With COVID-19 restrictions requiring businesses to increase digital operations and expand the scope of technology they use, cyber risk protection is more critical than ever. Yet, for many business owners, cyber insurance is still considered a discretionary purchase. Unlike property and commercial insurance policies, cyber insurance isn’t standardized and is often viewed more as a luxury than a necessity.
Cyber insurance is also a new product, and many business owners do not yet understand how it works or why they would need to purchase it. The truth is, in our increasingly remote working environment, it’s more important than ever to be covered in case of a cyberattack, but it can be challenging to know what you need.
More business owners have discovered that operating in a remote, virtual environment is essential to their success during the pandemic. Businesses wishing to keep up with their competitors’ digital transformations need to consider the risks and exposures they face without cyber insurance. If you’re ready to assess your cyber risks and vulnerabilities, the following tips may help.
Get the right advice on cyber insurance
When it comes to getting the right cyber coverage, one of the most important things you need is a broker that fully understands your business—one who can describe your operations as an employee would. Once you have confidence in a broker, here are some questions you should consider to ensure you get the coverage you need:
- What type of data do we maintain in our system (or in our cloud provider)? What is my exposure if my data or systems are affected?
- If using a cloud provider for services, where is my data kept, and what contractual agreement do I have in place with the provider?
- How long can we continue to operate without our primary systems?
- How long do we anticipate it may take to recover from an incident, such as a data breach?
- What internal controls do we currently use? For example, call-back provisions to change banking information, employee training in cyber hygiene, advanced firewalls, etc.
Get the right cyber insurance coverage
The current cyber market provides a variety of options which appear very similar at first glance, but they can differ dramatically from one another when you examine the policy wording. Even if the coverage titles are similar, the coverage may not be equal. Each policy has its unique terms, conditions, and exclusions that may modify the described coverage’s intent.
At the most basic level, Cyber Expense or Privacy Breach Notification Expense coverage can be added to traditional commercial insurance packages and is intended to provide limited coverage (commonly $25,000). It is designed solely to assist with basic costs, like paying for postage when you send a privacy breach notification to affected individuals.
On the other end of the spectrum, some stand-alone cyber liability policies cover costs related to a network or security breach that results in the disclosure of personally identifiable information, personal health information, or third-party corporate information.
While fully customized cyber liability policies are also available, the foundation of any great program should include coverage for:
- Third-party liability: Liability arising from the unauthorized disclosure of personally identifiable information, personal health information, or third party corporate information due to a security breach or network failure
- First-party expenses: Coverage to help your business with the financial burden of expenses such as crisis event management, security breach remediation and notification, and computer program and electronic data restoration
- Cyber extortion: System disruption due to ransom or extortion demands, including access to experienced cyber negotiators and ransomware specialists
- Cybercrime: Social engineering and unauthorized electronic funds transfers
- Business interruption: Income replacement while you attempt to recover from an incident
Develop your Cyber Incident Response Plan
While getting the right coverage is essential, any cyber policy you choose should be a part of an overall Cyber Incident Response Plan that identifies:
- The types of information you have
- Which people at your organization are working remotely due to COVID-19 restrictions
- Which people at your organization are responsible for initiating the plan
- Who to contact in specific scenarios or at specific points
- How the response plan adapts to specific situations
- How the restrictions required by COVID-19 impact the execution of your plan if an incident occurs
Cyber policies are complex coverage documents. In your Cyber Incident Response Plan, it’s important to note at which point each type of coverage you purchase is available. The plan should also contain direction on how best to utilize the policy coverages. Certain coverages respond upon notice; others require prior written consent from the insurer.
No matter the size of your company, Cowan Insurance Group’s dedicated team of expert advisors can help you secure your business and assess any new exposures you may face as a result of increased technology use due to COVID-19. Contact us today to get started on evaluating your coverage needs.