Does your business have insurance to protect you against breaches of your cybersecurity? Turns out that’s not a simple “yes” or “no” question, and the answer changes constantly based on new cases being litigated and new types of breaches impacting companies.
Businesses need to take into account a wide range of factors in determining whether they have enough breadth and depth of insurance coverage to guard against any cyber liabilities. And it might be helpful to consult with an insurance broker who handles these types of policies.
First of all, you need to make sure you’re covered for your own damages resulting from such an incident. These can include the costs of forensic analysis to determine what happened, legal assistance, notification of individuals and regulators about a data breach, and any fines, penalties or other costs stemming from an enforcement action. Also, you need to be insured for any degree of business interruption.
This “first party” coverage, which might be likened to a cyber version of commercial property insurance, must be delineated as covering a variety of specific types of incidents: ransomware, in which your hardware or data are held “hostage” until payment demands are met; malware, in which a virus is let loose in your system; wire fraud of any sort; and a phishing incident or social engineering, in which an employee is induced to click on a link that leads to a cyber breach.
Then you need coverage for claims that might be brought against your business by customers, partners or anyone else. This “third party” coverage, which guards against a data breach or cyberattack against another entity as a result of your negligence, provides protection against individual litigation, class action litigation and enforcement actions.
Beyond those broad strokes, you need to delve into the specific exclusions in your policy and how to tailor coverage for your particular industry, both of which a broker can help sort out. If you want coverage for anything that’s excluded, you can purchase it in addition to your standard policy.
Specific industry coverage might include issues like privacy and security violations under the Health Insurance Portability and Accountability Act (HIPAA) or enforcement actions under the General Data Protection Regulation (GDPR), promulgated by the European Union.
In addition, you might want to add supplementary coverage to ensure that you have adequate protection when it comes to issues like cybercrime, social engineering, errors and omissions, and business interruptions.
There may be other ins and outs to consider when purchasing cyber liability insurance, but this provides a good basic checklist for you and your business to get started. Once you’ve gone through it and figured out what you need, don’t put this topic on a shelf and forget about it. Given how constantly cyber liability is evolving, your insurance policy will need to be regularly reviewed and updated as necessary.