How Cyber Insurance Can Protect Your Business
All businesses, large and small, have become dependent on the internet and online platforms in order to communicate, run programs, take payments, transfer data, and more. Whether it’s an in-house email system, taking online orders and payments, utilizing social media platforms for sales and marketing purposes, or interdepartmental networks, the integration of the internet has become a nearly unavoidable part of doing business.
The internet, while essential, poses its own unique risks to business owners and employees. If your business accepts online credit card payments, banks online, utilizes social media platforms such as Facebook, Twitter, or LinkedIn, or stores sensitive customer or employee data, then you’re at risk. Cyber insurance policies are designed to protect businesses from computer, network, and internet-based risks. Here we’ll discuss these risks and the ways a cyber insurance policy responds to each.
Data Breaches and Loss
One of the primary cyber security risks for businesses, and the most well-known, is data loss. In these scenarios a hacker breaks into your network and gets past your security controls, stealing information. When major companies experience a data breach, it becomes headline news. The extent of the breach and number of people and records impacted is often undetermined without extensive further security reviews. A data breach is your first-party insurance coverage with respect to the cyber policy, and essentially data breaches are where cyber insurance first started. Originally, these data breach policies were put in place to protect personally identifiable information. They also detailed what was defined as personally identifiable information, how that information was used, and who was at risk.
Businesses of all kinds have any number of pieces of personally identifiable information to manage and keep track of. Examples may be medical and health information, usernames and passwords, dates of birth, social security numbers, and so on. There are also risks associated with public knowledge data, like home addresses. Home addresses alone being shared via breach wouldn’t be considered a disaster or loss, but couple that with birthdates or social security numbers, and now you have personally identifiable information.
In the event of a data breach, where someone has stolen your data files with other people’s personal information, you are responsible by law to notify any and all clients potentially vulnerable as a result of the breach. According to the National Conference of State Legislatures, “All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.” In addition to being responsible for notification, businesses are also required to provide the victims of the breach with 12 months of credit monitoring.
In some of the most notable data breaches (for example, Target, Home Depot, and Marriott), consumers may remember receiving an email because their credit card information was compromised. These emails served to notify consumers that their information was at risk, that they needed to change passwords, replace cards and card numbers, etc., and that they would be provided with 12 months of credit monitoring at no charge to them.
Data breach protection is also valuable in a second type of scenario. Aside from personally identifiable information leaks, there is the issue of private or potentially embarrassing information (not the kind of information that would damage credit, but could damage a reputation, for example) being leaked. Any high-profile client, or any client whose private information is being held, can become a liability through legal fees or lawsuits. Cyber liability protection then becomes incredibly important.
Cyber insurance policies respond to data breaches by covering legal fees, as well as the costs of security experts, PR consultants, and the identity theft protection for customers impacted by the breach. They also cover defense and settlement costs for related lawsuits, and any PCI fines and penalties, taking this massive burden off of the policy holder.
Social engineering is the term for the kind of cyber exposure commonly called phishing. These aren’t necessarily “hacks,” but rather the result of bad-actor-designed scams that trick employees into sending money to an imposter posing as a company manager, client, or vendor. These scenarios are still defrauding you or your company, but aren’t the same as someone diving deep into your code and stealing on the back end of your system.
Another form of social engineering, also sometimes known as CEO fraud, is the result of fraudsters utilizing social media or other online tracking methods to determine what certain C-level executives are doing and where they are. These thieves then get ahold of the executives’ email addresses and start sending emails on their behalf, requesting money.
The businesses most at risk for social engineering scams typically have a significant number of transactions moving on a consistent and regular basis. These companies have a large and varied supply chain where money is going out all the time. A small business that doesn’t send out many payments or interact with a ton of vendors is not the ideal target for this scam. Such small businesses tend to have fewer employees who would have authorization to make or request payments, making the scam emails easier to detect. Midsize businesses, however, with numerous vendors and an accounts payable department, are at risk for scams with dupe AP department emails or invoices. These can then be inadvertently paid via electronic or wire transfer. A cyber insurance policy protects your business in the event of a social engineering scheme by reimbursing you the money lost in these scenarios.
Funds Transfer Fraud
Funds transfer fraud is fairly straightforward. In this situation, a hacker breaks into your computer system and gains access to your online banking account. The hacker then uses this access to request a funds transfer. They may then initiate a funds transfer to an account of their own.
Funds transfer fraud can also be tied to stealing banking information. Cyber insurance policies respond to this type of cyber exposure by covering the money lost but not reimbursed from a criminal fraudulently issuing instructions to your bank to electronically transfer funds.
Ransomware is a particularly creative method that hackers use to gain access to information and steal data or money. In one variation of this situation, much like in the plot of a 1990s action film, an employee unknowingly opens a link in an email that contains a computer virus. This virus immediately begins encrypting files on your network. The criminals then reach out to you and demand a “ransom” in return for unlocking your company’s files.
The insurance policy in this situation has coverage in place for both the data loss and restoration. You can get your system shut down, wiped clean, and restarted, and data restored fairly easily in most situations. Then, depending on the data, there is coverage to pay the actual ransom within the policy. Many cyber insurance companies also have a consulting cyber-security team on standby 24 hours a day, so in the event there’s an issue of this magnitude there is someone your company can contact and get guidance from right away.
Another, more recent method of using ransomware to extort a company comes in the form of a more insidious approach. In this newer scenario, a hacker will contact a target and inform them that they have not encrypted the data, but will post all of it publicly unless demands are met. This is effectively threatening a breach with public release of private data and client files. This in particular illustrates how clearly needed comprehensive cyber insurance policies are in order to effectively do business.
An example of a network interruption scenario is as follows: Let’s say a computer virus has brought down your customer order system. It takes three days before technicians have repaired the system and have everything up and running again. That’s three days’ worth of lost money in orders and order processing, plus the cost of the network security technicians needed to do the repair work. The costs can add up quickly.
In this situation the cyber insurance policy protects your business by reimbursing lost profits, as well as any additional expenses incurred while systems were down after an initial 8-hour down time threshold.
Network security, similar to network interruption, is the result of a virus affecting your system and the potential loss of business and costs to repair the system, with some additional issues. With network security issues, the virus could spread to several key customer websites, bringing down their systems as well. Though these two instances of cyber exposure are almost interchangeable, the risk posed to customers via the virus on your site is the key difference. There can be issues with redirection if someone has stolen your site, there can be domain theft issues, and there can be virus transfer to client sites, again stressing the need for cyber insurance protections to be in place.
Cyber insurance policies respond to this kind of situation by covering lawsuits brought by the customers impacted by the virus transmissions while still covering the cost to repair any damage to your data files.
The final piece of the cyber exposure puzzle is media liability. This one is more nuanced than the others, and relates to communications via the internet and the slanderous, defamatory language that employees could use. Let’s say you have a Facebook page for your business, and a customer chooses to post a complaint. One of your employees sees the complaint and decides to respond to it by posting a reply that accuses the customer of lying. This could potentially lead to a lawsuit. This kind of scenario may not be expected, but in this increasingly social-media-driven environment, it is highly possible.
Media liability can also be related to something as simple as copyrighted images or content being used for private business pages. A Google image search for a car or non-stock image being used for an Instagram post for your company could result in a call from a lawyer with a request for response and demand for payment. Fortunately, with a cyber insurance policy, content related lawsuits are covered.
I Need Cyber Insurance. What is the First Step to Getting Coverage?
Cyber insurance policies are strongly recommended to protect almost any kind of business. If your data is sensitive or opens you to regulatory or civil litigation risks, it’s highly likely that you will benefit from purchasing cyber insurance to protect your business.
In most cases, there is a template that can be used to assemble a policy quickly and easily for small businesses, law firms, accounting firms and the like. Larger and more complicated businesses that may have more variable needs can take a bit longer, but as long as the basic areas of concern as listed in this article are covered, you can be assured that your business has a reasonably good cyber insurance policy. It’s important to reach out to an insurance professional to help you assess your needs and get your policy in place as soon as possible. Every bit of information exchanged on the internet on behalf of your business can put you at risk, but with the right policy, you can be assured that your company is protected.