Why you need cyber insurance
The adage used to be “nothing is certain in life but death and taxes,” but thanks to the efforts of innovative hackers across the globe, that can now be changed to “death, taxes, and security breaches.” To paraphrase Federal Trade Commissioner Julie Brill, there are two types of companies out there, those that know they’ve been hacked and those that haven’t yet learned about it.
Massive data security breaches have already grabbed headlines multiple times in 2015, and most companies are paying attention. In a previous post, I discussed seven things corporate management needs to know about data privacy and security. I’d like to add one more item to that list: cyber insurance.
In past years, very few insurance companies wrote cyber insurance policies. However, since high-profile security breaches began taking over weekly headlines, companies now have several policy options available to them. These policies are also highly customizable based on each company’s particular needs. For example, not all companies use cloud-hosting services or store highly sensitive, personally identifiable information. However, all companies do store valuable data. A breach could present significant liability or risk.
Headlines often highlight credit card numbers, but so much more is at stake, such as Social Security numbers, intellectual property, and small pieces of information that all could be used to build a profile. There really is no limit to what information could be used and exploited. The bottom line: Every company needs to take steps to reduce its risk, and obtaining cyber insurance is one of those steps.
Following are several types of coverage areas worth considering:
- Coverage against third-party claims. This provides protection from liability when you have others’ information in your possession and it gets compromised. Sometimes this extends to your hosts if your information is in the cloud, but sometimes it does not.
- Breach remediation and notification costs. This often includes credit monitoring costs, identity fraud insurance policies, and forensic audit costs.
- Computer program and data recovery. Usually this is your own coverage and may not cover your clients if you have their information. This can be very expensive, and other options include investing in secure backup systems. Depending on the nature of your business, this can be critical, but it’s often costly.
- Business interruption coverage. This is key for companies that outsource primary business functions. Business interruption damages are often classified as consequential, which is not often the reality in a security breach situation.
- Extortion coverage. This is an area many companies never thought about until the Sony Pictures data breach. Even Sony wasn’t a true extortion case, but it had overtones of one. This is a must if you have particularly valuable information on your systems.
- Defense coverages. This can apply to third-party claims, and there are also options for regulatory claims. It can be very costly, but it’s important to consider, particularly as the Federal Trade Commission has shown great interest in investigating security breaches to determine whether companies are adequately protecting consumers.
- Communications and media coverage. It is well known that a security breach can leave its most measured mark on a brand. If you are a higher profile company, this could be critical.
In addition, there may be other coverage options depending on your company’s needs. For success, work closely with your insurer to obtain the coverage that is right for you, and also consult with your IT department and legal advisers. You will also need to have solid agreements with subcontractors and hosts in place to ensure that you are covered, as those are often key components in the underwriting process. If your legal agreements or IT systems present a risk, your premiums may be much higher.
Ultimately, you should work closely with your C-level, IT, and legal teams to implement the best processes, and then work with a trusted insurer to position your company well in the current security landscape.
Mindi Giftos is an attorney with the law firm of Whyte Hirschboeck Dudek S.C., practicing in the areas of intellectual property and technology law. She can be reached at mgiftos@whdlaw.com.