Princeton, N.J. – Many business owners subscribe to the philosophy that purchasing cyber insurance is enough to help them sleep at night. Think again. Despite the overwhelming proof that cyber attackers target businesses around the clock, 24/7, cyber insurance continues to be an afterthought. Compounding this situation is that basic limits are often thrown in for “comfort.” The following are out thoughts for ascertaining coverage in return for the premium.

The “Risk” Piece of the Puzzle

Data is clearly what cyber criminals are after. Before determining the level of insurance required, there must be an understanding of which of the following is at risk:

  • Client’s SSN, EIN’s, bank, investment/brokerage account details, complete financials, etc. are lucrative to cybercriminals
  • For audit clients, whose financials are “in hand” before they are distributed, cybercriminals would use this information to play with the stock market. Would this protect the firm against insider training?
  • If any information collected at the time of due diligence or forensic work is leaked due to an IT network weakness, would cyber coverage address the fallout?
  • If wealth management services or private client accounting services are offered and there is online access to client’s funds, what if a cybercriminal obtains such credentials and performs a theft of client funds?
  • In this era of increased outsourcing of IT systems, data management systems and operational services – such as tax preparation work and data analytics – is there a level of confidence in the third-party network that you rely upon? Should you get third-party coverage?

The main takeaways are to better understand your risks, inventory your technology assets and know where data originates, passes, transforms and is ultimately stored and shared. According to a 2016 NetDiligence study, data loss through a cyberattack is just a fraction of all data breaches. Your own risk-based scenarios should analyze the probability for your organization and have cyber insurance provide the most appropriate coverage.

The “Inclusions and Exclusions” Pieces of the Premium Puzzle

  • Most general liability insurance policies will not cover indirect or consequential loss due to loss of third-party customer data and may need a cyber rider.
  • Cyber-insurance policies may not cover an actual theft of funds due to fraudulent wire transfers. This may require an expansion of crime coverage policy.
  • Vulnerable aspects of an insured’s network topology, such as unsecured wireless network, unencrypted portable devices or an uncorrected security deficiency already known to the insured, may not be covered. Review the expectations of the policy and ensure they are in constant compliance of such policies.
  • Will your insurance coverage extend to cover breaches that may occur at service providers abroad if you outsource? What is the level of compliance expected from such service providers?
  • Include in your policy Rogue Employee Coverage.
  • Most insurance policies would exclude a breach of contract and unfair trade practices.
  • Understand the limits on regulatory defense, fines coverage and settlement, if included.
  • Are all (digital and paper) records covered?

The “First Party and Third Party Coverage Options” Pieces of the Premium Puzzle

  • First-party coverage includes loss directly suffered by the insured
  • Third-party coverage options include coverage for legal claims by third parties brought against the insured

Solving the Premium Puzzle

While insurance is a matured marketplace, cyber insurance is the new kid on the block – growing and still defining itself! Cybersecurity should be a part of a company’s broader Enterprise Risk Management program and involve discussions with professionals who offer unbiased guidance. That starts with evaluating cyber insurance policy offerings and ensuring the right pieces to the puzzle are in place.