What Is Cyber Liability Insurance?

Written by Kara Mueller, IT Support Specialist, Certified Computer Examiner

WHAT IS CYBER LIABILITY INSURANCE?

Cyber liability insurance covers liability and financial losses that result from data breaches and other cyber events. It can cover legal fees, notifying customers about a data breach, restoring personal identities of affected customers, recovering compromised data and repairing damaged systems.

Businesses and their vendors that have access to customer or employee personally identifiable information or protected health information are increasingly required to have cyber liability insurance to protect all parties and the data involved.

WHY DOES YOUR BUSINESS NEED CYBER INSURANCE?

Remember file cabinets?  It used to be that a file cabinet was like your personal bank vault – holding the papers that defined and valued a business. From employee records to bank statements, that file cabinet had everything necessary to keep things running.

To protect those files, some drawers were locked.  Some file cabinets were kept in executive offices with limited access, keys were hidden, and office doors were locked.  The building is insured by a policy that would offer compensation should theft or fire occur.  Security alarms and systems can be installed.  Some buildings have officers and cameras watching for suspicious activity.  Today, businesses have the need or are required to employ additional measures outside of physical protection, like sending data “offsite” or “into the cloud” for backup.

Most of the above-mentioned physical, preventative measures remain in place today – but now, there is the need to protect computers and information that is not stored on paper.  Fewer file cabinets can be found in offices.  Now drawers hold office supplies, a box of tissues, or extra toner for the printer.

So, who is protecting the electronic files?  The data?  A layered security strategy is best. You can have anti-virus software, firewalls, training, policies, and additional measures in place to protect your business.  But what happens if there’s a theft or crime that you never saw happen?  What if the criminal is not an actual person to apprehend, the damage isn’t a fire that you can put out, and the records aren’t there for you to retrieve and pull from backup?  Building insurance isn’t going to cover a break-in that didn’t happen.  The damage isn’t by fire or water – so what kind of insurance claim do you file?

There are hostages in this disaster, but they aren’t people – they are your priceless files.  The very ones that keep your business humming and running and hold all of the value of your operation, your people, and your clients.

DOES YOUR BUSINESS QUALIFY?

Most insurance providers request the completion of a risk assessment, survey, or questionnaire prior to issuing a Cyber Insurance policy. In completing these exercises, many businesses realize that they are not as protected, proactive, or technologically sound as they think.

How would you currently answer these questions?

  • Do you have a layered security strategy that includes employees training, security policies and procedures, technology (firewall, anti-virus, system patching/updating, encryption, and backup solutions)?
  • Are you a Business Associate under HIPAA and meeting all of the requirements of a BA?
  • Do you have annual risk assessments?
  • Has your organization appointed a security officer?
  • Do your employees get continuous security training?
  • Do your Business Associates sign agreements?
  • Does your organization have a documented backup procedure in place?
  • Do employees protect passwords? Is there a password policy in place?
  • Does the organization encrypt email to prevent unauthorized access to PII/PHI?

These questions are just examples of what can be asked by an insurance provider.

NOW WHAT?

Let’s take a ransomware attack for example. The ransom will be set, and you have no choice but to pay it – but with what?  With your savings?  With funds from the business?  If you do that, how will you pay your employees?  What if your clients find out?  Will they trust you?  How will you regain that trust and ensure that this won’t happen again?  Do you have to report this to the authorities?  Does that mean you have to hire a lawyer?  And did someone just say they will sue you for negligence?

Should you just shut down and run?  That feels like the only solution, but it’s not even close to feasible.  You have a family.  Your employees need this job.  You need this job.

And THAT is why you need cyber insurance.

Consider this: the first car was invented before 1900.  Auto insurance became mandatory in 1927.  How many disasters had to occur before we realized that cars were not going anywhere, and measures had to be put in place to protect individuals?  Don’t be caught in that gap with your business.  In this case, ignorance is not bliss, it could mean the difference between survival and demise of your business.

This is the new normal.  Times have changed, and so has the way in which you need to protect your business.