Insuring against cyber threats is not exactly a new concept, but most companies — two out of every three — don’t have cyber insurance policies. Despite recent headlines about major security breaches, growth in the cyber insurance market may actually be slowing. According to New York-based brokerage firm Marsh LLC, the number of cyber insurance policies sold in 2012 increased 33 percent compared to 2011 – but grew only 20 percent in 2013.
It’s not difficult to understand why. Because the concept of cyber insurance is relatively new, the market can seem complex and inconsistent. There has been a significant variance among carriers in their understanding of technology and cyber security. Cyber insurance policies can be pricey, too. Some premiums go as high as $35,000 for a $1 million in coverage. Still, the costs of cyber insurance pale in comparison to those of a major breach. According to a study by the Ponemon Institute, the average data breach cost $5.4 million in 2012 — representing an average $188 per compromised customer account.
Therefore, it’s worth it to at least understand what cyber insurance is all about – and to what extent it can benefit your organization. Here are six need-to-know facts about cyber insurance to get you started:
Your Umbrella Policy Is Not Cyber Insurance…
Cyber insurance, being more of a specialty offering, is different from general liability and professional indemnity insurance. General liability policies frequently cover basics like physical damage. If a hack, a virus or even a simple software bug creates a data loss, data breach or server downtime, your general liability policy might not compensate you for your loss and costs. Indeed, many insurers specifically exclude electronic losses from their general policies. Cyber insurance policies, on the other hand, can and frequently do cover these situations.
…but There May Be Some Redundancies
Sometimes, however, there is some overlap. Data losses as a result of physical damage to or theft of devices could be covered by some general policies. Manufacturer warranties also sometimes cover physical damage — even accidents. In limited situations, a data breach or intrusion as a result of negligence may even be covered by certain professional errors and omissions policies. Therefore, it’s best to thoroughly review your existing coverage before going shopping for cyber insurance policies. You can then ask your insurance agent for a less comprehensive policy in exchange for a reduced premium.
Not All Cyber Insurance Policies Are Created Equal
Cyber insurance is still considered to be relatively nascent. Despite being over a decade old, there is not a lot of standardization among cyber insurance policies. Consequently, a standard policy may include undesirable exclusions. It is important to assess your organization’s needs, go over your proposed policy carefully, and negotiate with the carrier over terms that don’t fit your needs. What’s more, don’t hesitate to shop around. According to L. D. Simmons, a partner in multinational law firm McGuireWoods LLP, insurance carriers are still struggling to effectively price the cyber insurance market. Some have a better grasp on cyber security risks and costs than others; consequently, the swing in premiums for identical policies from different carriers can be huge.
Cyber Insurance Can — and Should — Go Beyond Hacking Protection
Some cyber insurance policies may not reimburse for the costs of data loss. Others may reimburse only certain types of costs.
In the wake of a number of high-profile hacks on companies like Target, cyber insurance may be thought of as a measure to take in case of a data breach or data theft. It is just as important — arguably even more so — to be insured against data loss. Just over four years ago, Gartner published a study in which the company found that 94 percent of companies that suffered a major data loss went out of business within two years. Of those companies, more than 45 percent were put out of business “immediately.”
Even a relatively minor data loss can bring huge costs to bear. Massachusetts General Hospital had to pay a $1 million fineto the US Department of Health and Human Services when an employee of Partners HealthCare (the largest healthcare provider in Massachusetts, of which MGH is a founding member) left the records of 192 patients on a train.
Fortunately, Partners HealthCare had a cyber insurance policy in place that covered regulatory costs due to data loss. Consequently, MGH was able to have the fine offset by the policy.
Cyber Insurance Is No Substitute for Good Security…
Just like auto insurance is not a license to drive drunk, cyber insurance is not an excuse to throw caution to the wind when it comes to cyber security. Carriers typically require you to have a certain level of security already in place to qualify for coverage.
In any event, you will be required to provide an assessment of your organization’s current cyber security. The assessment — typically conducted by a third-party (unless your business is small enough) — includes such details as password management, data backup procedures, and security configurations.
…but It Will Probably Improve Your Security
Obviously, the risk assessment of your security practices will impact not only your qualification but also your premiums. In this sense, cyber insurance is inherently likely to improve your cyber security because it forces you to review your practices – and encourages you to make them better.
What’s more, many carriers will proactively help you secure your data in addition to insuring it. To help ensure a costly payout won’t be necessary, a number of insurance companies offer risk management services to help their clientele. These services can include security plan development, data security training to employees, detailed vulnerability assessments and more.
The value of these services is evident not only from a security standpoint but also from a compliance standpoint. “Being able to prove that they weren’t negligent could save organizations millions in the long-run,” explains Jamie Bouloux, a cyber insurance liability executive at AIG. “[I]f something happens when a client loses data, they can tell the regulator that they did everything within reason to try to ensure that there was an environment of security where its employees knew how to handle client information.”
Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.
