Recently, eSecurity Planet covered the basics of cyber insurance. There's more to cyber insurance, however, than just everyday data breaches and losses. Cyber insurance policies can provide coverage for a wide variety of incidents and types of damage. On the other hand, there is still not much standardization among cyber insurance policies (many aren't even called "cyber" policies), so it is important to carefully review the exclusions of a policy you are considering – and compare them against your needs and risk.
That said, here are seven important, non-obvious things you might not realize cyber insurance can cover:
Content Injury Liability
Sometimes, someone will pretend to represent your company online – and the results can be disastrous. Someone who has it out for your company might smear your company's good name online – or smear others online while pretending to be one of your employees.
Other times, your company itself might find itself a villain. Perhaps something on your website infringes upon another party's intellectual property. Perhaps your online advertising or data analytics program ran afoul of consumer protection or privacy laws. Or perhaps an employee of yours posted something on your Facebook page that he really shouldn't have and has created liability for you.
Fortunately, cyber insurance policies now frequently cover online content-related liabilities such as these – commonly including coverage for defamation, intellectual property infringement, and privacy violations, among other things. This is especially helpful because some general liability policies don't cover these types of claims.
There's a lot of nasty stuff hackers can do with your data assets. Some enterprising hackers – realizing that your data is probably more valuable to you than it is to anyone else – will try to extort you in various ways. Cyber extortion can take many forms – including threats to publish sensitive data, frequent DDoS attacks until you pay up, and even using ransomware to prevent you from accessing your own data. A cyber extortionist doesn't even need to take or control any of your data if they're creative enough; they might just threaten to defame you online or spam your client base.
Fortunately, the costs of cyber extortion are among those some cyber insurance policies can cover – including efforts to stop the extortion and even payoffs. And, of course, any fall-out that results if cyber extortionists make good on their threats.
It's generally not a good idea to give in to an extortionist if you can help it. Paying up may just encourage a cyber extortionist to continue the threat and raise the price. Stand up to a cyber extortionist, however, and you might find your servers knocked offline or your data gone.
Cyber insurance companies know how important it is to cover business interruption costs – especially given the high likelihood of going out of business after a data loss. With the right policy, a business interruption claim can help cover your recovery costs and even lost profits while you get back on your feet if you're eligible.
A data loss represents more than the loss of the intrinsic value of the data. A data breach carries costs beyond those of regulatory fines and notification compliance. In both types of instances, companies face losing something else: goodwill.
Cyber insurance carriers understand this. Some carriers will cover – and even assist with – crisis management in the event of a breach, including public relations, marketing and consumer education. After all, your insurance company wants you to stay in business.
Offline Data Losses
It seems counterintuitive that a cyber insurance policy should cover a "non-cyber" loss. In some cases, however, your policy may cover a data breach or data loss that occurred in an "offline" fashion. This is especially important, given data thieves' heavy reliance on social engineering.
It can also protect you against loss or theft of physical data. For instance, when a healthcare employee left the records of nearly 200 hospital patients on a train in Massachusetts, the hospital's extensive regulatory fines were covered by cyber insurance.
When something does go wrong, it is important that it not happen again. A number of cyber insurance policies will therefore offer coverage for data forensics, so that your security team can thoroughly investigate breaches while they are occurring and after they occur. This will help you to not only put a stop to ongoing breaches, but also figure out the full extent of the damage of a breach – information your carrier wants just as much as you do.
What you don't know can hurt you. It's common for organizations to fail to realize that they've been the victim of a data breach until weeks, months or – in some cases – years after the fact. Accordingly, you should consider retroactive coverage for prior, undiscovered breaches. It will cost more, but – depending upon your organization, your data, your security and your overall risk profile – it may be worth it.
Joe Stanganelli is a writer, attorney and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.