The threat of a cyber-attack is hardly virtual. From covertly installing malware that holds a victim company’s data hostage, to soliciting confidential information via email under the false pretense that they are privy to such material, hackers continue to improve their methods of digital infiltration. And while the impact of these attacks is costly, it is insurable. In December 2016, Yahoo reported that a single 2013 cyber-attack compromised over one billion of its user accounts by obtaining its members’ full names, telephone numbers, birthdates, and passwords.
A company need not be the size of Yahoo to experience a cyber-attack. In fact, nearly two-thirds of all attacks target small and medium-sized businesses. A Guide to Cyber Risk, Allianz Global Corporate & Specialty (2015). A 2014 National Small Business Association report revealed that almost half of the 845 surveyed businesses had experienced at least one security breach, with nearly 60 percent of those breaches triggering business interruption. The report also estimated that the average cost associated with responding to each small business cyber-attack was in excess of $8,600.
A business that falls victim to a data breach today should expect to pay around $190 per compromised record. Charles N. Insler, Defending Against Today’s Digital Threats, Data Management and Security (2017). And if the business does not have a cyber insurance policy – not unlike two-thirds of companies within the United States – it should expect to pay the entire remediation cost. According to Andrew Bagrin, founder and CEO of the cybersecurity company My Digital Shield, few businesses recognize the impact of a breach until it is too late. Karen E. Klein, Insurance for When You Get Hacked, Bloomberg (2014).
Given that 2017 is expected to bring an increase in the number of cyber-attacks worldwide, now is an ideal time to consider purchasing cyber insurance. Because cyber insurance policies have only been available for approximately 12 years, there are still no real standards for pricing or coverage. For this reason, businesses should determine the expenses and incidents for which they seek coverage prior to meeting with their insurance provider. Presently, cyber insurance policies may offer coverage for the following expenses or losses:
- Forensic Investigation. Hiring third-party assistance, such as forensic experts, to determine the cause of the cyber-attack and how to prevent a future occurrence.
- Privacy Breach and Notification. Informing customers and affected parties of the breach, as well as providing credit monitoring or identity theft protection to those whose privacy may have been compromised.
- Data Breach. Recovering lost data or restoring compromised data.
- Damaged Hardware and Software. Restoring, updating, repairing, or replacing affected hardware and software.
- Business Interruption. Monetary losses, including profit loss, due to network downtime.
- Extortion Liability. Expenses related to ransomware attacks and other acts of cyberterrorism.
- Reputational Damage. Hiring public relations firms to mitigate reputational harm resulting from the security breach.
- Legal Fees. Expenses arising from the security breach, including payment of regulatory fines and penalties.
Any chosen cyber insurance policy should include at least six months of retroactive coverage for data breaches. This is because, on average, it takes a network owner over 200 days to realize that a security breach has occurred. The Cost of Immaturity, The Economist (2015).
Additionally, any company’s policy should provide protection against claims brought by its employees. Hackers are hardly selective when soliciting sensitive data from their victims. Therefore, cyber-attacks can implicate personally identifiable information from not only clients, but employees as well. Insler, Defending Against Today’s Digital Threats. In the same vein, an employee can also be a perpetrator of a data breach – willingly or otherwise. As such, any cyber insurance policy should also include a provision ensuring coverage in the event that a business encounters a cyber-attack due to the conduct of someone on its own payroll. Id.
Unfortunately, cyber security measures are often lagging behind their criminal counterparts in the digital arms race. Data breaches threaten the integrity of businesses now more than ever, and any company’s insurance policy should include a cybersecurity provision to reflect this trend. No business in the electronic age will ever be completely immune from a cyber-attack, but with the right insurance policy, it can obtain a significant degree of protection against the unknown threats in cyberspace.