Cybersecurity Insurance – What you should know
CarTek is itself a small business, so we understand the importance of protecting yours. Typically, we focus on helping companies lower their risk by conducting assessments and recommending cyber security solutions. However, there is another piece of the puzzle that is extraordinarily important in lowering risk: transferring part of it by purchasing cyber security insurance. These policies have been around for a few years, but the widely publicized cyber attacks of recent years have driven a tremendous increase in interest in buying them.
Consider some of these statistics:
- The global cost of cybercrime is forecast to reach $2 trillion by 2019, a threefold increase from the 2015 estimate of $500 billion.
- According to the Verizon Data Breach Investigation Report from 2015, “The forecast average loss for a breach of 1,000 records is between $52,000 and $87,000.”
- 60% of small businesses that are breached go out of business within 6 months of the breach.
Based on these statistics, a cyber security insurance policy that lets you transfer some of your risk is a good idea.
Now, before you run out to your nearest insurance company and purchase a policy, there are some things you need to consider. As a business, even if you have cyber security insurance, you will be expected to demonstrate that you have exercised “due care” in protecting yourself. According to uslegal.com, due care is “the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to perform under particular circumstances.” In other words, with respect to protecting your business from a cyber attack, due care means you have made the reasonable efforts that an ordinary, prudent business would make to protect your own information and, more importantly, the information of your customers. Compare it to the warranty on your car. If you have an engine problem and try to have it covered under the warranty, the first thing the warranty company will do is verify that you have kept up with the maintenance an ordinary owner would perform. If they find you haven’t changed the oil in five years, be assured they will not cover the engine. In the same way, you must show that you have taken reasonable precautions (due care) to protect your business for the insurance policy to pay out. Keep in mind that the controls you describe on the carrier’s application questionnaire become part of the contract: a misstatement there (for example, claiming that all systems are patched or that backups are tested when they are not) can give the carrier grounds to deny a claim or rescind the policy altogether.
Below is a list of some of the things you will need to have in place for your policy to pay out in the event of a breach. Typically, these will be investigated during the underwriting process, and the exact requirements will vary with the policy and the carrier.
- Company Security Policy, including an Acceptable Use Policy
- Security Log Collection and Review
- Centralized Access Control System
- Network based firewall
- Incident Response Plan
- Regular Vulnerability Assessments
As far as the policy itself is concerned, there are specific coverage provisions you will want to make sure it includes. The list below has been compiled from two sources, proassurance.com and naic.org.
- Coverage for losses and defense costs associated with a wrongful act resulting in a breach.
- Coverage for regulatory fines and penalties and/or a regulatory compensatory award, and for defense costs arising from security or privacy breaches.
- Coverage for loss of digital assets through damage, alteration, corruption, distortion, theft, misuse or destruction, as well as failure of the computer system, non-physical business interruption and extra expenses.
- Coverage for claim expenses, assessments, and fines imposed by banks and credit card companies for non-compliance with payment card company rules (such as PCI DSS).
- Coverage for lost revenue as a result of an adverse media report or customer notification of a security or privacy breach.
- Coverage for liability for security or privacy breaches, including loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
- Coverage for the costs associated with a privacy breach, such as consumer notification, customer support and providing credit monitoring services to affected consumers.
- Coverage for the costs of restoring, updating or replacing business assets stored electronically.
- Coverage for business interruption and extra expense related to a security or privacy breach.
- Coverage for liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.
- Coverage for expenses related to cyber extortion or cyber terrorism.
- For healthcare providers, coverage for expenses related to regulatory compliance proceedings over billing errors, physician self-referral (Stark Law) and the Emergency Medical Treatment and Active Labor Act (EMTALA).
So, when you purchase cyber security insurance, remember that the policy is not a replacement for a solid security program. It merely allows you to transfer some of your risk, and the carrier will expect that program to be in place before it pays.
Does your current cyber security program demonstrate due care? CarTek Consulting can review, develop, and implement cyber security programs that help ensure your policy will pay out in the event of a breach. Contact Us
Constantin, L. (2014, April 25). 5 Things You Need to Know About Cybersecurity Insurance. Retrieved July 08, 2017, from http://www.cio.com/article/2376802/security0/5-things-you-need-to-know-about-cybersecurity-insurance.html
Cybersecurity. (2017, April 3). Retrieved July 08, 2017, from http://www.naic.org/cipr_topics/topic_cyber_risk.htm
Cybersecurity Coverages. (n.d.). Retrieved July 08, 2017, from https://www.proassurance.com/healthcare-professional-liability-insurance/cyber-liability/
Ferrillo, P. A., & Marciano, C. (2015). Bloomberg BNA World Data Protection Report, 15(1), 1-6. Retrieved from http://ljournal.ru/wp-content/uploads/2017/03/a-2017-023.pdf. doi:10.18411/a-2017-023
USLegal. (n.d.). Due care. Retrieved July 08, 2017, from https://definitions.uslegal.com/d/due-care/