Don’t forget the “I’’ in cyber insurance
Being a victim of cybercrime can be terrifying. Knowing you’re insured is intended to bring some comfort… unless you discover that your cyber insurance policy doesn’t actually cover your loss. This occurred recently when a so-called “Trickbot’’ virus infected a client’s network and recorded employee user credentials to siphon money from corporate accounts.
Unfortunately, while these kinds of attacks are becoming the norm, so is the insurance carrier’s response to the client: Claim denied because their policy didn’t cover this type of loss. As businesses grapple with protecting against cybercrime, I repeatedly see standard Crime and Cyber policies that do not cover particular types of cyber-attacks or the businesses are under-insured for the losses they incur.
Don’t forget the “I’’ in cyber insurance and ask yourself: “Do I have the coverage I need and am I doing what I need to do to safeguard my data?’’
Increasingly, companies are also being forced to focus on their readiness for a cyber attack and the correctness of their response. Businesses can see reduced insurance rates if they have cybersecurity safeguards – and can also have trouble collecting on policies if they’ve been negligent.
The recent Equifax data breach is a case in point that has insurers rethinking the responsibilities clients have to maintain good data hygiene. And while it’s too soon to see the impact, the recent admissions by Uber that it covered up the theft of personal data from around 57 million accounts is sure to have repercussions in how underwriters view claims.
In the Trickbot case, the company’s policy was missing Computer Fraud and Money Transfer coverage, which covers the unauthorized transfer of money via a computer. But what all businesses need is to make sure they take a comprehensive look at their coverage to ensure against gaps.
Coverage to fit the crime
Cybercrime is more than lost data and broken computers. Attacks have crippled or slowed factories, delivery services and the ability to serve patients or customers. Frequently ransomware attacks result in real-world business downtime because even if the hackers are paid off, fixing the damage or restoring the information can be a long and involved process.
Don’t forget the legal and reputational damage. If you are the victim of a major hack attack, your business will need to engage an attorney in defending against claims filed by your clients. Your company may also need the help of a public relations firm to help restore confidence in your business and brand.
Many insurance companies are including or offering cyber coverage in their Business Package policy, Professional Liability policy, or Director’s and Officer’s Liability policy. While this coverage is better than having no cyber insurance coverage at all, it may give you a false sense of security. Coverages may be very limited, and fail to keep pace with, or apply to, the losses incurred.
Computer Fraud and Money Transfer coverage is one example of additional protection you may need, both to safeguard against thefts against your accounts as well as attacks that affect customer credit cards and accounts. Additional riders for ransomware are also becoming more common and are frequently offered either as part a cyber insurance package or as added coverage with more traditional kidnap and ransom policies.
The bottom line is that the damaging tentacles from a cyber attack can reach into virtually all your businesses operations, causing more significant financial losses and even physical damage that standard policies may not cover.
Protection begins before an attack
Benjamin Franklin’s famous saying that, “An ounce of prevention is worth a pound of cure,’’ certainly applies to today’s cybercrime world. Not only can prevention ensure coverage in case of a hack attack, but it can also help reduce your insurance rates.
Developing and maintaining a robust cyber response plan is also a meaningful way to build trust with clients by showing that you take safeguarding their information seriously. A program needs to encompass both software and hardware protections as well as staff training that warns of various scams hackers use to “phish’’ for passwords and other information.
A good first step is having an independent review of your insurance from an expert who can examine your vulnerabilities in all areas and recommend the type and level of coverage you need. Your insurance carrier may be able to recommend experts that can assist you in developing a cyber response plan and staff training.
Former FBI Director Robert Mueller’s warning proves increasingly prescient: “There are only two types of companies: Those that have been hacked and those that will be hacked.”
Don’t wait until it’s too late to make sure you have the insurance protection you need.
Theresa Kane, Boyer & Ritter’s Director of Insurance Services, is a Certified Insurance Counselor and provides unbiased Insurance Review Services to clients. Boyer & Ritter does not sell any insurance products nor favor any particular provider. Contact Theresa at 717-761-7210 or email@example.com