One of the most challenging issues facing companies today is cybersecurity. Just look at the recent high-profile businesses, such as Equifax, Uber, and Target, that have been attacked. But what many companies don’t realize is that cybersecurity risk, and the insurance to transfer that risk, isn’t just for big business. Smaller entities are often victims of attacks, extortion, and the like, because hackers believe that smaller organizations are likely less savvy and therefore easier targets.
Here are 5 misconceptions or myths of cyber insurance coverage:
Cyber coverage is just for technology associated with a business.
The broader scope of “Cyber” coverage is Network and Privacy Liability, which also encompasses insureds who keep records, in soft or hard copy, that contain personally identifiable information. This is a common oversight among potential buyers, as many presume that if they don’t have a website, or it’s hosted by another party, they don’t have exposure. That’s just not true. Paper records are covered, like those (old) employment applications, personnel and customer files, and the credit card receipts (with carbons) that are used if systems go down.
So, it’s not just a laptop that goes missing with data, or a hack, that can be covered. What about that storage unit full of old company files that was long forgotten, then sold at auction? Where are the records now… somewhere? The policy could respond to cover defense costs, damages, etc. related to that loss too.
I have a “hold harmless” or other indemnification from the service provider/site manager to fall back on, so we don’t have exposure.
Well, even if that’s an iron-clad agreement, there will likely still be attorney fees incurred to enforce it and/or defense costs until that indemnification kicks in. Also, insureds that fail to respond in a timely manner and get out in front of the matter with crisis management could incur a greater overall loss. Typical Network Security and Privacy Liability insurance programs include loss mitigation/crisis response and guidance services, as well as defense cost coverage, in their base forms. These costs aren’t typically covered to the extent needed under other insurance policies today (in fact, they could be specifically excluded), but some carriers are evolving their forms to address them in a more comprehensive solution.
My company is too small to be hacked.
More than 80% of small to medium businesses have been victims of cyberattacks, and 60% of small businesses that have been hacked go out of business within six months! Everyone is vulnerable. More and more small businesses, governments, nonprofits, and others have been victims of ransomware, email phishing attacks, and other hacks.
My General Liability policy will protect my company.
Commercial General Liability insurance (CGL) protects your business assets against third-party bodily injury and property damage claims alleging negligence. It is not intended to cover the financial loss of a third party. The industry standard ISO General Liability Form also excludes such losses in its base format. While some very basic sublimited coverage might be offered for an additional premium, payment of such a loss can erode CGL limits, and the coverage is also typically subject to a deductible.
Think about it this way: you want the right tool to do the job. When it comes to Network Security and Privacy Liability, most CGL policies provide as much protection from the elements as a mosquito net would in a rainstorm. You may stay dry for a little while, but it’s not going to cover you for the long run in the way you need it to. A dedicated policy, by contrast, is a true shelter from the storm.
Cyber Insurance is too expensive.
Today’s Network and Privacy Liability market is competitive in both pricing and retentions/deductibles. The biggest factors in determining program structure and costs are:
- Risk class of insured
- Coverage amount/limits sought
- Deductible/retention appetite of an insured
- Number of unique PII or PHI records stored or maintained on the insured's systems.
Many carriers will offer indications with just these basic data points. However, a great way to determine whether your business is mitigating its risk of loss (and thus potentially helping to drive its cost of risk down) is to take a full application and work through the questions. Those application questions can help shine a light on potential vulnerabilities and on improvements needed in areas of compliance (legal/regulatory), and they offer insight into what underwriters may want to see in the future as a company scales.
All risks change over time, and your coverage needs vary too. It is always best to work with an experienced broker who understands your business’s specific requirements. But if your business is hacked, it will probably cost a lot of money, and cyber insurance will certainly help you recover.