Can data breach insurance protect your business from the worst effects of network security and privacy liability failures? Let’s find out.
First of all, it’s important to realize that data breaches are serious business. According to the Breach Level Index, more than 9.7 billion data records have been lost or stolen globally since 2013 as a result of data breaches. And even though cybersecurity spending is rapidly increasing, cases of data breaches are at an all-time high. Additionally, data breaches are becoming more and more expensive, with the average cost reaching $3.86 million per occurrence in 2020.
With such enormous costs associated with data breaches, managing their risk is becoming more and more important. Having adequate data breach insurance, also known as network security and privacy liability coverage, is a paramount consideration for organizations of all sizes and industries, but particularly those whose business model is dependent upon online interactions and transactions.
Who Needs Data Breach Insurance?
Every business that collects, stores, and manages confidential and sensitive customer information should consider purchasing data breach insurance. If you store names, social security numbers, credit card information, or sensitive health records, you are a particularly lucrative target for cybercriminals.
Laws and regulations dictate that your business is responsible for keeping that information safe. If your company suffers a data breach, the costs for your company can be extremely high.
Even if you don’t collect invaluable customer or partner information, you probably store your business documents on your company computers or in cloud storage. No matter how many layers of security you have, consider data insurance as your ultimate protection to ensure your business operations can continue to run smoothly in case of a breach.
Types of Insurance You Need to Cover Data Breaches
Data breaches are rapidly increasing in complexity and can cross borders between coverage types, thus rendering standalone data breach insurance policies inadequate. For instance, a cyber insurance policy will protect your business from losses related to cyber attacks and security breaches that compromise the proprietary data stored on your networks. And a technology errors & omissions policy will cover your liability and legal costs if a client sues you because of a data breach on their network that stems from a failure on the part of your product or service.
Thus, combining cyber liability and technology E&O policies into one program with shared limits and complementary coverage is a cost-efficient way to purchase business insurance for startups that provides optimal protection.
Types of Attacks Data Breach Insurance Can Cover
Data breaches can come from a variety of sources. Not every breach is caused by sophisticated hacking attempts and many can stem from human error or mundane oversights, which doesn’t make them any less damaging. To help you understand what your company is facing, here’s a breakdown of the most common data breach sources you may experience:
- Hacker attacks: Criminals are becoming more sophisticated and cyber risks can come in various forms, including phishing, denial of service, malware attacks, ransomware attacks, and password attacks. These attacks are especially dangerous because they are sometimes very hard to detect. It typically takes companies six months to discover that an attack has occurred, allowing hackers to do significant damage.
- Physical theft or loss of devices: Although the main cybersecurity concerns are digital, physical breaches can represent a significant risk as well. Laptops, smartphones, and other physical data storage devices can end up lost or stolen and lead to serious data breaches.
- Data theft/leaks: Employees of your company might access sensitive files without authorization and with malicious intent. According to a study by Verizon, 12% of data breaches are related to privilege abuse, which includes employees misusing information they’ve been granted access to or purposely sharing, copying, or using data without authorization.
- Human error: Something as simple as including the wrong person in an email chain, or clicking on suspicious links, may lead to a serious data breach. 90% of system intrusions are the result of human error, so it is important to have strong security protocols and training in place to reduce risk.
First-Party vs. Third-Party Data Breach Insurance
First-party coverage insures those direct expenses that you may suffer as a result of a data breach. An extensive insurance policy should typically cover the following first-party costs and expenses:
- Data loss, recovery, and recreation
- Business interruption/loss of revenue
- Digital extortion attempts
- Deceptive transfer of funds
- Forensic investigative work
- Public relations activity
- Mandatory remediation charges: notifications, credit, and identity monitoring
Third-party insurance provides protection against liabilities arising from a data breach that releases proprietary information, or your failure to properly protect that data.
In addition, if you share data with an independent contractor, and their security is breached, your organization can still be found liable, which will also be addressed by third-party coverage.
What Data Breach Insurance Doesn’t Cover
There are certain exclusions to the data breach coverage, and you should make sure to read the fine print on your policy. Typically, data breach insurance policies won’t cover you if someone sues you for system vulnerability before the breach. It also wouldn’t reimburse your security reinforcements or future lost profits, as some coverages do, unless you add that endorsement to your policy.
Data breach insurance wouldn’t respond to your or a third party’s intellectual property theft due to a data breach. If you want your insurance to cover this kind of theft or to potentially cover patent infringement, you should talk to your insurer about your specific exposures and design a policy that would best respond to them.
You should also note that your data breach policy might not respond to an incident caused by a social engineering attack. You can add this coverage as an extension to your standard policy to ensure your business is covered.
What Is the Difference Between Cyber and Data Breach Insurance Coverage?
Data breach insurance looks a lot like first-party cyber insurance since it primarily covers your losses in case of a data breach. The biggest difference is that data breach insurance responds to all types of data breaches when hackers steal or compromise your data. A cyber insurance policy responds to other kinds of cyberattacks.
Suppose you are a data breach victim. In that case, a robust policy should respond to it and cover your average data breach costs related to the incident, starting with the notification and credit monitoring costs and extending to containing reputational damage by hiring PR experts.
Not every cyber insurance policy covers data recovery and recreation, but you should ensure that your data breach insurance does.
Cost of Data Breach Insurance
Given the potentially devastating cost of data breaches, premiums can vary significantly based upon the scope of the policy, the size of your organization, the extent of your internal system safeguards, and the number of unique Personally Identifiable Information (PII) or Protected Health Information (PHI) records stored or maintained on your system.
The good news for insurance buyers is that there’s an adequate supply of insurance products, with many major insurers offering coverage and extremely competitive pricing.
It is most important, however, to work with the right partners who understand your unique needs and exposures related to your industry in order to ensure you obtain the proper coverage for the best price. If you need more help or information about protecting your business from data breaches, you can reach out to our team of expert brokers to learn more.
Many assume that only technology companies are threatened by cybercrime, but in reality, no business today is entirely safe from cybercriminals.