Many dangers lurking in cyberspace, like computer hackers or software viruses, can threaten an online business. So if you own an online business – whether you’re a solitary blogger working from a laptop or the head of a thriving online marketplace with hundreds of employees – experts say it’s important to consider cyber security liability insurance.
Many companies don’t give this kind of insurance a thought, however. A 2012 survey of 153 companies by consulting firm Towers Watson found that 72 percent hadn’t purchased insurance to protect them from liability in case of a data breach or other cyber catastrophe.
“A lot of times, businesses just flat-out don’t even think about cyber risks,” says Bill Knepper, a commercial insurance and risk management consultant in Florida. Or, he says, some business owners think they’re covered by their home insurance or other business insurance policies – but they’re not.
What is cyber security insurance?
Cyber security liability insurance is a type of specialized commercial insurance that can cover a variety of cyber risks that might be caused by hackers, scammers, technology snafus or even your own actions (example: you write something on your blog and get sued for libel). Coverage varies by insurance company, and business owners can customize policies to fit their needs.
There are two main areas of coverage.
1. Damage to your own business.
Known as first-party coverage, this coverage could protect you from unexpected expenses or financial disasters caused by cyber security problems.
For example, a cyber security liability policy could reimburse you for lost profit if your website crashed because of a computer worm or a disgruntled former IT employee, according to Matt Prevost, assistant vice president of cyber and professional liability at The Philadelphia Insurance Cos., which specializes in coverage for small to midsize businesses.
This coverage also could pay for various costs involved in sorting out a cyber security issue, experts say. This might include paying a forensic specialist to figure out which information was stolen, contracting with a PR firm for damage control or hiring a lawyer to help you navigate your responsibilities to customers whose private information was compromised.
2. Liability for harm caused to others.
Also known as third-party coverage, this protects you when a data breach or other cyber mishap hurts other people, such as your employees or customers.
For example, if a hacker gains access to your customers’ names and other private information, including Social Security and bank account numbers, you might have to notify the affected people and even the state attorney general. You then could be sued or even fined by a government agency, says Ken Goldstein, vice president at insurance giant Chubb.
Requirements to notify victims of a data breach vary based on state law, and experts say 46 states have some type of requirement. Cyber liability insurance also could kick in if you inadvertently transmit a virus from your website to a customer’s computer or get sued for libel over a blog post.
Shopping for cyber security insurance
Coverage varies by insurance company, which makes it difficult to compare policies, Knepper says.
However, the variety allows an agent or broker to put together coverage that fits a business’ needs. For instance, Knepper says, a blogger might want to focus on coverage for online libel, while the owner of an online auction site might be most concerned about protection in case of a data breach.
It’s best to pick an insurer that allows room for tailoring of coverage to your needs. For example, Philadelphia Insurance has eight types of cyber coverage that can be mixed and matched depending on need, Prevost says. To name a couple of options, the company sells coverage for violating state and federal privacy laws, which could cover the costs of a privacy attorney to help the policyholder follow state notification laws along with the costs of notification. The company also offers coverage for acts of a rogue employee who damages the company’s computer network; this could include paying for computer forensic analysis to assess the damage, as well as repair costs.
Goldstein says it’s important to find an insurer that has a history of offering this kind of coverage. “Expertise is key,” he says. Experienced insurers will have relationships with specialists, such as privacy attorneys and forensics experts, who can lend a hand on short notice, Goldstein says.
Keeping your company secure
When a business owner buys a policy, the insurance company often will conduct a risk assessment and make recommendations on how the company can shore up security – encryption and a firewall, for instance – to prevent an attack in the first place, Goldstein says. Chubb also offers companies a premium reduction for taking certain security precautions. For example, he says, if a company hasn’t written an incident response plan, Chubb might suggest a business that can create one, and then lower the premium once the plan is in place.
It’s also important to be aware of what exclusions your policy contains. For example, Prevost says, many policies exclude incidents where the policyholder failed to use encryption – the process of scrambling data so that unauthorized parties cannot read it. So, if a company employee lost a mobile device containing sensitive information that was not encrypted, any related costs might not be covered.