HNI Minnesota President
Cyber security and privacy breaches are making more and more big headlines. Just think of The Home Depot's recent revelations about compromised credit card data and the Target debacle earlier this year.
According to a 2013 study, the average cost of a privacy incident for a company is $3.5 million. Of that sum, about $575,000 goes to defense attorneys and $737,000 covers crisis services, including forensics, notification, and credit monitoring for victims.
These eye-popping numbers and the alarming frequency of data compromises were the catalyst for our recent HNI University webinar, Cyber Risks Looming in the Transportation Industry. Cyber liability expert Kevin Zinter of AmWINS, a specialty insurance distribution firm, covered what makes a good cyber liability insurance policy. He also covered exclusions that could spell trouble down the road.
The bottom line is it's crucial to fully understand on the front end the coverage you've signed up for. The alternative is waiting to dig into your policy when you have a claim... and risk an unpleasant surprise.
What's in a Good Cyber Liability Policy?
A solid cyber liability policy should contain a mix of these elements. It's likely they will have different names or terms, and the elements could be combined. The language depends on the carrier, but keep your eyes peeled for these critical coverages:
1.) Privacy/Security Liability
This element covers third-party claims that allege failure to protect personally identifiable information (PII). Breaches could be through a network or information security failure or unauthorized access/use.
2.) Notification Costs
This is the main premium driver within a cyber policy. On average, it costs $2-$4 per compromised record to let victims know their data were breached.
3.) Crisis Management and Forensic Expenses
This is the second-biggest premium driver in a cyber policy. It includes the cost of hiring a crisis management firm to guard your brand in the face of a breach and forensics experts to determine the breach scope and a solution.
4.) Regulatory and Defense Penalties
This covers the cost of handling inquiries and investigations, as well as the fines and penalties from enforcing bodies, such as the Federal Trade Commission, attorneys general, etc. Because there's more legislation regarding protection of confidential data, it's safe to assume there will be more enforcement.
5.) Extortion/Threat Expenses
Very often a company will not make public the threat it's facing. This element may even cover the cost of paying off an extortionist who promises to expose intellectual property or shut down a computer system if demands are unmet.
6.) Business Interruption
This probably is the least purchased coverage. It covers downtime caused by breaches in a company's network.
This coverage is most relevant for retailers and online companies. It covers libel and disparagement, and a good policy covers social media, too.
8.) Hacker Damage
This covers the cost of repairing, replacing, and restoring damaged or destroyed data the insured possessed. The goal is to return contracts, employee info, W-2s, logistical routes for trucking firms, and other data to their pre-breach state.
9.) Payment Card Industry (PCI) Fines/Penalties
This is important for businesses that take in credit card information. It covers financial penalties for having a poor system for securing sensitive payment card information.
What Makes a Cyber Liability Policy a Poor Fit?
Watch out for the following policy exclusions. Exclusions could be policy elements that weren't a good fit for your organization, which means you save premium dollars. But take it from our subject matter expert: You don't want to learn about omitted coverages when it's time to make a claim:
- Losses arising from unencrypted portable devices.
- Notice of claim timing and limitation of expenses. A specific time frame following the incident dictates whether a claim is accepted and paid out. (The problem is, sometimes it takes a while to realize there's been a breach!)
- Failure to update antivirus and maintain security levels referenced on the application.
- Failure to implement the risk controls and procedures referenced on the application.
- Wear and tear on computers and aging equipment used by the insured. It's a gray area how a carrier can determine that your equipment is too old.
- Coverage for proceedings. A good policy will offer coverage for all regulatory and defense costs, not just fines and penalties.
The webinar offered more coverages and exclusions that deserve scrutiny when reviewing a policy. To discover other cyber liability policy elements, click the button below to access the slide deck and webinar recording. Our subject matter expert also listed underwriting questions that go into quoting a cyber liability policy that can't be missed. Check it out! (While the webinar's focus was the transportation industry, most of the content can be applied to other sectors, too!)
Have you ever had to manage a data breach? What advice would you give a company facing a similar situation? Please sound off in comments!