According to a 2013 study, the average cost of a privacy incident for a company is $3.5 million. Of that sum, about $575,000 goes to defense attorneys and $737,000 covers crisis services, including forensics, notification, and credit monitoring for victims.
These eye-popping numbers and the alarming frequency of data compromises were the catalyst for our recent HNI University webinar, Cyber Risks Looming in the Transportation Industry. Cyber liability expert Kevin Zinter of AmWINS, a specialty insurance distribution firm, covered what makes a good cyber liability insurance policy. He also covered exclusions that could spell trouble down the road.
The bottom line: it's crucial to fully understand, on the front end, the coverage you've signed up for. The alternative is waiting to dig into your policy when you have a claim... and risking an unpleasant surprise.
A solid cyber liability policy should contain a mix of these elements. It's likely they will have different names or terms, and the elements could be combined. The language depends on the carrier, but keep your eyes peeled for these critical coverages:
This element covers third-party claims that allege failure to protect personally identifiable information (PII). Breaches could be through a network or information security failure or unauthorized access/use.
This is the main premium driver within a cyber policy. On average, it costs $2-$4 per compromised record to let victims know their data were breached.
This is the second-biggest premium driver in a cyber policy. It includes the cost of hiring a crisis management firm to guard your brand in the face of a breach and forensics experts to determine the breach scope and a solution.
This covers the cost of handling inquiries and investigations, as well as the fines and penalties from enforcing bodies such as the Federal Trade Commission and attorneys general. Because there's more legislation regarding protection of confidential data, it's safe to assume there will be more enforcement.
Very often a company will not make public the threat it's facing. This element may even cover the cost of paying off an extortionist who promises to expose intellectual property or shut down a computer system if demands are unmet.
This probably is the least purchased coverage. It covers downtime caused by breaches in a company's network.
This coverage is most relevant for retailers and online companies. It covers libel and disparagement, and a good policy covers social media, too.
This covers the cost of repairing, replacing, and restoring damaged or destroyed data the insured possessed. The goal is to return contracts, employee info, W-2s, logistical routes for trucking firms, and other data to their pre-breach state.
This is important for businesses that take in credit card information. It covers financial penalties for having a poor system for securing sensitive payment card information.
Watch out for the following policy exclusions. Exclusions could be policy elements that weren't a good fit for your organization, which means you save premium dollars. But take it from our subject matter expert: You don't want to learn about omitted coverages when it's time to make a claim:
The webinar offered more coverages and exclusions that deserve scrutiny when reviewing a policy. To discover other cyber liability policy elements, click the button below to access the slide deck and webinar recording. Our subject matter expert also listed can't-miss underwriting questions that go into quoting a cyber liability policy. Check it out! (While the webinar's focus was the transportation industry, most of the content can be applied to other sectors, too!)
Have you ever had to manage a data breach? What advice would you give a company facing a similar situation? Please sound off in comments!