Every business has cyberrisk. What are you doing about yours?

Many employers underestimate their risk of a cyber breach and the overall cost of cyber claims.

Data breaches have increased 23 percent in the last year, according to the Symantec Internet Security Threat Report 20. The average cost of a data breach also is now at $4 million, the Ponemon Institute’s 2016 Cost of Data Breach study found.

“With the rising number of breaches and costs associated with them, cyber insurance should be a key component in every company’s insurance portfolio,” says Angela Corcoran, client service supervisor at Arthur J. Gallagher & Co. “If employers don’t have cyber coverage, now is the time to reach out to their insurance advisers. For those employers who’ve already purchased cyber policies, it is important to ensure that their limits are adequate to cover their risks.”

Smart Business spoke with Corcoran about the latest cyberrisk developments.

What risks can cyber insurance cover?

Every organization has some sort of cyberrisk, even if it isn’t transacting business over the internet. Any entity that interacts with the public or hosts a website has cyber exposure. Any employer that collects even a minimal amount of personally identifiable information is at risk of a privacy liability claim. Additionally, all employers are vulnerable to cyber extortion — a threat of a cyberattack on their website or computer systems in exchange for money.

Cyber policies are designed to insure against these scenarios and more. Most policies provide first-party coverage, which responds to direct losses to the insured, and third-party coverage, which is designed to cover the insured’s liability to others.

Also, cyber policy components provide coverage for things like network security, privacy liability, breach response, media liability, extortion, etc., which can be tailored to fit each employer’s particular risk. For example, retailers or businesses that accepts credit card transactions can buy PCI Assessment coverage that will pick up costs associated with assessments against the company for breaches of Payment Card Data Security Standards. The appropriate limit is partially determined by the number of credit card transactions each year and the company’s PCI compliance level.

How can an employer determine what level of insurance to get?

There’s no magic formula to determine the proper amount of cyber limits. Every business is unique. Employers can reach out to their insurance advisers who should have tools and models that can help drill down to appropriate limits based on their exposures.

What’s happening with the coverage prices?

A year ago, cyber rates were increasing rapidly, due to high-profile data breaches. In the past six months, rates seem to have stabilized; however, expect continued rate fluctuation as claims evolve.

Are there emerging products that employers should watch for in 2017?

Cyber insurance is ever evolving. As cybercriminals get bolder and more sophisticated, new exposures arise, forcing insurers to constantly revise their underwriting and claim handling approach.

A recent addition to some cyber policies is social engineering coverage, sometimes referred to as fraudulent impersonation or cyber deception. Coverage is provided for the deceptive misleading of a company’s employees into releasing funds or confidential information to an illegitimate third party. This can happen when an employee receives a fraudulent email that looks like it’s from the CEO. The email requests funds to be wire transferred to an account, and only afterwards, does the employee realize that the email was a fraud. Social engineering coverage can sometimes be added to crime policies as well as cyber policies. All employers should consider this, as all companies are vulnerable.

What else would you like to share?

Many employers have a false sense of comfort in response plans that have not been adequately tested. It’s a good idea to sit down with senior management, key personnel and insurance advisers for a tabletop exercise, a ‘fire drill’ to simulate the company’s response to cyber claim scenarios. This allows employers to vet their current response plans, identify shortfalls and focus on where changes can be made, in order to strengthen their response to potential cyber claims.

Insights Insurance/Risk Management is brought to you by Arthur J. Gallagher & Co.