Why not every cyber policy is the same — and what to do about it

In business today, people are starting to recognize the need for cyber insurance, after hearing about hacker attacks.

“People look at what happened to Target and still say that’s not going to happen to me, but cyber breaches involving small companies have tripled,” says Charlie E. Bernier, Esq., principal consultant of Professional Liability at ECBM.

The average breach costs about $7.2 million — for any size company — so a cyber claim could bankrupt your business.

But if you’ve decided to buy cyber coverage, what happens next?

Cyber coverage doesn’t have standard forms, and not every carrier’s policy is the same, Bernier says.

Smart Business spoke with Bernier about getting cyber coverage with the right limits, endorsements and exclusions.

What do cyber policies generally cover?

Cyber polices typically provide both first-party and third-party coverage. First-party coverage insures for losses to the insured’s own data, lost income or other harm to the business from a data breach or cyberattack. Third-party coverage insures for the liability to third parties, such as clients.

Some companies buy a cyber endorsement for an errors and omission policy, but that never covers first-party losses.

How should businesses obtain full first-party coverage for all scenarios?

Even if it’s through an endorsement to your cyber policy, you need to ensure the first-party coverage includes business interruption and reputational harm. After you discover a cyber breach, your business is stopped while you go through your systems, and this lost revenue can add up. In addition, after you notify people about lost information, you want to get reimbursed for reduction in profit during the period after the breach. There’s a good chance you’re going to lose customers due to reputation damage.

What’s important to know about the third-party coverage?

The most common mistake is not getting enough breach notification limit coverage and not setting coverage for regulatory action proceedings.

If your company discovers a cyber breach, under state and federal law, you must notify everyone whose information has been compromised. The limit needed depends on the type of personally identifiable information (PII) and amount of records you hold. As an example, a $500,000 limit is not enough for most retailers. With a few questions, your insurance professional should be able to tell how much it will cost to notify people, and therefore help set the correct limit. The ROI is six to one; for every dollar you spend on premium for a cyber policy, you save $6 per breach.

Also, you should get full coverage for regulatory action proceedings. If your company faces a government regulatory proceeding for a breach or not storing information properly, the policy should cover both the defense of that proceeding and the fine you’ll pay if you lose.

What are exclusions to avoid?

Some policies include an encryption exclusion. If one of your employees has his or her laptop stolen, which is only password protected but not encrypted, then with this exclusion the coverage is void.

Two other exclusions to avoid are a failure to upgrade software exclusion and a failure to maintain exclusions. Both of these severely limit the claims you can file.

What else do employers need to know?

A Verizon study found 66 percent of cyber breaches discovered in 2013 happened months or years prior. Don’t ever get a cyber policy that starts when you buy it. It’s worth asking for unlimited prior acts but don’t take less than a five-year retroactive date.

It’s not common, but it’s possible to include indemnification coverage on the policy. For instance, if your law firm is working for a bank, the bank can say, ‘You can’t defend our cases and work for us unless you agree to indemnify us for your breaches of PII.’ Then, if your firm loses PII, you have to pay for the notices your firm and the bank are required to send out. Cyber insurance will cover this indemnification.

Finally, keep in mind now is the time to buy a policy, with insurance carriers hungry to write cyber. The prices will never be lower and the power of the buyer will never be higher than it is right now.

Insights Risk Management is brought to you by ECBM