Before the breach: selecting the right policy and the application process
1. Be sure to consider all possible areas of exposure and ensure your business has enough coverage for its risks
Cyberattacks are costly and can shut down a business completely if the business’ networks and computers are bricked and unusable, if the business cannot afford recovery costs, if the business faces third-party liability or if the business cannot survive any temporary loss in income. Costs can vary and rise quickly. It is vital to fully assess all potential exposures that your business might face and to ensure adequate coverage – including coverage for business interruption, ransomware payments, third-party liability, data recovery costs, legal fees, PR experts and payment to customers if the business is found to be at fault. In determining what losses are likely, consider things like damage and loss of a computer system or data, a business shutdown, potential fines and penalties, liabilities following data loss, reputational damage, theft and extortion.
2. Keep your IT security officers and stewards of IT systems in the loop when completing cyber-insurance applications
Cyber-insurance applications increasingly focus on cybersecurity infrastructure and controls. An inadvertent error in completing the application may be used as a basis to deny coverage, so it is important to consult the people with the most information about your business’ information technology systems and keep them closely involved with the application process.
3. Coverages to consider
The key here is understanding your company’s specific risks and exposures. For first-party costs, where the company is hacked or is subject to a ransomware attack, look for coverage for notification and credit monitoring expenses if your customers’ personal information could be stolen in a data breach. These expenses add up quickly. Some policies cover credit monitoring and identity theft protection services for customers as well. For third-party costs, look for coverage of liability costs associated with a breach of personally identifiable information. Also look for coverage for lost business income and extra expenses due to a cyberattack, including express coverage for mitigation costs, particularly if you rely on your own salaried IT and cybersecurity employees, to the extent they are working to respond to and recover from a cyberattack. It is also important to look for coverage of defense costs in the event your business is sued following a breach.
4. Consider obtaining retroactive coverage
Breaches can occur months before they are discovered. Consider whether your business would benefit from retroactive coverage of breaches that occur before the date of policy inception. This is particularly important for first-time buyers of cyber coverage.
5. Consider obtaining coverage for employee or vendor acts
Insurers may decline claims if an employee or vendor with access to data was at fault. Look for policies that include coverage for these kinds of incidents. Some policies bar coverage for the “rogue” acts of employees but cover the negligent acts of employees. This issue is increasingly important given the rise of social engineering fraud. Also, be aware of sublimits that may leave your business without sufficient coverage following a social engineering fraud loss.
- Cyberattacks are on the rise.
- Cyber-insurance policies can help businesses get back on course after an attack.
- Policyholders must be mindful of some common pitfalls.