Cyber risk and data breaches have quickly moved from the occasional occurrence at a small shop or government institution that didn’t appropriately protect its information to a normal topic of conversation involving well-known household names. A recent article by Alan Lyons in the New York Law Journal, “Finding the Right Level of Cyber Insurance Protection,” notes that businesses today may still leverage more “traditional” types of insurance policies (like commercial general liability, commercial property, and employee dishonesty) and expect them to pick up the bulk of the costs in the event of a security breach. The reality is that things have changed: cyber liability is a real risk that an organization has to account for separately.
Cyber liability coverage is a must. Information, especially personal information, has real value. With the increase in cyber-crime events over the past few years, a security event can be a game changer for an organization and the people who rely on it. Lyons points out in his article, and appropriately so, that there are really a couple of items that need to be considered when finding the appropriate cyber liability coverage:
The first question, “What does it cover and what events does the policy protect against?”, is really where the business needs to dig in and understand its risk. Perform risk assessments, look at your industry, and identify where the business and its customers have the most to lose. This is how Businessolver has approached these very questions for years. We have had the opportunity to look at a number of different policies, evaluate our business, see what similar industries have experienced, and find a policy that encompasses the most important things. For example, we make sure that we are covering “prior acts” back to the point when we first started serving our customers, and that we have all of our PHI and other protected data covered under the policy. These are important parts of the equation that may or may not be covered depending on how the policy is written.
The second question, “What kind of a limit does the organization need on the policy?”, is really the more challenging question that every company will have a difficult time answering. Even when armed with the data and statistics provided by the Ponemon Institute, Verizon, and an insurance broker, an organization can never be entirely confident that it has the right level of coverage. These sources give good examples and historical trends, but every company is different. Fortunately, Businessolver continues to take the approach that an organization can almost never be overinsured in this area. Each year we continue to push the limits and identify where we can find adequate and appropriate levels of coverage for our business and our customers.
Cyber risk is not going away. When you’re in the business of providing a web application that moves data from point A to B, this risk is only going to continue to grow. While strong security and strong internal controls are essential for an organization in this space, companies can no longer ignore cyber liability insurance in their overall risk management strategy.