Data is critical to many modern businesses. If your business stores sensitive data such as social security numbers, credit card numbers, driver’s license numbers, health records or other confidential information about your customers, partners, or vendors in an electronic format, you may be at risk for a hack or data breach.
Cyber Liability Insurance is meant to cover your business against liability and property losses caused by cyber attacks such as hacks, data breaches, denial of service attacks, and viruses. Commercial general liability policies usually exclude coverage for cyber liability, so you may not have coverage for data breaches under your primary general liability policy.
If your business is hacked and your customers’ personal data is stolen, they may sue your business for the violation of their privacy. Also, government regulators or credit card networks may issue fines or penalties against your company in the wake of a data breach. Cyber Liability Insurance can help pay for the financial costs of these lawsuits or fines.
Additionally, a cyber attack can create additional costs for your business. You may have to hire consultants to recover your data and run advertisements to notify your customers of a data breach. If your business is extorted, Cyber Insurance can provide coverage for the costs of ransom. Also, if your business operations are disrupted by a hack or virus, Cyber Insurance can provide compensation for your lost profits. Cyber Insurance can provide financial protection for all of these situations.
Who needs Cyber Liability Insurance?
Business Owners who store personally identifying customer information may need Cyber Liability Insurance if they collect any of the following information:
- Credit card numbers, or if you store other bank or payment information.
- Personal information such as names, email addresses, phone numbers, addresses, social security numbers, or driver’s license numbers.
- Health and medical information.
- Trade secrets or patent applications belonging to your clients.
For small businesses, cyber liability can sometimes be added on to a Business Owner’s Policy as an endorsement or additional coverage. It is also available on a standalone basis.
Cyber Liability Insurance can provide protection for data breaches other than hacking and viruses. It can also protect against employee mistakes such as emailing data to the wrong person or losing a laptop with sensitive personal information.
What does Cyber Liability Insurance Cover?
Cyber Liability Insurance covers the financial losses from data breaches, hacking, viruses, denial of service attacks and other similar cyber events.
Cyber liability coverage has two major components: third-party liability coverage and first-party coverage. Third-party coverage provides protection when a customer, vendor, partner, or other party sues you for allowing a data breach to happen. First-party coverage protects your company when you incur expenses from a data breach or when your company is hacked. You may choose to purchase either or both types of coverage.
Third-Party Liability Coverage
The third-party liability coverage provided by cyber liability insurance provides protection against lawsuits filed by clients or others against your business as a result of a breach of their security or privacy. These lawsuits can accuse your business of failing to adequately protect data you possess that belongs to customers, employees, vendors, or others.
Some of the claims that third-party liability may cover include:
- Lawsuits, judgments, and settlements against your business that arise from a data breach.
- Legal and attorney’s fees to defend against lawsuits for data breaches. Cyber liability policies generally have “shrinking limits” of insurance, which means that any legal defense costs reduce the limits of insurance.
- Network security claims resulting from a data breach, or the inability of others to access data you store. This can include viruses and malware, denial of service attacks, or unauthorized access by a hacker or rogue employee. It can also cover your business if you have trade secrets or patent applications for clients that are exposed in a hack or data breach.
- Privacy claims alleging you were negligent in failing to protect sensitive data of others stored on your company’s network and systems. In addition to hacks and viruses, privacy breaches can include a breach of a physical record, such as files tossed into a dumpster. It can also include human error such as a lost laptop or sending a file full of customer account data to the wrong email address. Privacy claims can also include the wrongful collection of personal information.
- Employee privacy liability if sensitive data about your employees is stolen from your company systems.
- Fines, penalties, and costs to respond to regulatory inquiries. Costs you owe to banks to reissue credit cards are also covered.
Third-party liability insurance is generally written on a claims-made basis, which means coverage is only available if the claim is submitted while the insurance policy is active. Most general liability policies are written on an occurrence basis, which covers claims submitted after the policy ends if the event causing the claim occurred while the insurance was active.
First-party coverage covers the financial losses your business incurs due to a data breach or hack. These costs can include:
- Notifying your customers or employees affected by the breach. Many states require businesses to notify affected customers or employees if personally identifying information is involved in a data breach.
- Providing credit monitoring services to those affected by the data breach. Although most states do not require providing credit monitoring services after a data breach, it can be a helpful tool to aid your public relations efforts.
- Hiring technical consultants or lawyers to find out whether a breach happened, the extent of the breach, and any regulatory compliance necessary.
- Advertising and public relations costs to educate customers or other affected parties about the breach and help to fix your company’s reputation.
If your company’s electronic data is lost, damaged or corrupted due to a hack, virus or denial of service attack, you can be covered under first-party coverage. This coverage also extends to data belonging to others stored on your systems.
First-party coverage will reimburse your company for the costs to restore or recover the lost or damaged data, as well as the costs to hire consultants to help you restore or repair your data.
Data recovery coverage usually does not cover data loss due to mistakes made by your business or your employees. For example, if your employee accidentally deletes your critical business data, it would not be covered.
Because commercial property coverage usually excludes coverage for electronic data, having this data recovery coverage can be valuable if your company experiences a hack or cyber attack.
Business Income Insurance (also known as Business Interruption Insurance) is also available on many Cyber Liability Insurance policies. A typical business income insurance policy that is attached to a commercial property policy only covers perils that cause physical damage. Usually, commercial property coverages do not provide coverage for electronic data.
If the loss or destruction of data leads to a disruption in your ability to do business, this coverage can pay for the loss of business income your business experiences.
For example, your business is hacked, and data critical for your sales team to sell on a daily basis is destroyed. Your business income insurance under your commercial property policy will not provide any coverage, even though you will experience lost sales and profits. Cyber liability coverage can reimburse you for the lost sales and profits when data is lost due to a cyber attack.
Note however that this coverage only applies to lost profits that are directly a cause of the cyber attack. If your sales decline due to a hit to your reputation from the data breach or cyber attack, these declines will not be covered, as they are not directly caused by the breach or attack.
First-party coverage can also cover cyber extortion. If your business is threatened with damage to your computer systems or networks unless you pay a ransom, this insurance can provide coverage. For example, a hacker may gain access to your computer network and threaten to delete all your data unless you pay them money. Or, a virus infects your computer and the extortionist threatens to release confidential data on your company unless you pay their demands.
This insurance can provide coverage for the money you spend to respond to the extortion demand, as well as any ransom you pay. The insurer’s consent is usually required before you pay these expenses.
Deductibles and Sublimits
Many cyber liability policies have sublimits for first-party coverage. A sublimit is part of the limits of insurance, but it places a maximum on the amount of coverage for that type of loss. For example, if you have a cyber liability policy of $1 million, with a 50% sublimit on first-party coverage, the most the policy will pay for first-party losses is $500,000, and the most it will pay for all kinds of losses including first-party losses is $1 million.
Many cyber liability policies also have a deductible, which means that your business retains part of the risk of the loss, up to the amount of the deductible.
Also, many policies have a waiting period, during which losses will not be covered. For example, a policy with an 8 hour waiting period will not pay for any losses incurred during the first 8 hours of a network outage.
What isn’t covered by Cyber Liability Insurance?
Cyber Liability Insurance is primarily designed to protect your business from cyber attacks. However, there are some exclusions to the coverage from this insurance. These include:
- Damage to your business reputation as a result of a data breach.
- Costs to fortify and improve your internal technology systems.
- Lost future sales because customers avoid your business after a breach.
- Loss of intellectual property owned by your business.
- Damage to your business caused by your own or your employee’s actions. For example, you install new software that causes your network to go down for several days.
Reducing the Risks of Cyber Liability Claims
Cyber Liability Insurance should be your last line of defense against hacking, viruses, and data breaches. It is best to be proactive and take precautionary steps to reduce your exposure to cyber liability.
After a data breach, customers or clients may be less interested in doing business with you in the future.
Some ideas for reducing your cyber liability exposure include:
- Install all the latest software and security updates.
- Hiring an IT security consultant to audit your systems and create a security plan.
- Backing up your company data on a regular basis and storing it in the cloud or offsite.
- Limiting access to sensitive information by employees using passwords for electronic data and physical locks for physical files.
- Using network security software and firewalls, including the use of virtual private network (VPN) software.
- Training employees on the importance of keeping customer and partner data confidential.