Cyber / Data Breach Insurance
We live in an era of big data. Many everyday activities are wrapped in it—visiting the doctor, paying bills, or getting an insurance quote. This data is immensely valuable to a number of people, as it can be used to access accounts and take money, steal corporate secrets, or get sensitive information that can be held hostage. One out of four companies is likely to be breached in 2018. More than that will be attacked. Any secure system can be breached—in fact, 90% of small businesses are affected by a data breach each year. Every company that touches sensitive data is at risk for these breaches. This is evident in the big security breaches from huge companies and even national intelligence agencies. Even with excellent and expensive cyber security, people in an organization can be bribed, tricked, or scammed. With the huge increases in big data availability, software issues, wireless connections, the cloud, and potential ways in from any networked physical device, a small business has a big risk of suffering a data breach. If your company provides a software or other data handling service and you suffer a breach, you are responsible for even greater costs.
Hackers steal millions of valuable identities, passwords, credentials, medical records, bank accounts, social security numbers, trade secrets, and more from both tech firms and also everyday businesses that have employee records, client records, engage in online commerce, and more. We exist for these inevitable troubles. Every year more data is accrued by companies with the potential of doing incredible amounts of damage. Here at RF Insurance we offer comprehensive cyber insurance policies that go beyond what is often offered as endorsements to a Commercial General Liability policy while offering a huge discount.
If your house had a one-in-four chance of catching fire every year, a smart person would get home insurance before they even had a home. Every business needs some form of cyber insurance.
What is Cyber / Data Breach Insurance? Why Do I Need Cyber / Data Breach Insurance?
Cyber insurance is the insurance you need to protect the value of your digital assets. It’s important to note that even if you have standard business liability insurance, you are not covered in the areas of cyber insurance. Cyber insurance applies to both first- and third-party businesses keeping data, or selling software to clients. Cyber insurance covers privacy issues, Internet- or network-related intellectual property rights, and many of the collateral costs of a successful breach.
Types of Cyber Attacks
Insider and Privilege Misuse
Though outside security is important to prevent external breaches, the biggest threat to most networks and databases is the company’s employees. This doesn’t mean that you need to start a witch hunt, but limiting access to sensitive data and taking good care of your employees can reduce the number of malicious data breaches where employees seek to sell or steal company or client information and secrets. Many companies also lack real-time revocation of IT access for fired employees, causing undue risk if the employee is taking the end of employment poorly. Further issues may occur if the user hasn’t been following proper password creation or safeguarding practices, has been tricked, or is, most commonly, just negligent.
Network and Computer Hacking
Cyber intrusion into a network can occur in a number of ways, including brute force hacking, malware (viruses, worms, and other forms of malicious code), and other cyber system or network intrusions. With the advent of the digital age still only a few decades in the past, most people do not understand the complexity and ways that software and other systems work. Hackers with extensive knowledge about the workings of networks, software, encryption systems, and other aspects of the cyber world can wreak havoc when they gain access or even partial control of an account. Most malicious hacking attempts target user information to commit credit card fraud. Additional issues can include cyber extortion by threatening online business disruption, data destruction, information ransoming or theft, and more.
When people think of physical breaches of a network they oftentimes imagine high-risk situations where a clandestine operative secretly enters a company premises and manually hacks a network. Although this is possible, in reality, it’s often as simple as a hacker leaving a flash drive somewhere an employee might pick it up and later use on a company computer. Once opened, snippets of code can enter the system and start making changes to data or programs, or it can reach out and contact other computers to allow a person access to the network or database.
One of the more overlooked methods of hacking for cyber security is the use of phones and other parts of the Internet of Things (IoT), which is made up of anything that can share data and network for work purposes. Most critical is the use of modern phones. It is impossible to know what apps or malicious programs might exist on employees’ phones without their knowledge. Employees using personal phones almost inevitably do some sort of work on them and, in the process, open your networks and data up to attacks.
Social hacking, also known as “phishing”, is one of the more insidious and hard-to-defend-against forms of hacking. Social hacking comes in many different forms. In almost all of them computers are used only to mine the Internet for personal information about you, an employee, or your business. Using this information, hackers will develop a game plan to trick people into giving up enough information about you or your company to breach your security without any red flags. In one instance in 2015, two teenagers got access to the CIA director’s email and personal information by first getting his phone number, finding his provider, then pretending to be Verizon employees helping a client, and getting access to their file on the director. This allowed them enough information to convince AOL to grant access to his email without a password. They stole key information, including copies of his security clearance application, which contained enough data to open further breaches had they not been caught.
What Businesses Are at Risk?
Significant threats exist for any business that keeps employee data, social security numbers, driver’s licenses, and other client information, or stores trade secrets, patents, intellectual property, and more on hard drives, in the cloud, or with third party data storage. Industries that are most at risk include:
Cyber attacks are common for tech startups, with hackers looking to steal innovations or client information. Tech startups, IT services, and firms in the IoT must defend their security against a number of variables outside of their control. They have much higher risk due to their professional exposure to lots and lots of data, sensitive information, and huge potential losses from client claims, intellectual property, and loss of business. This means that their cyber insurance must cover elements of general liability insurance in areas like E&O coverage.
Software-as-a-service businesses face the same vulnerabilities as other tech firms, but are at higher risk for other types of attacks and claims. Providing software for a client increases risk of unauthorized and accidental dissemination, deletion, or corruption of data, and may allow a successful hack to expose vast amounts of client data, costing them millions and opening your company to resulting claims.
E-commerce businesses working with other e-commerce platforms and software are still liable for many elements of data theft and breaches. This is because of the aforementioned issues of security negligence of contractors or employees, or socially engineered breaches that create plausible reasons for an employee to give away information regarding the company that can result in a breach. Even if you are using third-party software, you are still liable for stolen data that has resulted from employee or contractor negligence, insufficiently strong passwords, or user identification systems. In the event that a breach occurs, a company will be investigated for PCI compliance. This is the legal requirement of any business that accepts credit card payments to host and store their data with a PCI compliant hosting provider. But being PCI compliant doesn’t mean that you cannot be sued. Even after a business is PCI compliant they can still lose hundreds of thousands of dollars through lawsuits. Any PCI compliant firm should have the protection of Cyber Liability Insurance for the high chances of a breach.
Nurses, doctors, and support staff, from hospitals to pharmacies or even third-party insurance administrators, or the insurance companies themselves, are especially susceptible to data breaches and cyber risk. All over the world, professionals in healthcare use a variety of software that takes in and organizes patient information. Even the most basic systems must take in social security numbers, driver’s license numbers, and other forms of identification, creating valuable, high-risk stores of information. Although ongoing and severe cyber security attacks and breaches have pushed industry giants into vastly increasing their breach prevention efforts, breaches still occur—and have drastic consequences for the businesses. A PwC Health Research Institute study on the cost of major healthcare breaches estimates the cost of each record lost at $200 for liability, and each breach after can lead to loss of business and reputational damage.
Small Businesses, Hotels, Restaurants
Despite their lack of regular online presence, restaurants and hotels oftentimes rely on networks and systems to store data on clientele and payments, and can be liable for certain types of breaches. Even PCI compliant businesses are liable for potential breaches and the repercussions that can have in terms of lost value, disruptions to business, and damage to image. Simple point-of-sale accounting systems from third-party contractors or SaaS businesses can be breached through employee or contractor negligence. Most dangerous is the lack of password or cyber risk policies at hotels and restaurants to ensure strong protection from their end.
Manufacturing and R&D
For many companies, the biggest risk isn’t so much losing client information, but losing their own work. This risk can seem apparent when dealing with tech companies that work primarily on digital products, but the risk is just as real for companies that create physical products like cutting-edge phones, cars, industrial ovens, and thousands more. According to Verizon and other major data networks, hundreds of breaches occurred in manufacturing last year alone. For companies that depend on being on the cutting edge, this means that millions of dollars of funding, security, and valuable reputation and business are lost or damaged. This is an ongoing issue as companies and countries all over the world try to catch up and compete in an ever more sophisticated marketplace.
As noted, the threat to industries and businesses does not end there. Cyber security is a key issue within the sectors of education, the public service, utilities, leasing, rental services, and more. Without cyber liability insurance, the risk of losing vast amounts of money and opening yourself up to lawsuits is a real potential that can destroy immense amounts of work, lives, and livelihoods.
Cyber liability insurance is not a blanket, agreed-upon term. Among the hundreds of firms that offer cyber insurance, they all differ drastically in wording of policy and in coverage areas. In general, cyber insurance covers the consumers and producers of technology services or products. However, the lines of cyber security often blur with general liability insurance.
These areas of cyber insurance are further broken down into two different coverage types: third-party coverage and first-party coverage.
First-Party Coverage applies to costs directly involved in responding to issues that occur on your business’ end. That can include breaches of security, rogue employees, successful hacking, theft or destruction of data, business interruption, and more.
Third-Party Coverage applies to costs accrued from third-party attempts to sue you, file claims against you, or when regulators demand information from you.
E&O Coverage – Third Party
Cyber liability insurance and general liability insurance are similar and overlap in terms of E&O coverage—which is very important for SaaS and IT services. Errors and omissions—also known as E&O—coverage is not traditionally cyber insurance, but overlaps with cyber insurance coverage for many IT firms and SaaS companies. As in any high-impact profession, such as a doctor or lawyer, you are obligated to be good at what you say you will do. If your IT or SaaS services are a key element in damages a client suffers, your SaaS or IT firm can be held liable. No one wants to make an error, but even in the most thoroughly vetted documents and software, costly errors can occur. As recently as 2015, one of Apple’s iOS updates opened their phone line to unprecedented security breaches. E&O cyber insurance covers these bases and is key for SaaS companies and tech startups, small and large. IT professionals, consultants, and even app developers need E&O coverage.
Overlapping into general liability insurance, this pays for damages and claims from faults in advice or product that causes damages to a client’s business. This is critical for IT firms and SaaS businesses.
Privacy Liability Including Employee Privacy – Third Party
This pays for damages and claims from “Privacy Wrongful Acts” harming any 3rd party or employees. “Privacy Wrongful Acts” are any privacy breach by “you” for which you are legally responsible, including independent contractors.
Privacy Regulatory Claims Coverage – Third Party
Cyber insurance policies with this cover both first-party and third-party claims, network security, and physical records. This includes discarded hard drives, paper files, manuals, company laptops, or even errant emails and correspondence that were accidentally or intentionally sent to the wrong person. Privacy Regulatory Claims Coverage covers payment of regulatory fines, consumer redress funds, and claim expenses (attorney fees) arising out of “privacy wrongful acts.”
Security Breach Response Coverage – First Party
Security breach response coverage is critical for IT firms, SaaS businesses, and manufacturing, or anyone dealing with intellectual property. This reimburses crisis management costs (cost to employ a public relations consultant) and breach response costs (breach response professionals, cost to notify, legal expense, and credit monitoring, if obligated or voluntarily incurred).
Trigger: Security Breach (accidental disclosure of personal information by you or on your behalf. Theft of data, unauthorized access, or use of personal information stored on your computers.)
Security Liability Coverage – Third Party
Security liability coverage is a critical part of E&O coverage, for breaches of the Security Wrongful Act regarding improper conduct of computer systems, security, and protection of information. This includes the inability of your 3rd party to gain access to agreed-upon services, failure to prevent unauthorized use, or failure to prevent transmission of malicious code.
Trigger: Security Wrongful Act
Multimedia Liability Coverage – Third Party
Media Liability Insurance covers third-party actions such as libel, slander, and intellectual property, copyright, and trademark infringement for the company and its products. Though usually a part of general liability insurance, this coverage area has shifted over to the area of cyber insurance in recent years due to growing online presence of companies. General liability insurance DOES NOT cover the online presence of companies.
Trigger: Multimedia Wrongful Act (acts committed by you or on your behalf via the Internet that cause damages).
Cyber Extortion Coverage – First Party
Groups may threaten a business, or gain access to sensitive company data such as trade secrets, private information, intellectual property, and more, and hold it hostage.
Trigger: Cyber Extortion Threat (requires credible threat from others)
Business Income Coverage – First Party
When cyber security is breached, loss of data, stalled business, and damages to reputation add up. Common amounts measure in the hundreds of thousands or millions of dollars.
Digital Asset Restoration Coverage – First Party
When digital assets are damaged in the event of network disruption or unauthorized access, digital asset restoration coverage pays for restoration costs.
PCI DSS Assessment Coverage – First Party
A bank or financial institution sends audits to ensure that your business is handling any card-holder’s information in a manner that meets the Payment Card Industry Data Security Standard (PCI DSS). This is common especially after data breaches. When your business is not in compliance, you can be subject to legal ramifications. PCI DSS assessment coverage covers damages and claims resulting from a PCI DSS Assessment.
How Much is Cyber / Data Breach Insurance?
This is a great question. There isn’t an exact right way to calculate the proper coverage amount. Cyber insurance for a hotel is not the same as cyber insurance for a tech startup or a cutting-edge manufacturing client. In general, we calculate based off of $200 per compromisable record and focus on making all of our cyber insurance as affordable and effective as possible.
Cyber / Data Breach Insurance for Small Businesses
We start a policy with under a million dollars in liability for small businesses like e-commerce and restaurants or hotels. Most breaches for small businesses run around $100k in losses, so we aim for policies that cover up to $1M or lower.
Cyber / Data Breach Insurance for Large Businesses
For larger companies, or where a business deals with a lot of data like IT, SaaS, or other tech and research and development firms, we often look at policies that cover between $2M and $5M in liability.
The RF Cyber / Data Breach Insurance Difference
Our cyber insurance is famous for striking the elusive balance between effective coverage and affordable rates. For instance, our rates are often 50-70% less than what is offered in the market. We know that saving money is important as you grow your business. We have gone through the market information and run the numbers to make sure that we offer the most competitive rates possible. All our clients have concierge agents on call to answer their cyber insurance questions and walk them through this complicated field. We understand the importance of your company’s future and safety. You likely have questions, and we have answers. Contact us to speak with one of our agents or to start a quote.