Although cyber insurance policies can cover some of the damage caused by a business disruption, they don’t always address some of the key issues that arise during a data breach, like the cost of reputation damage and loss of customers. In order to fully protect your business, a cyber insurance policy should be coupled with a thorough business continuity plan (BCP). Here are a few things to keep in mind about cyber insurance policies.
Before coverage can apply, businesses experiencing a breach have to meet certain requirements. In order to ensure that the incident isn’t something that happens frequently, many cyber insurance policies require businesses to wait six to 12 hours before the incident can be deemed a legitimate business disruption. Larger companies typically have to wait even longer due to the assumption that they can afford more loss before needing any aid.
Furthermore, cyber insurance policies don’t always provide reasonable coverage for ransomware attacks. Although this type of coverage — called “cyber extortion” coverage — varies, many times the policy deductible will cost more than the ransom amount. Others cover the cost of paying the ransom but require a business executive to agree to pay the ransom, which is strongly discouraged by the FBI.
Every cyber insurance policy is different depending on the industry and size of the business, but the most common components of cyber coverage are errors and omission, media liability, network security and privacy. However, a few important areas that are not currently covered by cyber insurance are reputational harm, future revenue loss and the cost of IT system improvement.
Sometimes cyber insurance doesn’t even cover the full cost of a data breach. When the P.F. Chang’s restaurant chain was hacked in June 2014, the chain’s cyber policy only covered $1.7 million of the total cost. Due to some exclusions in the policy, the coverage did not apply to an additional $1.9 million that P.F. Chang’s reimbursed to Bank of America for charges made as a result of leaked credit card information.
Risk of Misinterpreting the Policy
If you have a cyber insurance policy in place, ensure that you understand what specifically is covered in the event of a data breach. Sometimes, even though a policy has cyber extortion coverage, it may not cover “first-party” costs like public relations expenses, profit loss during downtime and the cost of investigating the breach. Or in some cases, the policy will cover data breach costs only if the breach is committed by someone within the company’s walls or as a result of human error.
One example of a business misinterpreting its insurance policy occurred in April 2011, when Sony’s PlayStation network was hacked, causing Sony to lose $178 million in profits. Sony sought coverage from Zurich and Mitsui Sumitomo Insurance Company, which filed suit in New York state court, stating it was not obligated to cover the hack because Sony had misinterpreted a phrase in the insurance policy. The courts sided with Zurich, citing the fact that the policy requires the policyholder to commit the act, and Sony’s breach was committed by a hacker.
Cyber Insurance Works Best With a Business Continuity Plan
Although cyber insurance helps cover certain costs of a data breach, it’s not enough to completely support your organization in the event of a breach.
Business continuity planning requires you to identify weak points in your organization, such as out-of-date IT infrastructure, lack of an off-site data vaulting solution and employees who are uneducated about cyber security best practices. Proactively identifying these vulnerabilities ultimately helps reduce the chances of a cyber breach from occurring.
If your business is still affected by a breach despite your precautions, a business continuity plan helps mitigate the impact of areas cyber insurance doesn’t cover, like developing plans for managing the business’s public image after a breach, testing processes for getting systems back online and helping employees get back to work again.
What are you doing to improve cybersecurity in your business? Let us know in the comments.