Between 2013 and 2015, the number of records exposed by data breaches grew from 49 million to over 121 million, costing companies an average of $201 per record lost, or a total of $9.8 billion.
The growing frequency and cost of cyber attacks have led many companies to purchase cyber liability insurance. Premiums for these policies are expected to surpass $20 billion by 2025, up from $2 billion in 2015, according to Allianz Global.
Despite the growth in cyber insurance coverage, however, policies often fail to keep up with the latest cyber threats. As a result, many companies that have been victims of cyber crimes—even those with cyber liability insurance—have lost profits, struggled to fully recover from attacks, and been held liable for cyber damages.
To be fully protected, a company’s leadership team needs to ensure that the following 5 components are included in its cyber liability insurance policy.
1. Ransomware protection. When ransomware attacks occur, an organization’s files or entire system are locked until a specified amount of money/ransom is paid to the perpetrators. 2016 has seen a string of ransomware attacks targeting a number of industries, especially healthcare. Ransomware typically comes from either compromised websites or email attachments, and employees are tricked into opening attachments that then install ransomware. Due to the large amounts of damage caused by ransomware attacks, cyber insurance providers are sometimes reluctant to expose themselves to such a high level of risk, and therefore don’t always offer ransomware coverage in their basic policies. As a result, companies considering insurance should ensure that ransomware protection is included.
2. Legal tender vs. monies. As ransomware attacks continue to increase, it is essential for insurance policies to clearly define and cover both “legal tender” and “monies.” Legal tender refers to government-issued circulating currency, while monies refers to a medium of exchange that will hold value for a long period of time. In the cyber realm, this is most often Bitcoin, which is the type of payment usually demanded by those committing a ransomware attack. Companies without coverage for monies may not be eligible for reimbursement of a paid ransom in the event of a ransomware attack.
3. E-business interruption. In the digital age, the operation of a company’s website is often directly linked to its ability to do business and earn money. However, in the event of a cyber attack, websites are often disrupted—a server can fail or ransomware may lock a web page. Companies, especially those that depend solely on e-commerce for their sales, must be sure that their cyber policy covers e-business interruption.
4. Third-party corruption. One common way that malware is introduced into a company’s system is through a third party. If a business unknowingly sends a corrupted email to another business, thereby compromising their system, the question becomes: who is responsible? The affected business may hold the sender/third party responsible, even if the harm was unintentional. In this instance, if the “culprit” is sued by the affected business, it may be assumed that an insurance policy will cover the costs. However, if coverage for third-party corruption is not explicitly stated in the policy, it is likely not covered. As a result, the business that unknowingly passed along the virus will have to deal with the costs of repairing the damage from the incident.
5. Exclusions. Even if the four previous components are included in a cyber liability policy, they can count for little if companies do not carefully review the exclusions within a policy. For example, a company’s policy may exclude:
- Paper files containing protected information
- Unencrypted data
- Claims brought by regulators or by the government
- First-party notification expenses for disclosing personal health information, corporate confidential information or personally identifiable information
As cybersecurity threats continue to evolve, it is vital for companies and their leadership teams to constantly analyze and update their cyber liability policies. Failure to do so can have potentially disastrous consequences.