Cyberattacks make big news because they often cost businesses big money.
Take, for instance, the CDK cyberattack earlier this year. The dealership software provider went down for nearly a month, and the outage cost dealerships more than $1 billion, according to Anderson Economic Group.
Insurance policies can help cover some of a loss — if they’re written properly.
What does insurance cover?
Rex Benfield, executive vice president of Paladin Business Consulting, a vendor-neutral technology company, says most insurance policies come down to what you want to cover.
Cyber policies can help protect businesses against losses resulting from a cyberattack. They can include coverage for data breaches, attacks on data held by vendors and other third parties, cyberattacks at home and abroad, terrorist attacks and more, the Federal Trade Commission (FTC) says. Optional coverage may include features such as lawsuit defense and breach hotlines.
[RELATED: Best practices for distributors to reduce cyberattacks]
“The biggest thing in looking for a cybersecurity policy is what exactly you’re wanting to cover,” Benfield says. “It’s not a one-size-fits-all kind of thing.”
Nikki Ingram, AVP head of cyber risk services for Zurich Resilience Solutions and SpearTip and keynote speaker at the 2024 Successful Dealer Award Summit, says the good news is there’s some overlap in deciding what coverage you need with formulating the general requirements for a security program.
“A big thing with insurance, and it also goes with cyber management in general, is to have a formal, documented plan,” Ingram says. “It doesn’t have to be expensive. It doesn’t have to be complicated.”
[DOWNLOADABLE: Sample Incident Response Policy]
Your insurance broker can help you decide what coverage you need, and can also help you set up a plan that shows you did your due diligence: the governance piece is built into your coverage plan and documented to the best of your ability.
“Most are quite happy to work with you,” Ingram says.
Finding coverage
Benfield approaches the same problem from the company's perspective, helping his clients sort out what the company needs to have, what it wants to have and what it can do without, before tackling the underwriting process on the client's behalf.
He says some applications can be several pages long and the insurers themselves are “kind of picky,” with terms and conditions that must be met before underwriting can take place.
That’s part of the due diligence Ingram spoke of.
She says there are two kinds of coverage available: first-party coverage and third-party coverage. First-party coverage protects the business's own data and pays the business's own costs after an incident, the FTC says, including legal counsel, recovery and replacement of lost or stolen data, customer notification and call center services, lost income, crisis management and public relations services, extortion and fraud, forensic services, and any fines or fees related to the incident.
Third-party coverage protects a business if a third party brings claims against it. This covers things such as payments made to customers affected by the breach, claims and settlement expenses related to disputes or lawsuits, defamation losses or losses related to copyright or trademark infringement, costs for litigation and responding to regulatory inquiries, accounting costs and more, the FTC says.
Ingram says business owners should, of course, always read over the policies to fully understand what they cover and what they don’t. Typically, she says, policies do not cover any activity related to prior breaches or technology system improvements, even if they improve system security.
[DOWNLOADABLE: Sample Security Awareness and Training Policy]
Speaking of reading terms and conditions, Ingram says to carefully scour those of any third-party solutions you use for backups.
“I’m a big supporter of technology and leveraging where possible, but are you doing due diligence so it helps you and doesn’t hinder you,” Ingram says. She advises policyholders to read those terms so they know their data is safe.
Take advantage of services
Ingram says some insurers may also offer value-added services to help business owners sort through what can seem like an overwhelming amount of information. Zurich, for example, will offer a complimentary incident response workshop or a 30-day cloud monitoring service.
Brokers also are more than happy to help businesses improve their security and adjust premiums as they go.
Benfield says some businesses may need to put certain services in place to become insurable, and those practices also can improve their security. These include employee training, vulnerability testing, penetration testing and response plans. He recommends vulnerability testing be done monthly or quarterly and penetration testing every six months to annually.
[DOWNLOADABLE: Sample Cyber Incident Response Plan]
“You may have started one premium, but as you mature your cybersecurity program, carriers can quote you more competitively,” Ingram says.
Even if businesses don’t think they need coverage, Ingram encourages them to consider the bigger picture. Imagine a threat actor, she says, and what they’re likely to go after. Can they monetize any information directly from your business, or can they use it as a launchpad to bigger companies you work with? One example: an attacker pulls customer contact and billing details from a compromised system, sends invoices in the hacked business's name, and collects the customers' payments.
“You’ll see a lot of cyber policies that may have some other elements,” Ingram says. “Work with your broker on understanding what exactly is your need and coverage.”