Avoiding catastrophic business loss through cyber liability insurance

The benefits could be greatest for small businesses, which could be devastated by a data loss and its complications

Hardly a week goes by that the national media does not report on another Internet data security breach, denial-of-service attack or other cyber loss affecting Fortune 500 clients and their thousands (or hundreds of thousands) of customers. The costs of simply investigating and responding to these losses -- not to mention the resulting lawsuits and regulatory fines -- can be staggering. For instance, the Ponemon Institute estimates that response costs can be as high as $200 per compromised record. It is not difficult to understand how total costs for a wide breach can quickly escalate well into the millions of dollars.

Enter the insurance industry. Historically, in the face of a third-party claim, one would turn to general liability or other policies. Yet coverage under general liability policies is typically limited to "property damage," which may include physical damage to servers, for example, but probably not loss of the data itself. And while crime, fidelity or errors and omissions policies may provide some coverage, again they would typically exclude the lion's share of the expense of a cyber loss. The response has been a line of policies -- known as cyber liability (or data/privacy liability) policies -- specifically tailored to cyber risks.

It is certainly true that large data breaches or denial-of-service attacks at large corporations -- as well as losses of laptops and other mobile devices -- get the most media coverage. But smaller companies can and do face such losses and thus can benefit from mitigating their risk through cyber liability insurance. And in some ways, cyber liability insurance is even more appropriate for smaller businesses. Large companies typically have the foresight and ability to manage cyber risk up front and the sophistication to deal with losses when they arise. For smaller businesses, this is not always so, but the playing field can be leveled to some degree through insurance.

Cyber policies do not simply indemnify a business for the damages it must pay its customers. A good cyber policy does much more. For instance, one of the first things a victim of a cyber loss must do is investigate the cause, often with the use of IT forensic examiners. Then, the company has to comply with mandated notices that must be sent to potentially affected customers. And of course once word is out about the loss, the victim must manage the negative media attention. Cyber insurance can defray expenses at each of these stages. For instance, cyber insurance can even pay the costs of hiring a public relations firm to mitigate negative publicity following a breach. Such insurance can also pay to retain law firms to determine an insured's rights to indemnification under independent contractor agreements. Cyber insurance can even pay to monitor affected customers to ensure that they themselves do not become victims of identity theft. Cyber insurance can likewise cover the costs of paying regulatory fines and penalties. Given that there is no uniform regulation of data privacy protection worldwide, simply negotiating the fine with the myriad jurisdictions involved in a wide breach can be herculean. One should thus not lose sight of these "non-indemnity" benefits of a cyber policy.

While a large company may be able to absorb these expenses, typically a smaller company cannot.

Smaller companies are also less likely to have robust social media procedures and policies in effect for employees. Businesses are more and more often sued for defamation, unfair competition, breach of privacy and related claims arising from employee postings on social media of all types. Again, cyber liability policies can be tailored to respond to this type of liability.
