According to FBI Director Robert Mueller, "there are only two types of companies: those that have been hacked and those that will be…." Computer hackers stealing our personal information (social security numbers, bank accounts, addresses and phone numbers, etc.) are all over the news. By all means, let's increase our network security. But, insurance can play a vital role here as well. With apologies to Director Mueller, there are two other types of companies: those that electronically obtain and maintain sensitive personal information and those that hire others to do so. Insurance can help in both situations. What type of insurance, who should carry it and how much coverage is needed?
Cyber Liability Insurance
Other insurance policies may be triggered, depending on the nature of the data breach (including commercial liability, business income loss, directors and officers, errors and omissions, professional liability, and others), but the only way to make sure that you have coverage for the types of losses and liability claims associated with data breaches is to obtain Cyber Liability coverage. If you don’t have it, you're not alone. Only about 30% of businesses do. And it is buyer beware right now. The policies have only been widely available for about 5-7 years, the scope of coverage varies and there is very little case law out there interpreting the policies. Talk to your broker or insurance lawyer about which coverages are right for your business.
Who should carry Cyber Liability Coverage?
Both your company and any third party vendors who have access to your employee, customer, or client personal information should carry Cyber Liability coverage. For those third party vendors, you probably already require that they show proof of commercial liability or professional liability coverage of a certain amount. It's time that you require that they show proof of Cyber Liability coverage as well. If the relationship is significant and ongoing, you should require that the vendor add your company as an additional insured under the vendor's Cyber Liability policy too. That way, your company will be directly insured for the vendor's cyber liability conduct.
How much Cyber Liability Coverage is needed?
As always, the questions of how much coverage you need for your business, and how much coverage you should require of your vendors, are not easy to target. A recent study of the costs of data breaches shows that the average organization cost of a data breach is $1.4 million! Of course, the size of your organization and the number of files with confidential data can greatly affect the cost of a breach scenario. The recent Target data breach event is projected to potentially exceed $1 billion. The best advice here is to consult trusted brokers or insurance lawyers who can help you work through these questions.