The Singapore Ministry of Health reported that the health records of 14,200 HIV positive patients had been hacked and released online. An Oklahoma government server storing FBI investigation records was found to be accessible to the public. A Texan City Hall had to shut down all digital operations after a ransomware attack. And Citrix, a multinational SaaS (software as a service) company serving 400,000 businesses, suffered a data breach where hackers had access to sensitive information for approximately six months before it was identified.
445 million cyber attacks have been detected in the United States alone since the start of 2020.
And a recent study conducted by the Internal Data Corporation of Canada found that “cybersecurity incidents are occurring on a regular basis and the cost of these compromises is at an all-time high. The average cost per organization of responding to, and recovering from, cyber security incidents increased to between $4.8 – $5.8 million, up from $3.7 million last year.”
Cyber attacks are now a very real threat to businesses of any size, in any industry. If your business handles or stores personal/sensitive information online, cyber liability insurance should be a priority.
What is cyber liability insurance?
Cyber liability insurance covers a business in the event of a data breach or other cyber event where sensitive information (e.g. contact information, financial, personal health records, etc.) is involved. A policy can cover errors of omission (the business didn’t do something they were supposed to do) or commission (the business did something they were not supposed to do). It provides financial assistance for the extraordinary costs that can result from an attack.
Cyber liability is not typically included within general liability insurance and must be purchased separately.
Learn the different types of cyber attacks
Cyber attack techniques are constantly evolving. So it’s important for your business to stay up to date, take appropriate preventative measures, and respond swiftly if an event does occur. The most common cyber attack tactics are:
- Malware – malicious software (spyware, ransomware, viruses, etc.) breaches a system and installs damaging software that can execute various actions within the network
- Phishing – communication (typically email) that attempts to steal sensitive information by imitating a reputable source
- Man-in-the-middle (MitM) attack – as the name implies, an attacker intercepts communication between two parties and can steal the data transferred between them
- Denial-of-service attack – an attacker overwhelms a system with traffic to the point where it cannot process legitimate requests
- Structured query language (SQL) injection – malicious SQL code is inserted into a query that an application sends to its database, permitting access to sensitive information
- Zero-day exploit – a network attack executed immediately after a vulnerability is discovered and before it can be fixed
- DNS tunneling – data is encoded inside DNS queries and responses, allowing secretive communication and extraction of data that firewalls often do not detect
Remember that human error frequently plays a role in cyber attacks. An employee falls for a phishing scam. A predictable password is used. A free USB drive installs malware on the company computer. Cyber attacks can be unintentionally initiated by the most innocent of employees. That’s why education is so important. The more your team understands the types of cyber attacks (and the potential fallout), the more likely they are to identify a threat.
Who needs cyber liability insurance?
Any business that handles or stores sensitive information online should prioritize cyber security.
Sensitive information can include:
- Contact information (phone, email, address)
- Personal identification (SSN or SIN)
- Health records
- Credit card information
- Banking information
- Driver’s license
- Intellectual property
When considering cyber liability insurance, remember that your business may be held liable for a third-party vendor’s data breach. To avoid this, many businesses require their third-party vendors to carry sufficient cyber liability insurance and explicitly state in the contract that they will not be liable if a cyber event occurs.
Cyber liability statistics to know in 2020
According to Verizon’s 2020 Data Breach Investigation Report:
- 70% of breaches were perpetrated by external actors
- 22% of breaches were caused by human error
- 28% of breaches involved small business victims
- 58% of victims have had personal data compromised
- 43% of breaches were attacks on web applications (more than double the previous year)
- 37% of breaches stole or used credentials
- 86% of breaches were financially motivated
Cyber liability testing
Risk assessment and testing can be incredibly eye-opening for businesses on the fence about purchasing cyber liability insurance. System testing can flush out potential weak points and vulnerabilities in your infrastructure and inform your priorities for insurance coverage.
A thorough risk assessment can expose the potential fallout from a cyber attack, including:
- Length of time before an attack is detected
- Cost to replace damaged hardware/software
- Business interruption costs
- Implications to customers
- Legal implications
According to Forbes, 2020 cyber liability trends favour comprehensive scenario-based testing over data assumptions. Not sure how to execute a risk assessment? You can hire a cyber security company to conduct the assessment for you. An assessment could include:
- Social engineering testing – tests internal processes for identifying phishing schemes; evaluates awareness and resiliency of your internal team
- App and mobile security testing – tests applications you create and those you use for weak points
- Cloud/network hacking – tests how easy it is to get into the system
- Hardware and internet of things (IoT) testing – tests the collection of devices (IoT) that can connect to each other (e.g. vehicle, smart watch, TV, laptop, etc.)
- Source code review – reviews your key software to identify weaknesses
Underscoring the importance of prevention and risk assessment, the Financial Post reported:
“Canadian companies are still overconfident in their abilities to successfully defend against cyber security attacks. Many are now realizing the need to implement a cyber resiliency plan in order to better prepare, defend and respond to incidents,” said Theo Van Wyk, Chief Technology Officer – Security at Scalar Decisions. “The rise in the percentage of successful breaches coincides with the shift in cyber security efforts from protection against attacks to improving detection of malicious attacks and responding to and recovering from incidents.”
When do I need cyber liability insurance coverage?
As the saying goes, the best time to plant a tree was yesterday. The same holds true for cyber liability insurance. Cyber liability insurance should be as commonplace as general liability. Without sufficient coverage, your business is exposed to potentially devastating fallout from a cyber attack.
“… Zogby Analytics survey of 1,008 small businesses with up to 500 employees, found that after suffering a data breach 10 percent went out of business, 25 percent had to file for bankruptcy and 37 percent experienced a financial loss.”
Any business that deals with sensitive information online needs coverage, regardless of how small the business may be. It’s better to be proactive than reactive.
Cyber liability insurance coverage plans & details
The primary goal of cyber liability insurance is to protect the business itself, but there is a larger scope. Depending on the type of cyber event, affected third-parties (like customers) may have to deal with:
- Identity theft
- Fraudulent account activity
- Impact to credit score
- Legal fees
- Exposed personal information
Cyber liability insurance plan types
First-party coverage typically covers costs associated with:
- Repairing damaged hardware/software
- Public relations response to mediate damaged reputation
- Notifying the affected parties (e.g. public notice, contacting clients, call center)
- Business interruption
- Incident investigations
- Credit monitoring services
- Recovering data
Third-party coverage typically covers costs associated with:
- Regulatory body fines/fees
- Breach of contract claims
- Legal action (negligence claims, settlement costs, etc.)
How much does cyber liability insurance cost?
There is no standard cyber liability insurance policy, so each provider may charge something different. According to a 2019 study, “the average cost of cyber liability insurance in the United States was $1,501 per year for $1 million in liability coverage, with a $10,000 deductible”.
A risk assessment and careful audit of potential vulnerabilities can help determine the ideal coverage for your business. Cyber liability cost factors can include:
- Coverage needs – the more data entrusted to your company, the higher your needs, and the more expensive the insurance
- Preventative measures – what security measures have you already taken to mitigate risk? Antivirus protection, password policies, limited employee access, etc.
- Industry – businesses that operate primarily online have an inherently higher risk. Similarly, you can expect to pay a higher premium if you collect highly sensitive data (e.g. financial or medical records)
- History – if your business has already experienced one or more cyber events, you may have to pay a higher premium than if your business had a clean record
Cyber liability insurance isn’t cheap but it is important. So when considering a policy, carefully consider the potential consequences of facing a cyber attack with insufficient coverage.
What’s NOT covered?
Like any insurance policy, cyber liability insurance has exclusions. Coverage can vary by provider, but common exclusions are:
- Bodily injury or property damage (typically covered by general liability insurance)
- Property loss (typically covered by commercial property insurance)
- Criminal activity such as theft or fraud (typically covered by commercial crime insurance)
- Social engineering/manipulating someone into transferring funds (typically excluded or a separate policy)
Cyber liability insurance carriers leading the industry
AXA XL provides cyber liability insurance to businesses around the world for industries ranging from livestock to aerospace to entertainment and leisure. They offer personalized risk consulting services to help businesses identify system vulnerabilities, evaluate resiliency, and forecast the economic impact to your business caused by a cyber event.
In addition to risk consulting, AXA XL lists coverage for:
- Technology Products and Services
- Professional Services
- Privacy and Security Liability
- Data Breach Response and Crisis Management
- Privacy Regulatory Defense Costs and coverage for any fines and penalties assessed
- Business Interruption and Extra Expense
- Data Recovery
- Cyber Extortion and Ransomware
- Available Enhancements
- Social Engineering
- System Failure
- Dependent Business Interruption
Chubb is a cyber liability insurance carrier that offers a suite of cyber risk solutions for businesses of all sizes, with no minimum premiums. Your premium scales based on your needs. Most policies are eligible for a minimum of $10 million of coverage, up to a maximum of $100 million.
Chubb’s services include loss mitigation, incident response, partner networking with other cyber experts, and a 24/7 incident reporting mobile application.
Co-operators offers a cyber liability insurance called “Privacy Breach Coverage”. This is an add-on to a general business insurance policy and covers liability and expenses.
Liability coverage ranges from $100,000 to $1,000,000, with no deductible. Privacy breach expense coverage ranges from $25,000 to $250,000, with no deductible. Co-operators also offers loss prevention and remediation services including:
- Breach counseling
- Crisis management
- Client notification assistance
- Remediation services
- Media relations support
- Legal support
American Insurance Group (AIG) offers cyber liability insurance as a stand-alone policy or endorsed onto a financial, property, or casualty policy. There are six coverage channels available, each offering a variety of features/services. The range of coverage includes:
- Third-party claims arising out of or alleging financial loss as a result of, failure of the insured’s network security or a failure to protect confidential information
- Investigation and defense of regulatory actions arising out of a failure of the insured’s network security or a failure to protect confidential information, including coverage for such fines and penalties if allowable by law
- PCI-DSS (Payment Card Industry Data Security Standard) assessments for the failure to protect payment card data
- Costs of notifications, public relations, and other services to assist in managing and mitigating a cyber incident; legal consulting and identity monitoring costs for victims of a breach are included
- Forensic investigation costs due to a covered cyber event
- Costs to restore electronic data from duplicates or, if not possible, costs to research, gather and assemble electronic data due to a covered cyber event
- Responds to a material interruption of an insured’s business operations providing for business interruption and certain expenses due to a covered cyber event
- Reimbursement of ransom payments incurred in terminating a covered cyber event
- Business income loss resulting from physical damage to property due to a covered
- Loss associated with first-party property damage due to a covered cyber event
- Third-party claims alleging bodily injury or third party property damage caused by a security failure or privacy event
- Third-party claims alleging bodily injury and third party property damage caused by a breach of a computer system that is part of an insured’s product
Travelers offers a suite of cyber liability solutions:
- CyberRisk – customized coverage for any size business, based on business needs
- CyberFirst – created specifically for companies within the tech industry
- CyberFirst – created specifically for public entities (municipalities, counties, utilities, transit authorities, etc.)
- CyberFirst Essentials – created specifically for small businesses
Travelers also offers pre- and post-breach services to customers (at no additional cost) to assist in education and risk management.
AmTrust Financial specializes in insurance for small businesses. With a maximum policy coverage of $1,000,000, the AmTrust cyber liability insurance policy includes first and third-party coverage.
First-party coverage includes coverage for privacy breach response services, cyber extortion, data protection, and business interruption. Additional post-breach services are also included in the policy:
- Notification services for up to 100,000 affected individuals
- Call center services for 90 days after an incident (or longer if required by law)
- Public relations and crisis management expenses
- Initial breach investigation and consulting for legal and computer forensic services
- Discretionary notice coverage to notify individuals potentially affected by the breach
Remember these 5 key points about cyber liability insurance
- Cyber attacks affect businesses of all sizes, in all industries.
- Cyber liability insurance is NOT typically included in general liability insurance and must be purchased separately or as an add-on.
- There is no one standard cyber liability insurance policy; a cyber risk assessment can help inform what your business needs.
- The cost of facing a cyber event without liability insurance is likely far greater than the cost of a policy.
- Cyber attack techniques are constantly evolving, so keep up to date and regularly review your policy.
Make sure your website is secure
Whether you’re handling health information, accepting payments, or simply have an email sign up for a blog, you need a secure website that will safeguard information from cyber threats.
You’ve probably noticed that most website addresses nowadays begin with HTTPS in the URL bar. HTTP stands for Hypertext Transfer Protocol, the protocol used to transfer information between your browser and a website. The “S” in HTTPS stands for “Secure”: the site has an SSL certificate (the current version of the technology is called TLS), and your information is transferred through a secure, encrypted channel on the web.
This is just one of many ways you can protect your website. Choose your tech stack wisely, have a company-wide password policy with frequent updates, educate your team, etc. Take the security of your website seriously.
Build a secure website with Tiller
We only build secure websites at Tiller. Why?
- Secure websites protect both your business’ and your customers’ information on your website.
- Secure websites get better conversions. Google Chrome uses a pop-up to highlight websites that are not secure and warn visitors that their information will not be protected.
- Secure websites rank better. Google prefers secure websites and will rank HTTPS sites more favourably than HTTP.
If you need a secure, reliable, revenue-driving website for your business, give us a call.