March 6, 2019
Tips for SMBs Buying Cyber Insurance
by Keith Moore
Bad news: Commercial general liability coverage no longer has sufficient cyber coverage. Good news: Cyber policy costs have plunged.
Cybersecurity remains top of mind for business owners as breaches continue and cyber criminals become more proficient at hacking into sensitive information. Couple that with increasing regulations, like GDPR, which put the onus on companies to protect consumer information, and businesses of all sizes are paying closer attention. In 2018, 30% of commercial insurance shoppers added a cyber insurance policy, compared with just 12% in 2017.
According to a recent Cyber Trends report issued by CyberPolicy, contractual requirements from large corporations to third-party vendors and compliance requirements such as HIPAA, PCI and DCI are leading SMBs to shop for $1 million to $5 million coverage limits to satisfy these obligations. Many SMBs looking to do business with large corporations will find that vendor contracts now require cybersecurity planning and insurance, which the corporations use to further protect themselves in the event that partner data is compromised.
For SMBs comparing different policies, here are a few tips:
- Commercial general liability (CGL) coverage is no longer enough, as it typically has insufficient cyber coverage.
- Business owners should look at the policy coverage with respect to data protection and privacy risks, both for third-party claims and first-party mitigation costs. Cyber insurance policies vary quite a bit, with no real standard in the industry. Policies usually include some combination of first-party and third-party coverages. A business owner who is unsure about which is more important should consult with a cyber insurance expert.
- Coverage needs to provide protection for cyber extortion threats and other breach-related liabilities, including regulatory penalties, GDPR and merchant services agreements.
- Renewing coverage during the contract period is critical, as most cyber coverage is written as “claims made” coverage and will only cover claims made during the policy period.
- Proper preventative measures should be embedded in operations for every company, with cyber insurance as the backup. The measures should cover how sensitive data is handled, encryption, password management and controlling access to information. Some policies will have resources for the business owners to help manage this process, something to consider when speaking with a cyber insurance expert.
- Both parties should consider documenting specific preventative measures in a contract. This ensures that everyone is in alignment and understands the expectations for risk avoidance.
- Often, certificates of insurance are all that is required as documentation in the contract. Consider including a full copy of your cyber insurance policy with the contract to prevent misunderstandings should a breach occur.
The good news for SMBs is that cyber insurance policies have become more affordable. In April 2017, the average monthly premium cost for a $1 million cyber insurance policy was $270. By June 2018, the cost had dropped to $77.
As with most business operations, owners should always consult with their insurance representative when selecting cyber insurance. With any new policy, business owners should take the time to understand exactly what is covered under their insurance, how to manage their business operations to mitigate any security risks and what steps to take in the event of a breach.