Twenty years ago, no one had heard of cyber insurance, and a hacker was someone with a cough. As recently as 10 years ago, many people still did not know how exposed they were to clandestine attacks on their data.
Today, however, just about every business owner knows that their data is at risk and that the cost of a breach can be monumental. Data breaches occur every day, and not only to large companies like Yahoo, eBay Inc., JP Morgan, Chase and Home Depot Inc. Every company is at risk—big or small. Small Business Trends magazine estimates that 43 percent of cyberattacks focus on small businesses (those with 100 employees or fewer) and that 60 percent of small businesses close their doors within six months of a cyberattack. These are unsettling statistics, to say the least.
Unfortunately, the “It won’t happen to me” attitude is still prevalent, and many businesses, especially small ones, are not allocating any funds for prevention. The good news is that insurance is available, under which coverage is fairly broad, and costs are reasonable.
What Does It Cover?
The term “cyber” implies coverage for incidents that involve electronic hacking or online activities, when in fact, this product is much broader, covering private data and communications in many different formats (paper, digital files, etc.). While all cyber policies are different, a well-constructed policy will include a number of first- and third-party coverages. Ideally, your company’s policy would provide protection for:
- Privacy liability or security breach expenses—Privacy liability coverage should include the unauthorized release of personally identifiable information (PII) and protected health information (PHI), as well as corporate confidential information and programming errors that result in the disclosure of PII. Covered expenses include costs incurred to notify others that their personal information has been compromised, including overtime salaries paid to employees dealing with the issue; hiring a company to operate a call center; post-event credit monitoring services; and other reasonable expenses.
- Security breach response coverage expenses (public relations expenses)—This is a first-party coverage that reimburses costs incurred in the event of a security breach of personal, nonpublic information pertaining to customers or employees. It might include the hiring of a public relations consultant to help avert or mitigate damage to the insured’s brand. It could also include costs, such as information technology (IT) forensics, customer notifications and first-party legal expenses to determine the insured’s obligations under applicable privacy regulations.
- Security liability insurance—This policy specification provides coverage for the inability of an authorized third party to gain access to the insured’s computer systems; the failure to prevent unauthorized access to or use of a computer system and/or false communications, such as phishing (email hacking) that result in corruption, deletion or damage of electronic data, theft of data and denial of service; attacks against websites or computer systems of a third party; and liability associated with the insured’s failure to prevent transmission of malicious code from the company computer system to a third party’s computer system.
- Privacy regulatory expenses—In the event that a regulatory claim alleging a privacy breach or a violation of a federal, state, local or foreign statute/regulation with respect to privacy is made against you, this extends coverage for both legal defense costs and the resulting fines or penalties emanating from their aid.
- Multimedia liability—Under this provision, there is coverage for costs related to allegations that include defamation, libel, slander, emotional distress, invasion of the right to privacy, copyright and other forms of intellectual property infringement (patents excluded) in the course of your company’s communication of media content in electronic or nonelectronic forms.
- Cyber extortion and ransom—To avert potential damage threatened against the insured, such as the introduction of malicious code, system interruption, data corruption or destruction/dissemination of personal or confidential corporate information, the extortion and ransom coverage protects you from payments to a “bad guy.”
- Business income loss and digital asset restoration—A security compromise that leads to the failure or disruption of a computer system or an authorized third party’s inability to access a computer system may cause lost earnings and extra expenses for both the third party and you. Often, this is one of the most significant costs, along with costs to restore or recreate digital (not hardware) assets to their pre-loss state. All of these expenses are covered under this portion of the policy.
- Website publishing liability—Nearly everyone has a website these days. This coverage protects you from liability arising out of information posted on your website, which might include actual or alleged misstatements; infringement of another’s copyright, trademark, etc.; or violation of a person’s right to privacy.
- PCI-DSS assessment exposures—The Payment Card Industry Data Security Standard (PCI-DSS) was established in 2006 through a collaboration of the major credit card brands as a means of bringing standardized security best practices for the secure processing of credit card transactions. Merchants and service providers must adhere to certain goals and requirements in order to be PCI-compliant, and under specific agreements, may subject the insured to an assessment for breach of such terms. This aspect of the policy covers any unfortunate missteps in this area on the part of your company.
- Cyber deception or social engineering—The intentional misleading of the insured by means of a dishonest misrepresentation of a material fact contained or conveyed within an electronic or telephonic
communication and that is relied upon by the insured believing it to be genuine (spear phishing) can cost you, but this policy detail covers those expenses. - Computer fraud and funds transfer fraud—Both of these coverages pertain to theft of your assets by manipulation of your computer system or the computer system of your bank. These should be included as part of a comprehensive crime program; accordingly, they cannot be discussed in detail here. Be sure to ask your insurer about the proper steps to take.
One advantage of a cyber insurance product is the help line they provide. Most businesses that are hacked have never been hacked before, and the ability to speak with a consultant or attorney who specializes in data breach events is hugely beneficial. Additionally, the cost of cyber insurance is fairly modest. While prices vary depending on the type of business, most small businesses can expect to pay from $3,000 to $6,000 per year for $1 million of coverage. Rates for medium- and large-size businesses will be higher but are still quite reasonable based on the exposure.
Data breaches, privacy violations and other hacker-generated losses are not going away. Cyber thieves are getting more sophisticated, and every business is exposed. At a minimum, your company should complete a cyber insurance application and obtain a quote. Even if you elect not to buy the coverage, completing the application will provide insight on how you can manage the exposure.
The Cost of a Breach
The cost of a data breach for any company can be expensive. A 2017 Ponemon Institute and IBM Security study found that the average cost per compromised record in the United States was $225. Depending on the number of records breached, costs can run from the tens of thousands to $1 million or more.
The costs continue to add up after a breach, from investigations and legal fees to remediation, averaging $1.56 million in the U.S. Once a breach occurs, companies still have a 1 in 4 chance of suffering another breach within 2 years. Some companies might consider taking out cyber insurance to defray any costs associated with a breach.
Getting cybersecurity right at construction companies requires a cultural shift. The good news is that many constructions companies already have the template in place to make this shift—their safety programs. The same approach should be used to facilitate cyber awareness and best practices across your organization. With executive leadership mandating security awareness and training, the industry can make tremendous progress in addressing this growing problem.
Source: “What You Can Do to Improve Your Company’s Cybersecurity” by Shane Brown, constructionbusinessowner.com