
November 04, 2019

Does Your Business Need Cybersecurity Insurance?

Could you run your business without technology? Probably not. From digital banking to inventory management to cloud storage, the internet is an indispensable business tool. And as more business functions move online, companies are putting themselves, their customers, vendors and partners at ever greater risk of cyberattack.

“Technology is like fire,” said Rocco Grillo, managing director of global cyberrisk services at consulting firm Alvarez & Marsal. “It's a wonderful tool, but you have to manage it. Fire keeps us warm and lets us make food. But if it gets out of control it can be destructive. That's how we need to think about technology.”

More than 77 percent of businesses reported some type of cyberattack in the last 12 months, according to International Data Corporation. Radware, a cybersecurity company, estimates that the average cyberattack costs businesses more than $1 million, including data recovery, lost revenue and third-party claims.

More alarming is this stat: Within six months of a cyberhack, 60 percent of small and mid-sized businesses fold, according to the National Cybersecurity Alliance.

How should business owners respond to this growing threat? Cybersecurity insurance is emerging as a way for them to mount a vigorous response and get back up and running.

What is Cybersecurity Insurance?

As the name suggests, cybersecurity insurance will cover the damage your business sustains in a cyberattack. These policies come as standalone offerings or as a rider to existing business insurance.

“The insurance is a great way for small and mid-size businesses to deal with a cyberattack,” said Judy Selby, a lawyer who helps businesses evaluate cybersecurity policies. “These companies often don't have the financial and technical resources to deal with a cyberevent.”

Coverage is typically broken out into first-party and third-party policies.

First-party coverage pays for the cost of recovery in your own business, including legal bills, forensics, data restoration, lost revenue and crisis management. In addition, this insurance can help you deal with a ransomware attack, which is a fast-growing type of breach.

“Companies may think they don't need cybersecurity insurance because they don't have customers' financial data,” said Grillo. “But if there's a business disruption like a ransomware attack, a business could be brought to its knees.”

Cybersecurity insurance policies typically also have provisions for third-party coverage, which covers external claims that may result from a cyberfraud attack. For instance, let's say you're a jeweler with a robust ecommerce site. Hackers might make away with your customers' credit card numbers and your suppliers' banking details. No doubt, these third parties will hold you responsible for any losses. Third-party cybersecurity insurance can pay their claims plus the cost of credit monitoring to ensure that no further financial harm comes to those entities.

The Right Coverage

Companies of all sizes and in every industry can fall victim to cyberattacks. Determining what kind of coverage you need depends on your risk exposure.

“There are no standard cyberpolicies on the market,” said Selby. “There are a lot of carriers writing different policies that have different terms.”

Because there's a lot of competition in the cybersecurity market, there's room for negotiation, both over price and policy terms. Pricing depends on your industry, your exposure and what type of data you're holding. Health data, for example, is more valuable than credit card data and commands a higher price on the dark web.

The key is to identify your own risks and then find a policy that will protect against those risks.

“Traditional commercial insurance coverage may provide some avenues for coverage in the event of a cyber incident,” Selby said. “But many insurers are vigorously fighting cyber-claims under non-cyber policies.”

Grillo recommended identifying your business's most critical assets, what he calls your "crown jewels." Then evaluate your risks — both known and unknown, which a cybersecurity lawyer, consultant or other professional can help you identify.

“You may not have sensitive data, but if your business is disrupted and you can't deliver to your end customer, it's going to impact your revenues and your reputation,” Grillo noted.

Some businesses may be vulnerable to regulatory risks. “You might get fined for misuse of data or not having proper consents for what you're doing with the data,” said Selby. “If you've got that kind of regulatory exposure, you'll want broader coverage.”

Do Your Part

Even with the best cybersecurity insurance, you've still got to do your part to prevent a cyberattack. Again, Grillo used the fire analogy: “Just because I have fire insurance on my house, it doesn't mean I shouldn't care if my house burns down.”

In fact, an insurer may not agree to underwrite your business if you don't have strong cybersecurity policies and practices in place.

“Insurers will likely want to ensure that a company has strong crisis management and disaster recovery plans and procedures in place before issuing a policy that provides coverage for business losses after a covered event,” said Selby.

In general, there is no substitute for practicing something Grillo calls "cyberhygiene."

“Every business needs to take the time and effort to look at cybersecurity holistically,” he said.

This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting. 
