Insured Against the Unknown: Navigating Cyber Liability for Businesses


So, this question comes up all the time in our insurance division: Will cyber liability insurance be required of your business? Do you have to buy it? And of course, if you ask us (we're an insurance company), it's like asking a dog if he's hungry. Of course, we think you should have it. But to get some third-party unbiased opinions on this, let's take a look at what some other resources or other opinions are where they come in on this.

First of all, you see on the screen that this is the Federal Trade Commission (FTC), protecting America's consumers. They have a bulletin article that came out about cyber insurance, and it talks about recovering from a cyber attack and how costly it is. Cyber insurance is an option that can protect your business against losses. Why would the FTC want to help businesses protect themselves? Well, because the damage from a cyber attack can trickle down to consumers.

What should your cyber insurance cover? Data breaches, things like cyber attacks on your data by vendors and third parties. It should also cover lawsuits and regulatory investigations. This is key because if your business is attacked by a hacker or a cybercriminal, they're likely going to get your consumer records and your consumer data, and they're going to sell that on the dark web. Once that happens, there will be some regulatory agency that will do an investigation of your business because consumers and your customers were harmed. More than likely, there's going to be some governmental intervention, and you want to have what's called the duty to defend, meaning that your insurance company is going to help you if there's litigation, if there's a lawsuit, or if there's an investigation that you need to defend against. You want to have some coverage for that because it can get expensive. Also, it provides an excess of other applicable insurance. We're going to get into this. You have insurance right now. You have general liability. You probably have crime insurance. You may have surety bonds, but there are many things about a cyber attack that may not be covered, whether it's the depth or the scope of them.

First-party coverage to look for: First-party coverage protects your data, including customer information. Typically, this includes your business costs related to legal counsel, recovery and replacement of stolen data, customer notification (they can't say that enough, can they? They've said it three times already), lost income, and business interruption. So, if you're out of business for a week, two, three, or a month and you can't collect revenue, you want to have coverage for that. And not all policies cover this, so make sure you read the one you're getting.

Crisis management, public relations, cyberextortion, and forensic services to investigate the breach. Look, even if you have coverage that pays for all your legal fees and undoes the damage, you want to know how it happened because if you don't fix the breach, it could happen again the next day. Here you go: fees, fines, and penalties related to the cyber incident. These are first-party. What about third parties? Third-party coverage protects you from liability if a third party brings a claim against you. Payments to consumers affected by the breach. Do you think that if your company is hacked and your customers' data is released on the dark web, your customers aren't going to be mad at you about it? They're not going to maybe look for recovery of damages from you? And that's going to have a cost of litigation, settlements, judgments, accounting costs, claims, and expenses related to disputes or lawsuits, defamation, and copyright infringement.

So, look, this is the FTC that protects consumers, suggesting to businesses that you want to have cyber coverage because they know that consumers are harmed. Let's take a look at another example. Here is a bill in the California Assembly. This was introduced back in 2020. It's still actually going through the legislative channels. The bill would require a contract that does business with the state that the contractor maintained cyber insurance. So, this is a requirement from the state of California that if you are a company that does business with California, you have to have cyber insurance. So, it's a requirement, and we're seeing this more and more with contracts, even private contracts, not with a government agency. If you're doing a contract with a big company, they're going to say, "Look, you need to have cyber insurance in order to be eligible for this contract." Government agencies may require it.

We'll look at a couple of other examples here from colleges. This is Tufts University. All contractors, vendors, and service providers coming onto university premises to do work or provide services are required to have insurance. What kind of insurance? Well, guess what? One of the things I know is that you have professional liability, umbrella, and cyber risk insurance. Not less than two million dollars per claim shall be maintained for the duration of the agreement. If a third party uses, stores, or accesses any information from the university, you have to have a two-million-dollar cyber policy. Is that an exception? No. Here is another requirement for cyber insurance and E&O insurance for contracts under a million dollars doing business with this company, and you have to have a cyber policy for lost disclosure and theft of data. You see their common element: they're worried about their customer data. In this case, it's the University of Nevada being hacked, and look, if you have a contractor or vendor connecting to your system, they're making you have cyber insurance. This is very, very common. Almost every contract now has this.

Here's a financial services company that does consulting and recommendations for businesses. "Why do I need cyber liability insurance again?" Remember, we're an insurance company, so this is biased. We believe these things. It doesn't make it true that we're biased, right? For businesses wondering when they need cyber insurance, the answer is now. Cyber attacks continue to grow. The average attack costs two hundred thousand; actually, right now, it's closer to four hundred thousand, but either way, even if it is two hundred thousand, that's still a lot of money. All businesses need cyber liability insurance. Again, you're asking a dog if he's hungry. We believe these things, but these are third-party opinions as well. Small businesses are often very cost-conscious, meaning that you want to pay your bills. I get it. They focus on their growing business; they can overlook critical risks and critical components.

What is cyber insurance? We know what this is: indemnification of legal fees, customer notifications. Here's the thing: none of these articles I've talked about most cyber insurance policies now, in addition to having what they cover, also have monitoring. It will monitor your network and your system every single day. So, if there is some kind of attack, they can catch it early. Most of these cyber attacks actually sit on your network for weeks or months before they actually strike, and if you catch them before then, you can actually undo the damage.

Why do criminals target small businesses? Small businesses are easy targets because they have less security in place than large companies. Look, if you're a criminal and you can make the same amount of money by breaking into IBM or Joe's Used Cars, who are you going to attack, right? You can still get 10,000 records from Joe's Used Cars that you can sell on the dark web, and you're certainly going to have less security at Joe's Used Cars. Cyber liability insurance augments and supports the efforts to recover, but it also prevents it in the first place in many cases. What are the losses you can have after a breach? Reputation: your customers, employees, and vendors are all going to look at you differently if you have a major crisis or drama. Your customer's financial data, productivity, and stolen funds—they can actually use this information to make you accidentally wire transfer money to the wrong place, and this happens quite a bit. Accounts payable gets hacked, and all your money goes somewhere else.

Last but not least, this may seem a little bit less on point than the FTC, but this is a good one. This is written by John Watkins for Thompson Hein LLP. This is important to see who this is first: The Firm Johnson LLP has a business litigation department, right? It's a law firm, and they do business litigation. They see these cases all the time come up in their lawsuits that cost businesses millions of dollars from a cyber hack, right? So, what this article talks about is the risks to all businesses. Cyberattacks are growing, and there are contractual requirements for cyber coverage. They're recommending to their clients that they put in contracts the requirement for the counterparty to have insurance. It can never be a substitute for preventative measures, but the cyber policy will probably include some preventative measures that the insurance company will take. Keep cyber insurance provisions specific, right? You can't just say in your contract that you have cyber insurance because there's no set definition of a cyber policy. They're all different; there's no one size that fits all. Every policy from every company is different, so you want to have very specific language. We saw this before: third-party and first-party coverage.

Make sure you're seeing what your policy covers and getting one that has the coverage that you want. Asking to see the policy, if you're a business, you may start to see some of your contracts require that you disclose your policy to the other party, right? Be realistic in your expectations; you don't want to sign a contract that says you have to have $25 in policy limits. Most companies get a two- to four-million-dollar policy, which is fine. Higher policy limits may simply be unavailable for small businesses. Not true; you can normally get two to four million in coverage and then get an umbrella policy that may ensure that.

What does John do? He does complex commercial litigation, so I'm guessing he is seeing some of these disputes come up. So, if you are a small or medium-sized business, take all this into account. According to the FTC and the State of California, many companies are requiring this coverage, and even if it's not required, it's probably a good thing to have in the long run. So, you know, you can reach us at riskcoverage.com, or you can contact your existing insurance broker to see what they have for offerings for cyber liability insurance because, in reality, you already have some other insurance anyway. You have general liability, fire insurance, and slip and fall coverage. The chances of those things happening right now are probably less than those of actually having a cyberattack. So, if you have a risk to your business that's greater than other risks that you already have insurance for, you probably want to think about getting some coverage for those risks so that you're not naked, uncovered, and unprotected against a type of damage that's more likely to happen than your building burning down.
