I find that most business owners are in one of three categories when it comes to cyber security insurance:
- You haven’t purchased the insurance yet because you don’t know if you need it, and you don’t know if you can afford it
- One or more of your key customers required you to obtain a cyber insurance policy, but you aren’t clear on what it covers and how much you are paying for it
- You purchased it based on the advice from a peer or trusted advisor such as an insurance agent and you are still concerned that you don’t have the right coverage or enough coverage
I believe that almost all modern businesses need some type of cyber security insurance. In this article I will clarify the need for cyber security insurance, explain the types of cyber security coverage, and give you some best practices for managing your costs and risks.
In the good ol’ days, a marauder would have thrown a brick through the front window of your liquor store and stolen all the money from your cash register drawer or even worse… taken your best bottle of whiskey. But in a digital world, the marauders come through whatever Wi-Fi network you are connected to and take your data or trade secrets. They may demand a ransom from you to get your data back or simply sell it to the highest bidder. The only good news is that they can’t get to your best bottle of whiskey.
The problem becomes more complex as the stolen data most likely belongs to other people and customers with whom you do business. As such, you are morally, ethically, and in some cases, legally obligated to disclose the incident and may be liable for the damages and consequences.
The following are just some of the risks and costs you may encounter after your data is stolen:
- The person or group that stole the data may demand a ransom to get your data back. Like all great thieves, they most likely know the value of your data and what you can afford to pay to get it back. The cost of a ransom can be in the thousands of dollars, and you will most likely be negotiating with terrorists hoping that your data will be safely returned after making the payment.
- You will need the help of a security expert such as BlueArmor to understand how the thieves broke in, what they stole, what your options are, and how to prevent them from doing it again.
- You may lose significant revenue while you attempt to become fully operational again.
- You will need to notify all the people and entities affected by the incident.
- One or multiple lawsuits may be brought against you, or you may be subject to one or more penalties and fines by government institutions.
Cyber security insurance coverage is designed to reduce the expenses associated with these risks. As a relatively new type of insurance, the available providers, types of coverages, and premiums can vary considerably. Depending on the insurance provider, the coverages can be either added to an existing business liability policy or sold as an individual policy. Like auto insurance, you can choose coverage for the damage you do to other people called Third Party insurance and the damage you do to yourself called First Party insurance. There is also a third and less common type of cyber security insurance called Technology Errors and Omissions that is obtained by those businesses that provide technology services or manufacture technology products.
Obtaining cyber security insurance isn’t as simple as getting an insurance policy for your new jet ski. You’ll want a business insurance agent that represents one or more of the leading insurance providers, insists on working with a cyber security specialist like BlueArmor to understand your requirements, and actively monitors your renewal on an annual basis. At BlueArmor, we work with a handful of highly skilled cyber insurance agents that we are happy to refer to you.
Regardless of your insurance coverage, your goal should be to avoid an incident. Aside from the disruption in your business and the recovery costs, a data loss incident will most likely increase your cyber security insurance premium or, worse yet, damage your reputation amongst your customers and partners. Thus, I urge my clients at the very least to implement the essentials of a cyber security system including:
- A Firewall – Software or hardware device that only allows essential communications to take place inside and outside your network. A firewall significantly reduces a cybercriminal’s ability to access the computers within your private network.
- A VPN (virtual private network) and/or SASE (secure access service edge) solution – A combination of software and hardware that blocks cyber criminals from easily seeing communications between your computers and other software resources on both public and private networks.
- Multi-Factor Authentication – A fancy term describing the use of three or more pieces of information to access a software application (e.g., username, password, and access code that is sent to you via text).
- Desktop Malware Detection and Protection – Software that is installed on your computers and mobile devices that is designed to block intrusions and hidden installations of malicious software.
- Employee Training – Training your staff to be aware of the most common methods cyber criminals use to attack your network, such as an unassuming call asking for their password, a click of the mouse on an email attachment that appears to be an unpaid invoice, or a visit to a web site that doesn’t have the “little lock” icon on the left side of the browser search bar.
Having the essentials of a cyber security program significantly reduces your risk of a cyber-attack and potentially the premiums you pay for cyber security insurance. Some insurance companies may even require some or all of the above protections to be in place to issue a policy and provide coverage.
Hopefully I have clarified the need for cyber security insurance, the options available, and best practices to avoid an incident. If you have additional cyber security questions or concerns, please contact me for a free risk assessment.
