Owners of small to midsized businesses are increasingly worried about their exposure to cyber risks, including data breaches, and are turning to insurance protection in greater numbers.
While that’s advisable, brokers and attorneys say the details are important, because cyber-risk insurance is evolving and carries many exclusions.
Oftentimes, business owners may think they’re covered, but some policies have exclusions that exempt business-interruption costs, said attorney Steven M. Richard, a partner at Nixon Peabody LLP in Providence.
So, if a hacker literally shuts down their business, those costs wouldn’t be recouped.
Business leaders have to determine what they need to protect, what internal resources they have to respond to a breach and then determine what they need to fill the gap.
That more businesses are responding with concrete plans, backed by insurance, is not surprising, given the adoption in 2015 of a Rhode Island law on identity-theft protection, which essentially requires all individuals and businesses that hold nonpublic, personal information to have a plan for protecting it.
That personal information ranges from driver’s license numbers to account or credit card numbers and medical or health information.
In the event of a security breach, the record holders are required to inform residents within 45 days. If more than 500 people are required to be notified, the business or entity has to tell the state attorney general’s office and notify credit reporting agencies.
All of those notification requirements can be costly, say attorneys. Cybersecurity insurance can cover those expenses and the costs of specialists who may need to be brought in to determine the scope and source of the breach.
For business owners, all of those risks should be weighed against the resources or budget they have for insurance.
“You want to be able to have coverage against as many out-of-pocket losses as possible. But also, coverage against potential third-party losses and suits,” Richard said.
In Rhode Island, cyber insurance can be purchased two ways – in moderate coverage through a business owner’s general-liability policy, and in more-advanced form through a standalone policy.
Over the past year, David Andrade, president of Carey, Richmond & Viking Insurance, in Middletown, estimates that he’s had 10-20 percent more people discussing their options with him.
Not all will purchase a policy, but the issue is getting much more discussion and review.
The marketplace has a variety of products. Each policy has exclusions and each one has different coverages.
“Are they all very similar? The answer is no,” Andrade said. “They have certain core coverages that you see in almost all of these policies. But every insurance company’s policy form reads a little different than anyone else’s. Our job is to go to the various companies that sell the product, and help our clients find a product that provides appropriate coverages.”
Most of them have basic coverage for notification and credit-monitoring services, and liability for losses incurred by either the business or third parties. For businesses that want more than minimum coverage, standalone policies can have liability coverage up to the multiple millions of dollars.
Is a data breach potentially that expensive? Attorneys say yes, depending on the type of industry and business.
If the personal information that is kept by a business is for people in multiple states, the laws in those states may also have to be complied with, warns Richard.
And while much of the national media attention has focused on large data breaches, it’s the small and medium-sized businesses that often are most at risk for cybersecurity crimes. “Because they may not have the resources to put in place all of the necessary precautionary steps,” Richard said. “But also, the post-incident responses can be very expensive.”
Andrade said increasingly, businesses are seeking out comprehensive insurance policies because their clients want to know what kind of security they have, and what kind of cyber insurance they have in the event of a data breach.
It’s compelling many businesses to seek out those coverages.
“Let’s say I’m a 1,000-employee group. And I’m going to buy health insurance from company XYZ,” Richard said. “All of my employees’ information is now going to be in this health insurance company’s information systems. As a good employer, I’m going to that health insurance company and I’m going to say, ‘What are your protocols for protecting nonpublic personal information?’ And two, ‘What kind of cyber insurance do you have in place if there is a security breach, and what is your action plan in the event there is a breach?’ ”
Mary MacDonald is a staff writer for the PBN. Contact her at Macdonald@PBN.com.