In the 2018 calendar year, there were more than 570 security breaches that compromised the identities of over 415 million employees and consumers around the world. Nearly half of these breaches were experienced by businesses, and while most of the news headlines we read tell us about large companies experiencing these breaches, the majority of them affect small businesses.
Along with general liability insurance, property insurance, and workers’ compensation insurance, cybersecurity insurance is becoming an increasingly critical form of insurance coverage now being considered vital for many businesses.
But, as a business owner, the question will invariably arise: “Does my insurance company have a say in my business’ IT or cyber security policy?”. In other words, can your existing insurance company require you to take specific cybersecurity measures in order to maintain coverage? Will your business insurance claim be denied if it is related to a cybersecurity attack and you didn’t have the right defense measures in place?
At Mission Critical Systems, we specialize in preparing businesses to deal with the inevitable threat of cybersecurity attacks. In this article, we’re focusing on the role of cybersecurity in an overall business insurance strategy, and we’re offering our perspective as a professional provider of outsourced cybersecurity services.
What Your Existing Policy Might Not Cover
Let’s look at what is covered by a typical general liability insurance plan for a typical business located in the United States.
Most off-the-shelf policies are going to protect your business from claims related to:
- Bodily injury
- Property damage
- Damage to property you’ve rented
- Other damage types not related to cyber attacks (depending on the policy)
Most general liability insurance plans are going to be included as part of an overall Business Owners Policy which may or may not include policy riders or addendums that call out coverage for cyberattacks that result in financial damages to your company.
Broadly speaking, most general liability insurance plans for small businesses are not going to include comprehensive coverage for cybersecurity-related damages. For businesses with this type of basic insurance, the underwriter is most likely not going to need to see any documentation of your IT security policy, nor are they going to require that you have such a policy in place in order to maintain your general liability insurance coverage.
This also means that should your business fall victim to a data breach, network hack, or other cybercrime, you’re not likely to have any recourse to recover the entirety of all incurred damages.
Cyber Insurance Policy Requirements
If you run a small business and you want to be sure you’re protected against potential cybersecurity attacks, you’re going to want to purchase cyber insurance coverage.
Most cyber insurance policies are going to include coverage for damages related to:
- First-party and third-party financial losses resulting from a data breach or cybersecurity attack
- Costs related to repairing damaged hardware and software
- Extortion money (or ransoms)
- Fines from regulatory bodies
- Negligence claims
For this coverage, most underwriters are going to require at least some IT security policy documentation. If you don’t have this, you might not be able to qualify for certain levels of coverage. If you run a business that stores, manages, or processes Personally Identifiable Information (PII), it’s going to be especially important to have up-to-date cybersecurity policies in place, with documentation you can readily supply to your insurance provider.
How to Prepare for Provider Demands
If you want to be sure you qualify for cyber insurance coverage, there are some steps you can take before requesting a quote from your insurance company:
- Communicate internally. Be sure to involve your legal, compliance, and IT personnel and make sure they know that this is a priority.
- Conduct an internal audit. Gather all information related to cybersecurity preparedness, ransomware protection, vendor management, and remote work procedures.
- Locate deficiencies and vulnerabilities. If you don’t know where your business might need enhanced cybersecurity defense measures, we can help.
- Obtain insurance provider questionnaires. To obtain cyber insurance coverage, most insurance providers will require that you complete detailed questionnaires related to your existing IT infrastructure and policies. Take a look at these beforehand to see what questions will need to be answered.
Don’t forget that bringing in the cybersecurity professionals at Mission Critical Systems is the single best way to ensure that your business is as prepared as possible for any cyberattack that might come your way.
For more information about how we can assist you, contact us today.