Little Known Tips about Negotiating Cyber Risk Coverage

I recently came across an excellent article that provides insight on little-known tips that a business owner would want to know when negotiating Cyber Risk coverage. Very few insurance agents who specialize in business insurance have the necessary experience to advise clients on the proper coverage forms to purchase and on potential coverage pitfalls that should be avoided. To achieve the best outcome for a client, almost any Cyber Risk policy form should be specifically negotiated. The highlights of the article follow:

  • Business Interruption (AKA Business Income) coverage is tempting, but may not be a good deal. Business Interruption insurance pays for lost profits in addition to continuing operating expenses and other extra expenses during the period of restoration to recover from a covered shutdown. However, since most shutdowns and network disruptions are quickly fixed, business interruption coverage will usually not come into play due to the lengthy waiting period before coverage attaches.
  • Make sure that you purchase an adequate limit of liability since data breaches can be very expensive due to the average cost per compromised file as well as statutory fines. Additional limits in increments of $1 million are normally very inexpensive; however, the average expense of a compromised client is $194 per electronic record and some states have statutory fines of $1000 in damages for each claimant. Therefore, it does not take that many compromised client files to reach multiple millions of dollars in damages.
  • Beware inadequate sublimits for regulatory investigations, notification costs, and other crisis management expenses.
  • Most Cyber Liability policies are written on a claims-made basis with a retroactive date that is set to the first policy inception date. As a result, any unknown but prior data breaches would not be covered under such a policy form. Because it can take some time to learn about data breaches, it is advisable to request a prior retroactive date, which may be obtained from many carriers for a small additional charge.
  • Beware the breach of contract exclusion. This exclusion can come into play when a data breach exposes the confidential information of a customer, patient, or business partner and a contract required the insured to protect the confidentiality of that information. Many carriers are willing to modify the breach of contract exclusion to address these situations.
  • Many Cyber Risk policies require that the experts hired in the event of a data breach or other triggering incident, whether IT professionals or attorneys, be on a list approved by the insurance carrier. This can become a problem if the insured wants to use their own IT professional or attorney. The time to make sure that such IT professional or attorney is on the approved list is prior to the binding of coverage.
  • Check to see if the policy includes a provision requiring prior consent before the insured incurs any immediate or rush expenses in response to a coverage-triggering event. Some carriers will deny such expenses if they were not approved in advance. It may be prudent to insert a provision that such approval may not be unreasonably withheld.
  • Beware policies with an allocation of defense costs provision, under which defense costs are divided between the covered and non-covered portions of the damages. The better policy forms will pay 100% of defense costs even if only a small part of the damages or causes of action are covered.
  • Some Cyber Risk policies don’t pay for damages to the extent that the negligence or errors and omissions were due to that of an outsourced third-party vendor. It should be clarified that coverage for the vicarious liability of the insured does exist for claims that arise out of the errors & omissions of vendors, consultants, and subcontractors.
  • Some Cyber Risk policies specify that the deductible or self-insured retention can only be satisfied by out-of-pocket expenses paid by the insured. However, whenever a responsible vendor pays for such expenses due to the triggering of an indemnification provision, the insured should be given credit to the extent that such vendor makes payment. In other words, the Cyber Risk policy should dovetail with any indemnification provisions to satisfy the deductible or self-insured retention requirements.
  • Attempt to negotiate a partial waiver of subrogation provision to take the place of any regular waiver of subrogation provision. Problems can arise if the Cyber Risk insurer pays a loss and then subrogates against any third parties who are responsible for causing the data breach. For example, a vendor may be responsible for the data breach, but the insured's written contract with such vendor may include a limitation of liabilities provision in favor of the vendor. The Cyber Risk carrier may consider such a provision to jeopardize its subrogation rights. The solution is to make sure that the policy provision allows for the insured to waive subrogation rights prior to a loss.

 Source: How to Negotiate Cyber Insurance; Rene L. Siemens and David Beck; attorneys; Pillsbury Winthrop Shaw Pittman, LLP; Insurance Law Community; LEXIS-NEXIS communities


60% Of Small Businesses Fail After Data Breach

Need any more incentive to purchase Cyber Risk insurance? Here are some eye-opening statistics presented by the US House Small Business Subcommittee on Health and Technology:

  • 75% of small businesses believe that they are safe from hackers.
  • 20% of all cyber attacks hit businesses with fewer than 250 employees.
  • 60% of small businesses will shut down after a cyber attack.
  • The average cost of a data breach is $6.75M at an average of $214 per compromised customer.

The cost of small business failure due to cyber attack is not just measured in terms of losses to the local economy (revenues and jobs), but also includes the costs associated with the theft of trade secrets and intellectual property.

Cyber Risk insurance is becoming increasingly inexpensive each year. In the past, it could only be purchased on a standalone basis at a cost of around $2,500; however, it can now often be added to an existing Business Owners Policy by endorsement for around $500. Also, more online Cyber Liability vendors are popping up with highly discounted offerings.

Source: Small Business 2013/03/21 Small Businesses Don’t Recover From Cyber Crime


Insurance Policies Don’t Cover Employee Theft of Trade Secrets!

Every year U.S. companies lose billions of dollars due to the loss of client lists, source code, or the recipe for the company’s “secret formula”. Insurance does not cover the loss of intellectual property, leaving businesses paying for the loss themselves.

With extreme background checks and rigorous employee hiring processes, it is hard to think of a trusted cohort as a thief. But this tends to be the case. Most intellectual data is stolen by employees. This type of theft tends to rise right before an employee is about to leave a company. Robert Hamilton, director of product marketing at Symantec, put it this way: “People take information because they feel they have an ownership stake in it. They helped create the data, and therefore they think it’s theirs”. This type of intellectual theft happens across all industries: computer programmers take code, salespeople take clientele lists, and customer service reps take accounts and company procedures.

One reason for the rise in intellectual property theft is the ease with which employees can take and store company information. With access to company files from remote locations and a lack of security protocols, it is easier than ever for employees to take company data. Small, easy-to-remove storage devices capable of holding massive amounts of data also make it hard to track when someone has taken sensitive information.

Prevent Theft
First, identify which trade secrets or other types of intellectual property your company has that are crucial to your success. One way to determine your most important information is to ask yourself what would devastate your company if your competitors used or knew it. Now that you know what intellectual information you need to protect, you can take action to keep it safe.

Cyber Risk Insurance and Crime Insurance
Companies can purchase Cyber Insurance to help with any cost of notifying customers of a data breach and civil liabilities.  Unfortunately, this type of coverage does not cover any lost profit or lost clientele due to theft from an employee. In addition, crime policies typically cover employee theft of tangible assets, but not intangible assets such as trade secrets or intellectual property. 

Source: Business Insurance, Guarding Intellectual Property, March 25, 2013


Are You Covered If Your Customers’ Info Gets into the Wrong Hands?

If your company collects any type of personally identifiable information or personal health information such as:

  • name
  • address
  • date of birth
  • social security number
  • credit card information
  • banking information
  • medical records

and you are not currently purchasing data breach insurance, then you are jeopardizing your business’s future. A data breach can be financially devastating and is happening to more businesses every year. It does not matter how large or small your company is, as a data breach can happen to any business. Unfortunately, your General Liability, Commercial Property, or Commercial Crime policies do not provide adequate coverage to protect your business.

Hacked

A data breach is the unintentional release of your customers’ private information, which is then distributed or used by an unauthorized individual. A breach of your company’s database can happen in many different ways. We normally think of a data breach as caused by a computer hacker, but data can be leaked from incorrect delivery or disposal of paper files, theft or loss of a laptop or smartphone, or illegal access to your customer database by a former employee.

Due to the fact that this type of incident is happening more and more often, a stand-alone insurance policy has been created to help business owners survive a data breach. Having a data breach happen in your company is not cheap. Companies that have experienced a breach may incur civil liabilities, governmental fines, data restoration expenses, notification expenses, and credit monitoring expenses.

This new E-Commerce or cyber insurance covers a wide range of risks all businesses face daily on the internet:

1.     Website Media Liability – Covers errors or misleading statements posted on a website that may infringe on another’s copyright, trademark, or service mark; libel; and invasion of privacy.

2.     Security Breach – Covers the costs associated with a data breach. Some of those costs are:

  • Alert affected customers of the breach
  • Perform a criminal examination to determine the data accessed
  • Launch a call center to handle customers’ breach-related questions
  • Implement credit monitoring services for affected customers
  • Employ a public relations firm to help restore your company’s brand and business reputation
  • Pay charges estimated by governmental agencies.

3.     Programming Errors and Omissions – Covers your business if a computer system transmits a virus to your customers, as well as negligence if performing tech services for others.

4.     Repair Electronic Data – Covers the cost to replace any data or computer programs damaged by a virus or virtual attack.

5.     Lost Business Income – Covers any income that is lost due to your website or other computer systems being down.

If you do not have data breach coverage added to your commercial business policy, then you could be setting yourself up for financial ruin! Keeping your customers’ private information confidential should be a number one concern. Make sure that your business is protected too! Don’t be one of the thousands of businesses being hacked each year with no protection. Learn more about Cyber Insurance by calling Sadler Insurance at 800-622-7370.

Source: ISO Products Perspective, An Agent’s Primer For Data Breaches, by Shawn E. Dougherty.


SC Department of Revenue Hacking: A Second Look

Since SC Taxpayers’ information has been hacked by criminals, what can businesses do to protect themselves from hackers?  While most organizations have network security with firewalls, firewalls may no longer be enough. It is easy enough for an experienced hacker to break through a firewall. More security can help, as well as knowing who is vulnerable to hacking and how the hackers operate.

If you are hacked, timing is critical. The sooner you discover that you may have been hacked, the better. The SC incident points out that the delay between the actual hacking and the notification was due in part to SC’s inability to discover the hacking itself; the Secret Service made the discovery.

What can you do to beef up your security to protect against these crimes?

First, businesses need to be scrupulous about monitoring their internet security, remembering that compliance is NOT synonymous with actual security. Being in compliance with requirements for security measures does not mean that you have any real security in place. Most organized crime hackers are ahead of companies. These criminals target business and government, both of which are vulnerable to being hacked, especially since the criminals make hacking into business and government their priority.

Second, all computer information needs to be closely monitored to keep the hackers from using employees (through emails, social networks, etc.) to access private information.

What to do? Some ways to protect your business are:

  • Improved security (internal and physical security: cloud servers, vendors, and the company’s own sites)
  • Planned defense measures in the event of a hack
  • Rapid detection (SC’s delay in discovery and notification was detrimental)
  • Careful monitoring (of employees and systems)
  • A security provider (hiring one is a good idea for small companies)

Spending money on beefing up security is worth the expense.  Having someone onsite who is in charge is imperative for protection from hackers.

While nothing in cyberspace is foolproof, taking certain measures to improve company security can make a difference in the constant battle to protect secure, sensitive information from hackers.

Of course, Cyber Risk Insurance is a critical part of the equation in protecting the governmental entity or private business against cyber crime.

Source: Protect Data from Lurkers and Hackers COLUMBIABUSINESSMONTHLY.COM, December 2012.


Massive Hacking of SC Department of Revenue Database

A foreign hacker stole confidential S.C. tax records of 4.25 million individuals and businesses. Anyone who filed a state tax return since 1998 is subject to theft of all information contained on their tax returns, including Social Security numbers, bank account numbers, and credit card numbers. Approximately 387,000 credit card numbers were stolen, of which 16,000 were unencrypted.

The state of South Carolina has responded with the following plan of action:

All tax return data is now being encrypted and they are considering not holding tax data for such a long period of time.

SC taxpayers and their children who were victims of the data breach will receive a year of free credit monitoring and up to $2M in insurance and free lifetime credit fraud resolution through Experian. The cost of a lifetime fraud resolution through Experian is $12 million. The annual cost of credit monitoring to the state of S.C. is $8.00 a person, or $28.8 million if all 3.6 million taxpayers affected sign up for the service.

After the one year of free credit monitoring expires, taxpayers may be able to renew at a cost of $160 to $240 per year.

Credit monitoring will not prevent ID theft but will alert taxpayers sooner if ID theft has occurred. Credit monitoring will inform taxpayers of newly opened accounts, credit inquiries, and bill delinquencies at all three of the major credit reporting agencies: Experian, Equifax, and TransUnion.

An IT consulting firm, Mandiant, has been hired at a cost of $125,000 to repair data-technology gaps and to install additional security measures.

The law firm, Nelson Mullins, has been hired to assess liability issues.

In the meantime, an attorney has filed a class action lawsuit on behalf of all affected taxpayers asking for $1000 per taxpayer, alleging negligence in failing to timely notify taxpayers of the breach and in failing to secure the confidential data.

Apparently, like many states, the SC Department of Revenue did not encrypt the confidential information. According to sources, the hacker “got into the conversation” on the communication system used by revenue department officers across the state and was able to obtain a user name and password. The data breach occurred in September but was not reported for some time as the department attempted to catch the crook and close the security breach.

Just another example of why business and governmental entities should carry Cyber Liability insurance.

Source: The State newspaper, Columbia, South Carolina, October 31 and November 3, 2012
