Cybersecurity insurance

Think of a task that takes 30 seconds to complete. Texting a friend. Making a cup of coffee. Drinking a glass of water.

In the amount of time it takes to do any of these minor tasks, a hacking attempt has been made — and more often than not, it’s been a successful one.

Verizon 2019 Data Breach Investigations Report found 43 percent of data breaches involved small business victims. According to an annual report from the FBI’s Internet Crime Complaint Center, or IC3, the top three targets of hacking attacks are health care, small-to-midsize businesses, and the government, respectively.

Within just the past few years, hacking attempts have rapidly increased.

For most companies, a threat of this nature can be a business-ending event. Cybersecurity insurance — also referred to as cyber risk insurance or cyber liability insurance coverage — can protect against a number of cyber-related threats and help businesses recover from an otherwise no-win situation. The most important thing to keep in mind, however, is just because you have cybersecurity insurance, coverage isn’t guaranteed for every situation.

“If you have business insurance, you know with a great deal of certainty that if you showed up one day and your office has burned to the ground, your insurance policy is going to cover that. With cyber liability, it’s not as clear-cut,” said Eric Hobbs, CEO of Technology Associates.

At Technology Associates, a full-service Cary-based technology solutions provider, Hobbs and his colleagues equip companies to defend themselves against the possibility of a cyberattack, but in the case that one has already happened, there is, unfortunately, not much that can be done.

Comprehensive insurance coverage can turn the tables on an otherwise hopeless situation — but only if companies fully understand what’s covered.

“If you’re a victim of a cyberattack, it’s too late to consider cybersecurity insurance coverage. You really need to rewind. You need to make sure that you have that incident response plan in place first,” Hobbs said. “Know what factors are covered by your coverage and which aren’t. Will your policy pay your ransom? Will it pay to get your data back? Will it pay for forensic costs to make sure that the hackers aren’t still in your system? Does it cover loss of business or loss of funds?”

“There was a law firm in Rhode Island that got hit with ransomware,” Hobbs continued. “They had to pay twice in order to get the decryption key over a three-month period of time, so they didn’t have access to any of their files for three months. They put in a claim to the insurer and the insurer paid out $20,000. That’s it. Their policy limited damage to computer equipment and data caused by viruses to $20,000. It didn’t cover costs related to loss of business revenue.”

In the end, the company took the case to court and weren’t able to recuperate any more than they already had. After all, their policy only covered direct physical loss or damage, not loss of business.

This isn’t necessarily the fault of insurance companies, however. With an increase in cyberattacks over the past few years, they’ve been forced to be more selective with their coverage options.

“It’s incumbent upon the person who’s buying the insurance to understand what’s going on. You need to get with a reputable insurance agent who can sit down and explain it to you in terms you understand, and that talk with your insurance agent needs to be included in your disaster recovery plan,” Hobbs explained.

For those interested in purchasing cybersecurity insurance, there are two types of plans that exist: first-party and third-party.

The former protects against damages to an individual or company (like data breaches, computer attacks, cyber extortion, business interruption and data recovery), while the latter covers damages to customers and partners (data compromises, privacy liabilities, media liabilities). Since there is no standard policy, most are highly customizable based on a company’s individual needs and risks, including selecting your own deductible.

Unfortunately, since there is no standard plan and cyber attacks are often costly, the cost of coverage can be costly. Meeting with an insurance agent can ensure you’re covering all of your bases while only paying as much as needed.

As with many cybersecurity-related fields, insurers are still learning the best methods for adequately covering risks, but many major firms hope to make improvements to coverage in the near future.