Check Point Research reports that ransomware attacks increased 93% in the first half of 2021 — having cyber liability coverage can help your company recover from damages that these attacks cause.
Editor’s Note: This is a guest blog contribution from CoverWallet.com Sales Manager Chris Ham. Chris shares his expert perspective on how businesses and other organizations can protect themselves from various cyber security risks through the use of cyber liability insurance.
Did you know that data breaches and other I.T. security issues can cost an uninsured company millions of dollars? Sophos reports the average price tag of a ransomware attack (including costs relating to ransom payments, downtime, technologies, personnel, and technological resources, and lost business opportunities) is $1.85 million.
Of course, ransomware is just one type of cyber attack that can cause damage to businesses. Cyber insurance is a type of coverage that protects businesses from lawsuits related to their computer security systems. The most common use of cyber insurance is providing settlements to customers following a cyber attack, and there are also many other situations where it is useful. We’ll explore what cyber liability insurance is and how having it can help you protect your business when things go sideways.
Let’s hash it out.
What Is Cyber Liability Coverage?
Before we get into the details, let’s go over the basics by answering the question, “what is cyber liability insurance?” Cyber liability coverage is a form of financial and legal protection for businesses and other organizations that use and store sensitive information (like Social Security numbers and credit card information). This is particularly important in the event that your sensitive data is exposed due to cyber attacks, data breaches, and other cybersecurity-related events.
Cyber liability coverage differs from general liability insurance, which covers businesses when their product or service results in either (or both) bodily injury or property damage. This type of cyber insurance is usually not included in general liability insurance, so it’s best to purchase this additional coverage to cover your bases.
Cyber insurance is ideal for companies that handle any type of personal or otherwise sensitive data, including:
- Personally identifying information (both of customers and employees),
- Financial account information,
- Healthcare information, and
- Intellectual property.
First, business owners need to identify the cyber threats that pose risks to their business and what their specific policies entail to understand what these policies do and don’t cover.
Examples of Cyber-Liability Costs
As you’ve learned, cyber attacks and data breaches aren’t cheap. Here are a few quick examples of some of the cyber liability risks and expenses you may find yourself facing:
- Ransomware costs — If you find yourself in the unlucky position of being the target of a ransomware attack, you may find yourself receiving an extortion demand for hundreds or potentially thousands of dollars worth of cryptocurrencies. Often, cybercriminals will base the amount of their ransom demands on the size of the target organization (the bigger the company, the greater the demand).
- System recovery costs — Recovering lost data or taking care of damaged IT systems and equipment can get very expensive. And what makes matters worse is if your business is unable to keep operating and experiences significant downtime. This inability to gain a future income will result in additional mounting losses for your organization.
- Liability for third-party damages — Customers and other third parties may hold you responsible for expenditures they incur due to a cyber-attack or other IT-related incidents in your company.
- Notification costs — Depending on your location and governing industry regulations, you may be compelled to notify customers if a data breach occurs or is suspected that compromises the client data you hold. And the more clients you have, the higher the notification costs may become.
- Regulatory penalties — Many federal and state laws compel businesses and organizations to safeguard customer information. (The same can be said about overseas regulations such as the General Data Protection Regulation [GDPR].) If a data breach occurs due to your company’s inability to satisfy compliance standards, you might face steep penalties.
What Cyber Liability Insurance Does (And Doesn’t) Cover
Cyber Liability Insurance isn’t a one-size-fits-all blanket protection cover. Coverages for specific risks will vary from one policy to the next.
What Does Cyber Liability Insurance Cover?
According to the Information Insurance Institute (III), specific forms of cyber events may be covered by regular business insurance plans, such as a Business Owners Policy (BOP). For example, if a hardware failure or malware causes you to lose valuable data, your insurance may cover some or all of the expenses relating to recovery or replacement. However, you’ll need to acquire stand-alone cyber liability insurance tailored to your company if you want coverage for a wider variety of risks.
Cyber liability insurance can cover the following risks:
- Identity theft or compromise.
- Data loss or corruption.
- Lost earnings that result from pausing business operations.
- Rebuilding one’s damaged reputation.
- Extortion carried out online.
What Does Cyber Liability Insurance Not Cover?
There are exclusions in all insurance policies that you should be aware of. In most cases, cyber insurance coverage will not cover the following risks:
- Property lost as a result of the breach.
- Lost potential (or future) profits or sales revenue.
- Upgrading software and security.
- Loss of value to your intellectual property as a result of theft.
However, these inclusions and exclusions don’t apply to all plans. This is why it’s always best to talk to your cyber liability insurance company to find out specifically what is and isn’t covered by your individual policy or policies.
Why You Need Cyber Liability Insurance to Protect Your Business From Cyber Crimes
It’s important to take steps to prevent cyber security incidents from occurring in the first place. This includes having the right security measures in place and training your employees to identify and safely respond to potential threats and phishing attacks. But prevention is only one part of the solution; you also need to have a way to protect yourself and your customers in the event that those other security measures fail.
Check out these real-world examples of cyber attacks to learn more about the advantages of cyber insurance and how it can help protect you in the event that you find yourself facing a cyber incident or event.
Reason #1: Phishing Causes Major Firms to Lose Millions
Researchers from the Ponemon Institute carefully examined cyber security attacks and came to a shocking conclusion: The average large company loses roughly $1,500 per employee due to phishing attacks. This adds up to a stunning $14.8 million losses, according to data from their study that was commissioned by Proofpoint. Overall, phishing is the most successful and most common type of cyber attack.
When phishing, a scammer uses an email or website to masquerade as a trusted company. For example, your employee could get a message claiming to be from Facebook, asking them to click on a link and enter password information to unlock their account. If an employee falls for a phishing scheme, they can end up giving away all sorts of sensitive data or downloading major viruses on a company network.
There are several ways that phishing leads to monetary losses:
- Loss of productivity because employees have to stop and deal with attacks;
- Costs to restore information after viruses infect an entire network;
- Funds that are accidentally sent to the wrong person due to a phishing scammer that impersonates a bank or credit card company; and
- Stolen passwords lead to data breaches that generate lawsuits from the affected parties.
The effects of phishing can be surprisingly widespread and reach far beyond your organization. Consider the 2014 Target data breach that resulted in 110 million customers having their credit card information stolen. It’s estimated that Target could be facing losses of up to $420 million due to this breach.
How did this happen? A security investigation by researcher Brian Krebs revealed that the cyber attack occurred when one of Target’s third-party vendors, an HVAC subcontractor, had its network credentials stolen by cybercriminals. It’s unclear why Target would give an HVAC company external network access or why the company’s access wasn’t isolated from Target’s payment system network.
According to the investigation, the attackers uploaded carding malware to a handful of point-of-sale devices within Target stores after a member of Target’s subcontractor’s team clicked on a phishing email. Within days, the bad guys had malware on the majority of the retailer’s POS devices and used that access to collect customer data from transactions as they were happening.
Target states in their official release that the cyber attack compromised approximately 40 million debit and credit card accounts as a result of the breach, which is thought to have taken place between late November and mid-December 2013.
What Can Cyber Liability Coverage Do to Help?
In these sorts of situations, liability insurance is beneficial. Like other forms of business liability insurance, cyber insurance will always help with the costs of lawsuits.
- If a customer alleges that you or an employee did not exercise reasonable caution in a phishing situation, your insurance can help pay legal fees.
- If your organization loses a lawsuit stemming from a cyber event, it will also assist you with paying for any court-ordered compensation.
- If you pay for additional coverage, your policy might also cover data recovery following the breach. However, it won’t compensate you for things like accidentally sending your funds to a scammer.
Reason #2: Ransomware Attacks Affect More Than One-Third of Companies
Did you know that cyber-attacks can hold your company for ransom? A new type of malware involves stealing control of your business. If an unsuspecting employee clicks the wrong link or plugs in a random flash drive, ransomware can seize control of your system, locking you out, stealing proprietary data, and making it hard to do your work. Then the cybercriminals will tell you that you have to pay money to get everything back to normal or keep your company business private. Cybercriminals may also exfiltrate data, which they can then use, leak/publish online, or sell to others.
This type of attack is surprisingly common. A shocking 37% of companies around the world have faced ransomware attacks, according to IDC. You could try to remove the virus or recover information independently, but this is costly and time-consuming, so 87% of companies opt to pay the ransom. IDC’s data shows this can be anywhere from almost $250,000 to $1 million for the average business.
In some cases, the consequences include more than just a payout. In 2017, the WannaCry cryptoworm exploited a hack in Microsoft Windows and locked down more than 200,000 computers. The criminals were able to shut down significant companies like FedEx, Nissan, and the U.K. National Health Service. These businesses could not operate for hours, resulting in productivity losses of up to $4 billion.
What Can Cyber Liability Coverage Do to Help to Protect You?
There are several ways that cyber insurance can help to protect your business in a ransomware situation. Its primary purpose would be to help you handle lawsuits from customers who were harmed by the interruption in service, and it might even give you the capital to pay a ransom. Depending on the coverage you have, your cyber liability plan “might” include assistance with extortion payments or data recovery.
However, keep in mind that law enforcement authorities in your jurisdiction may not allow or support you to pay a ransom. The FBI has made this position clear, stating that paying a ransom in response to a cyber attack will not be “supported,” as it will not guarantee a return of the stolen data, and payment would only encourage cyber criminality.
What does this mean for victims of cyber attacks? N.Y. defense attorney and cybersecurity expert Ryan Blanch believes that cybersecurity firms that help victim companies pay their ransoms could leave themselves open to prosecution by the U.S. Attorney’s Office. On the other hand, if the victim company were to pay the ransom itself without help from an intermediary, it would not face prosecution.
Clear as mud? Not surprising, as the DOJ’s position remains unclear until they publicly announce their policy on this. Blanch recommends that companies hire an intermediary if they fall victim to a ransomware attack. The intermediary should consult with legal counsel about best practices before negotiating and paying a ransom.
Reason #3: Data Breaches Increase Due to the Growth of the Remote Workforce
Not all cyber attacks involve directly taking money or credit card information from a company. A growing concern is fundamental data breaches. A data breach involves any sensitive information being stolen from a company. Hackers can sell this information to competitors, use it to attack the company’s customers, blackmail employees, or do other unethical things.
Data breaches have been on the rise lately, and experts believe the reason might be remote work. A survey from the security firm Tessian found that employees who work from home may not follow cyber security protocols or best practices. Employees need access to all sorts of sensitive information to do their job, but their home computers or networks are often not as secure as their office counterparts.
With data breaches, the financial losses are often indirect. Instead, losses from data breaches typically come in the form of regulatory penalties and lawsuits. Businesses have to protect customer’s private information. If the company fails to implement proper security measures, it can have to compensate customers for the privacy breach.
This can be surprisingly expensive. Consider the massive Equifax data breach of 2017. Over 147 million customers had their information stolen in a massive breach. The impacted customers faced all sorts of financial and legal issues. The company ended up in a prominent lawsuit with the Federal Trade Commission, and they were ultimately ordered to pay people $425 million in compensation.
What Can Cyber Liability Coverage Do to Help?
We get it: accidents happen. But even a simple mistake can wind up costing your company a lot of money in terms of noncompliance fines and lawsuits. Cyber insurance can be a lifesaver if you accidentally share a customer’s data with someone who should not have access to it. This sort of coverage ensures that massive lawsuit settlements do not bankrupt you.
In any data breach, you are legally required to notify affected parties. A good policy can also help with the costs of tracking down and notifying so many customers. While your policy does help with lawsuit settlements, it will not cover things like upgrading your software to prevent future hacks.
Reason #4: Business Email Compromise Results in the Most Costly Losses
Next on the list of example reasons where cyber liability insurance can be helpful: email-based cyber crimes. Business Email Compromise (BEC) attacks might not be as well-known as phishing, ransomware, and data breach attacks. However, they can have some of the most concerning consequences because they cause the highest financial losses. A BEC scam is technically a type of phishing. However, this scam directly steals money instead of just trying to sneak some information or get into your system.
In a BEC attack, an employee will get an email message that appears to be requesting a legitimate business service. Some examples include:
- Wire transfer fraud: A company that regularly pays for big purchases via wire transfer gets an email telling them the wiring information has changed. They end up accidentally sending several payments to a random scammer’s bank account.
- Invoice scams: A company’s accounts payable department gets invoices from someone claiming to be a creditor. They then learned the bills were fraudulent.
- Legal fine scams: In these scams, a person may get an email telling them the company has violated some law. The email will threaten them with further legal consequences if they do not pay a fine.
- Gift card scams: A secretary supposedly gets an email from the CEO, asking them to purchase many gift cards for employee rewards. The secretary is told to buy them with the company account and then email the gift card serial numbers back to the scammer pretending to be a CEO.
These scams are less common, but as you can probably tell, they result in significant losses. One cleverly constructed BEC attack can get tens of thousands of dollars from a company in minutes. Unlike what happens following other scams, it is usually impossible to trace the criminals and get the funds back. The loss of funds can end up interrupting your workflow and making it hard to meet payment deadlines.
Reason #5: DDoS Attacks Cost the Average Business $50K (Or More)
Distributed denial of service (DDoS) attacks are a somewhat unusual cyber issue. DDoS attacks block people from accessing critical information, services, and resources instead of stealing proprietary information or money. Attackers can use bots or other programming tools to overwhelm a company network, keeping you from accessing your data or keeping customers from reaching your site.
DDoS was viewed as a harmless prank for many years, often used to bully a rival social media forum. However, these attacks have increasingly targeted organizations’ websites and services, affecting public and private sector organizations alike. In some cases, DDoS can come from a rival company, hoping to shut down your network and steal your customers. Some DDoS attacks are also extortion, where criminals demand money to stop the DDoS attack.
These attacks can be surprisingly pricey. A study by Corero Network Security shows that DDoS assaults may cost up to $50,000 in lost earnings, attack mitigation, and lost productivity. Companies lose revenue while their system is down, and they might have to pay a ransom to get their system back up. Furthermore, this price tag doesn’t necessarily factor in lost revenue stemming from losing customer trust and the ability to make future sales.
Security experts report these attacks are becoming increasingly sophisticated, so it can be hard for the standard I.T. team to protect from an attack. In the future, DDoS attack costs might be on the rise.
What Can Cyber Liability Coverage Do to Help?
Whether or not your cyber liability policy covers a DDoS attack will usually depend on the fine print. It is becoming increasingly common for cyber insurance to bundle in insurance for DDoS. However, some older policies might not cover the costs associated with DDoS because it used to be a relatively uncommon type of cyber attack.
If your policy does cover DDoS attacks, it will usually help repay you for things like mitigation to restore your system or repairs to a damaged system. Less direct costs, like losing the opportunity to work with a business, are not typically covered.
Final Thoughts on Cyber Liability Insurance
As you can see, cyber liability coverage has all sorts of applications. It can help with everything from privacy breaches to credit card theft. In addition to paying for lawsuits, your cyber insurance can help with many other expenses caused by a cyber attack. If you run any type of business or organization, it’s best to get this type of coverage as soon as possible.
With technology becoming an increasingly important part of modern business, the risk of cybercrimes is on the rise. Each year, more and more companies face hacks, data breaches, scams, and other issues. Taking the time to protect yourself can ensure that you avoid the disastrous effects of cybercrime.