One of the questions we get often at RoundTable is from organizations asking whether they should get cyber liability coverage and, if so, what they should look for in cyber liability coverage.
This post is meant to provide as clear a response as we can to that question.
The answer starts with gaining a clear understanding of risk. A common term in the risk management field is “risk mitigation”. For many years I found the word “mitigation” annoying in this context because I was taught by my father to never deploy the word “utilize” when “use” would do just fine and “mitigate” seemed, to me, synonymous with “reduce,” a simpler word everyone understands. I’ve since changed my mind on the word “mitigate.”
There’s a cliché in sports about a great player that goes like this: “You can’t stop him, you can only try to contain him.” I’m not sure of the origin, but I first heard the phrase spoken about Michael Jordan. This applies to risk. Risk is part of existence. You can’t stop it. But there are things you can do to contain or “mitigate” risk.
First, let’s think about the kinds of bad things that can happen in a cybersecurity context. If we think about things like ransomware, account breaches, data loss and fraud, there are different consequences that may apply.
Downtime - we can’t work, or we have to spend time fixing (or “remediating,” in risk management parlance) the incident
Reputational Damage - our organization may suffer reputational damage from the incident
Financial Loss - we may literally lose money through fraud or theft, or we may have to spend money on resources to help us respond to the incident
Let’s break it down into four basic actions you can take in regard to risk. All of these together are where the word “mitigate” comes in. Risk mitigation is looking at your risks and deciding which of these actions to take.
Avoid
Reduce
Transfer
Accept
Avoiding risk is the first option and generally the best if it’s available. Let’s say you are collecting social security numbers (SSNs) of clients and you identify that as a risk because it’s sensitive information you are collecting and keeping. But you also realize that you don’t USE the SSNs for anything and don’t need to collect or keep them. You can easily AVOID this risk by ceasing the collection of SSNs and deleting the ones you have. Risk avoided.
This is where most cybersecurity work happens. If you are concerned about the risk of your email account being breached, you can’t easily AVOID this risk because it would mean not having an email account. But you can REDUCE this risk by having a strong password and employing two-factor authentication (also known as 2FA) to increase the security of your account.
If you are concerned about data loss should your email account be breached and the attacker delete all your emails, you can implement a backup solution that automatically backs up your email account. Cybersecurity measures (or “safeguards”) such as backups, passwords, two-factor authentication, encryption, training and incident response are all measures to REDUCE the risk of various threats.
THIS is where cyber liability insurance fits in. Transferring risk means moving the consequences of a bad thing happening to someone else. It’s making it someone else’s problem. One example is credit card processing.
Most small organizations have a third-party processor handle the credit card transactions on their website. They understand that collecting credit cards comes with risk and that they can’t avoid this because they need to accept credit cards. Reducing the risk of accepting credit cards can be quite intensive, so many organizations choose to TRANSFER this risk to a credit card processor (such as PayPal or Stripe).
It’s the third consequence listed above, Financial Loss, where cybersecurity insurance most often applies. What cybersecurity insurance can do is TRANSFER the financial risk from various cybersecurity incidents to the insurer. You pay the insurer some annual fee, say $2,000, and in exchange they accept the TRANSFER of up to $1,000,000 of your financial risk.
It’s important to understand that you are ONLY transferring the financial consequences of an incident. You can’t meaningfully transfer the downtime consequences or the reputational damage consequences. That’s not to say the money you could be reimbursed by your insurer couldn’t be used to limit the downtime and reputational damage consequences, but you still haven’t TRANSFERRED those risks. You keep those yourself (lucky you!).
Which takes us to the last thing we can do with risk: accept it. Going back to our email example: I can’t avoid the risk of using email because it’s a business-critical tool. I have already reduced the risk of a breach by using a strong password and two-factor authentication. I have transferred the financial risk of an email breach by purchasing cybersecurity insurance.
Even with all these “mitigations” in place, I STILL have the risk of downtime if my account is breached or I forget my password. I still have the risk of reputational damage if my email account is breached and sensitive communications are exposed.
At this point, I choose to ACCEPT those remaining risks. And here’s a key point - WE ARE ALL ACCEPTING ALL KINDS OF RISKS RIGHT NOW. I could get hit by a meteor or a stray piece of space garbage at any minute. I COULD reduce this risk by living underground, but I’m not going to do that. I accept that risk. What I think is most important is UNDERSTANDING the risks you face, UNDERSTANDING what options you have to manage (mitigate) those risks, and then continuing on with life.
Life is risky. That’s what makes it fun, right?
Hey, what about the original question - Should we get Cyber Liability Insurance or Not? And if so, what kind of coverage should we get?
If you look at your risks and see a lot of FINANCIAL risk that could be effectively TRANSFERRED to an insurance company through cybersecurity insurance, then the answer is a resounding YES. For most organizations, this is a clear and obvious YES.
The next question is then, what should be covered? This gets tricky, as it’s going to vary from organization to organization. Here’s a basic list of six (6) key coverages you typically want in a policy (adapted from 7 Key Coverage Elements of Cyber Liability Insurance).
Forensic Expenses
You have determined that data has been compromised and need to investigate what happened, how it happened, and what information was accessed. The expenses to hire an outside forensic team for discovery are covered.
Legal Expenses
You may need legal representation in order to determine the scope of your federal and state breach notification requirements. You will also need legal counsel to defend you in the event a suit is filed against you.
Notification Expenses
The costs incurred to notify affected parties, whether via email, physical mail, etc.
Regulatory Fines and Penalties
Any fines imposed by regulatory authorities under laws such as GDPR, CCPA, New York SHIELD, etc.
Public Relations Expenses
The manner in which the breach is reported to the media is crucial to restoring your reputation and maintaining your clients, vendors, business associates, partners, and patients.
Liability and Defense Costs
It's not uncommon for class action lawsuits to be filed against you following a breach. You will need legal representation, which can be of your own choice or appointed by the carrier. Either way, coverage is available for these costs.
There are a lot of resources out there, but we like the various articles and guides published by Woodruff Sawyer. You can start here with a short 101 article or download their 13-page cyber liability guide here.