By David Peters, CPA
This article originally appeared in the Summer 2022 issue of The South Carolina CPA Report

Whether you are in the insurance industry bubble (like me) or outside it, I am not sure that I have ever seen an insurance product that is more misunderstood or underappreciated than cyber liability insurance. Ten years ago, there were just not as many insurance companies writing these policies as there are today. During my time as the CFO of Compare.com, I remember an underwriter telling me about cyber insurance being one of their new product offerings. He talked about how his company was an “innovator” and the “first to the market” with this exciting and cutting-edge product!

At the time, it seemed that many insurance companies really didn’t understand the risk associated with the cyber claims they were taking on by writing a policy. Many of the insurers that could quantify the risk were still reluctant to hold a product out to the public. Customers just weren’t clamoring to buy this new type of insurance. After all, who did business over the internet?!

Times have certainly changed. After the pandemic, it seems that nearly every company is active on the internet. While the need for cyber policies has certainly increased, companies still seem reluctant to add them to their insurance program. Smaller companies especially seem apprehensive. Their leaders think the product is too expensive or they don’t do enough internet-based business to warrant it.

Cyber insurance is still not a standardized insurance product; however, some things are nearly always true across all company offerings. First, cyber policies cover not only internet selling but also the collection of data from customers and potential customers. This often comes as a surprise to companies. Even if they don’t have a product they sell over the internet, they may still have cyber exposure from simply collecting information. Any personal information collected and stored by a business is a potential exposure.

Second, cyber policies are priced primarily based on the number of records that are kept. While the types of data kept are important (personal information represents a higher level of exposure than other types of information), normally, just the sheer quantity of data makes a difference. The more data a company keeps, the more data it can lose in the event of a breach. For an insurance company, this means higher average claims costs that must be passed on to the consumer. For the CFO, this means that a cost versus benefit decision must be made. The more data a company keeps, the more it knows about its customers’ buying behavior and tendencies. It also means higher cyber premiums. Deciding how much data to keep and for how long is critical to finding a balance between paid premiums and market insights.

Third, cyber policies will generally cover regulatory fines and penalties resulting from a data breach. While many people know that cyber policies cover customer costs in the event of a data breach, they are often surprised to find out that many policies also cover regulatory costs. They may help cover the cost of a public relations firm, credit monitoring of affected customers, as well as data recovery costs. Recovering from a data breach is often more than simply reaching out to clients with a letter telling them there was an incident. Costs can escalate very quickly. Insurance can help keep those costs down and allow a company to focus on rebuilding its public image.

Common Items Covered Under Most Cyber Policies:

  • Notification Costs
  • Credit Monitoring
  • Costs to Defend Claims by State Regulators
  • Fines and Penalties
  • Loss Resulting from Identity Theft
  • File Recovery Costs
  • Investigation Costs
  • Data stored on laptops and other portables
  • Information stored on the cloud
  • Information stored both offline and online
  • Advertising and other content
  • Crisis management and PR costs
  • Cyber extortion

This is not to say that cyber policies will cover everything. They won’t cover the loss of a company’s reputation with the public. They won’t cover the time it takes to rebuild IT morale either. However, they do give a company a fighting chance to recover after a breach. With companies doing more with data and web-based sales than ever before, there is no doubt that the need for cyber insurance will continue to increase, and the product will continue to evolve.