In today’s business world, digital information is fundamental to everyday operations. Whether it’s financial applications, e-mail communications, supply chain management, content management, sales order processing, or customer relationship management systems, data is the backbone of business. The more reliant a company is on digital data, the lower its tolerance for any interruption in application or data availability caused by “cyber-threats”. And the recent rise in high-profile “cyber-incidents” such as computer viruses, data theft, identity theft and other cybercrimes makes it critically important to keep data secure, available, and organized. So what happens when a data loss or breach occurs? More specifically, what is the recovery strategy? Consider these scenarios:
SCENARIO #1: You own a small business and one of your employees accidentally opens up an email that has a computer virus attached to it. The virus crashes your computer network but not before spreading itself to everyone in their contact list, including all your customers. As a result, one of your customers gets the same virus, wipes out their whole network and now they are suing you for damages.
SCENARIO #2: You run a non-profit organization. Your website gets hacked by a virus and it corrupts all of your content, then emails a virus link to all your donors. You rush to take the site down but not before a lot of damage is done, plus you now must spend thousands of dollars to have your computer network and website rebuilt. Meanwhile, several major donors are not pleased with the way things were handled, so you have now lost their sponsorship (income).
SCENARIO #3: A disgruntled former employee logs in to your network and blocks access to your company website so your customers cannot access their accounts nor do business. After two weeks of this everyone is upset because they cannot operate normally and you’re losing customers by the hour. Not only have you lost customers but now you can’t get them back and some are suing for damages.
What do these three scenarios have in common?
None of the losses would be covered under typical business insurance policies. The Insurance Service Office Building and Personal Property Coverage Form, which covers damage to your property, covers loss of data but only up to an annual limit of $2,500. Commercial General Liability Policies cover claims against you for damage to others’ property, but damage to data is specifically excluded. Not only is the damage to data excluded, but damage (including bodily injury) caused by a loss of data is specifically excluded as well. This means the full financial impact of these scenarios would fall directly on your business! Times have certainly changed, and the fact is that most businesses aren’t prepared for these kinds of scenarios, yet they are happening every day at an alarming rate. More privacy and security breach headlines are appearing in the news, and those are only a small portion of what is actually happening but is not reported. According to the Cincinnati Insurance Board, most companies, particularly small businesses, are woefully unaware of the implications of cyber-threats. “Cyber losses are increasing and the cost to recover from a data breach can be staggering”, says the board’s Executive VP Ron Eveleigh. “At this time coverage is limited for these cyber losses but the coverage is evolving. Some policies will provide limited coverage for broad data and privacy breaches but right now the majority of commercial general liability policies need a specific endorsement for cyber-peril coverage.”
That said, there are three things you should do in order to avoid major losses caused by cyber-related threats.
1. Ask your insurance agent to do a review with you of your business’s cyber risks.
“Be sure to inform your agent of any e-commerce activity that your business does and what kinds of and whose information you store on your network”, says Brian Fey, VP of Fey Insurance Services, Oxford, Ohio. “This would even include any information on subcontractors who do some of your e-commerce activity or help in running or maintaining your computer network. At the same time be sure to have them review your current coverage and see what possible gaps exist in your current plan as it pertains to covering cyber threats unique to your way of doing business.”
2. Inquire about “cyber-risk” coverage for loss of, or damage to, data.
“Be sure to ask not only about coverage for loss of your data, but also for your liability for loss of others’ data as well as the damage that can be caused by the loss of data,” says Martin Dvorchak, CPCU and consultant for CORE Risk Services, a Cincinnati, Ohio based Risk Management and Disaster Recovery firm. “Endorsements and/or policies to cover your data are readily available. So-called Cyber Liability policies are available to cover your liability for loss of data. There are many versions of these policies available in today’s marketplace and it is important to carefully review terms and conditions to make sure such a policy will do what you expect if and when it is needed. Unless you’re making buggy whips on a cash only basis, you need some form of this coverage to protect your business. Covering these exposures is probably more affordable than you think and it’s certainly a lot cheaper than paying for damages out of pocket,” Dvorchak adds.
3. Have a data security risk assessment performed by an IT professional who specializes in data security. This will help discover the strengths and weaknesses of your data handling processes and fix them before something bad happens. A thorough risk assessment along with adopting best practices demonstrates that you have exercised due diligence and, when properly documented, can serve as an “affirmative defense” when a cyber-threat impacts your employees or customers.
As the saying goes, “an ounce of prevention is worth a pound of cure,” and this especially applies to cyber-perils. Each of these pointers can be the difference between business continuity and business failure in the event of a cyber-related incident.
This article was originally published in the Insurance Journal Magazine March 5, 2012.