Cyberliability grows as safety net against data breaches
Companies have always been repositories of massive amounts of information, about products, clients, customers, partners and more.
But in today's world, customer information faces the prospect of cyberattacks since so much of it is stored on servers in the office or in the "cloud," shared server space over secure Internet connections.
That's caused growth in what's known as cyberliability insurance, which protects companies in the event of data breaches from hackers, viruses or malware, as well as lost or stolen phones and laptops, insurance brokers said.
"A lot of companies are starting to buy it more and more because the cost of notification is so high," said Sheri Riley, vice president of business development at Lancaster-based Murray Securus.
Cyberliability coverage has become increasingly popular with companies in the health care and financial sectors, where large amounts of personal health information and financial data are stored, she said. Companies managing such data are required by federal and state laws to notify customers of breaches to sensitive data. Cyberliability covers those costs.
"The No. 1 risk is unauthorized access into your system," said Bill Young, an account executive focused on information technology risk with Murray Securus.
Young formerly was a risk manager for D&E Communications, the Ephrata telecommunications company acquired by Arkansas-based Windstream Corp. in 2009.
Cyberliability coverage has been around for nearly a decade, he said.
The largest issue is that companies with sensitive data might have customers in multiple states, all which have different laws about who has to be notified for which types of breaches. That gets expensive, so the insurance prevents that risk from stifling a company from continuing its business, he said.
"Over time, the coverage has evolved and become more affordable," Young said.
That's a good thing, because so many more companies have sensitive data stored on computers today, said Gary Harshbarger, senior vice president of Lemoyne-based insurance agency Gunn Mowery.
Small companies can buy minimal policies with $250 to $750 of coverage for anticipated costs of dealing with information security breaches, he said. Larger companies are taking on cyberinsurance that covers them up to $500,000. Coverage type depends on the industry, company and sensitivity of the digital data businesses maintain.
"That's what has come out, so now even small companies can have at least some kind of cyberinsurance," Harshbarger said.
Cyberliability also has generated a niche business for crisis communication firms specializing in state and federal notification laws, he said. If you're too big and you need to notify customers of a data breach, you might hire one of these firms to handle it for you.
That's better than getting something wrong and facing massive fines and penalties for breaking the law out of ignorance, he said.
The problem is that companies can't assume one cyberinsurance policy is the same as another, Harshbarger said. There are exclusions from policy to policy and from company to company.
There could be seven or eight different policies that cover the full range of risks associated with electronic data. However, most insurance firms offer bundled packages that cover the most common risks.
"You really have to get the policy form to understand all the nuances," Harshbarger said.
For example, most cyberliability policies doesn't cover a company's financial losses from having its digital data compromised, Young said. Business interruption coverage might better address that, he said.
Of course, having the right insurance coverage is the backup plan, he said. Companies and their IT staff need to work in advance of hackers, malware and other cyber risks to minimize the likelihood that sensitive data will be compromised in the first place.
That means adequate security measures for computers, servers and all other points of entry that could be exploited, Young said. It also means developing policies about how employees can use company laptops and cellphones when they're outside the office.
If companies don't take the right precautions and large-scale breaches compromise data, they could find themselves in lawsuits that are even more expensive than insurance and risk management, Harshbarger said.
Although awareness is increasing about cyber risks, many companies don't fully understand the issue, and that means cyberinsurance is not purchased as often as others, he said.
But the risks from cyberattacks are just as real as risks from fires or thefts, meaning all companies need to discuss that risk and the available options, agents said.
"It's a different world we're in today," Young said.