By Richard Clarke, Chief Insurance Officer, Colonial Surety Company
Despite the fact that marquee corporate names like Meta, T-Mobile, and Morgan Stanley have shelled out hundreds of millions of dollars in fines and settlements for data breach lawsuits in the last few years, cybersecurity victimization is no status symbol, nor is it confined to enterprise companies. In the endless battle of attrition against cyber criminals, CISOs and leaders deploy automated security software solution stacks, rigorous corporate policies and procedures, and education-awareness programs. Since cyberattacks succeed despite their best efforts, they are adding cybersecurity insurance to their cost of doing business.
The costs associated with a data breach have grown staggering, including costs of forensic investigations, legally mandated customer/employee notification costs, business interruption costs, expenses in identifying the cause of the breach, and non-compliance fines – and now there’s the cost of legal defense and settlements in fighting lawsuits. Attorneys and consumers have become increasingly aware they can sue the companies if data is compromised. The cyber insurance market is growing at a 20% clip every year, and the cyber liability insurance market increased 3.9% in 2022. Yet when examining cyber insurance proposals, executives may have difficulty in distinguishing individual insurance policy provisions, as well as pinpointing the exact differences between cyber liability insurance and data breach insurance, often unsure as to what these insurance policies may or may not cover.
Small businesses are not spared from data security lawsuits
According to the 2023 Data Security Incident Response Report, lawsuits being filed in response to breach incidents has grown rapidly since 2018, including a marked increase in lawsuits responding to incidents where fewer than 100,000 people were impacted and even four suits in which 1,000 people or less were impacted. For smaller organizations in particular, cybercrimes can be catastrophic. In a National Cybersecurity Alliance study, 25% of small businesses that experienced a data breach filed for bankruptcy and 10% went out of business. Yet, only about one quarter of small to medium-sized businesses carry cyber insurance. SMBs leaders are under particular pressure to acquire the best possible data breach and liability protection at the lowest possible premium, a difficult task given the rising premiums.
Certainly, not all cyber insurance products address the same exposures. Some policies may offer an enhanced approach to coverage that includes breach response services, mitigates damage, provides for business interruption loss, and insures the obligatory investigation and notification are included and properly addressed. Some offer defense for litigation expenses, as well as regulatory actions. To execute proper due diligence when selecting cyber insurance protection, buyers need to fully understand what their cyber exposures are, what comprehensive cyber liability insurance protection can provide as opposed to breach insurance, and its coverage approach.
Data breach insurance defined
Data breach insurance confers very specific protection in the event that the insured organization suffers a data security breach. Individual insurers may vary in the way they define a data breach, so it bears close attention when shopping. A breach might come in the form of anything from stolen customer/employee data to a dumpster diving situation in which a third party is able to commit identity theft by piecing together correlated customer/employee information after going through the organization’s discarded files. Many cyber insurance policies cover some variation of these exposures. Ideally, the insurance policy covers assistance at every stage of incident investigation and breach response, helping businesses navigate their legal obligations in the event of an attack.
However, data breach insurance does not necessarily require allegations of negligence, nor does it provide defense expense coverage, in many cases. Coverage either exists for the specific data breach situation or not, depending on the circumstances of the claim being made and coverage provided (or not) by the specific cyber insurance policy.
Cyber liability insurance defined
The term “cyber liability insurance” is not universal terminology, but generally refers to one or more insuring agreements in a cyber insurance policy, which would defend the insured organization/persons from covered allegations as well as pay settlements/judgments on behalf of the insured organization. The core insuring agreement in most cyber insurance policies usually involves insurance for allegations of “network security liability” or “breach of privacy liability”, or some combined version of both. Simply put, the coverage provides generally broad insurance protection primarily involving allegations of negligence, with a focus on defending the insured organization, including insured persons, and payment of settlements/judgments.
Data breach policy or cyber liability?
Organizations can pick and choose which coverages they wish to insure; although the majority almost always opt for both coverages. Most business insurers have similar policy forms for basic liability insurance, commercial general liability, and directors & officers liability insurance. But there are usually significant variations between one cyber insurer and another. Both buyers (and sellers) of cyber insurance should carefully review their coverage policies, and ideally have a basic understanding of their risk exposures to ensure that the coverage purchased is technically adequate in addition to being acceptably priced.
Depending on the individual policy, in some cases endorsements for data breach situations could be added to another type of commercial insurance policy such as property insurance. This is a less costly but much more limited approach to coverage than a specific cyber insurance policy, which almost always includes coverage for the cyber liability exposure. Not only are companies trying to adapt to the emerging cyber risk vectors, but insurance carriers are as well. Security leaders should seek out non-traditional providers or insurtechs that have online tools, flexible term and payment options, flexible coverage options, and customized value-added services instead of traditional policies that are inflexible and limiting, within a commoditized market.
Vigilance against cyber threats, diligence in mitigating cyber risk
How does the buyer know which cyber insurance is most appropriate for their exposures? It’s an answerable question that requires some due diligence. Business leaders can rely upon a trusted insurer or agent to provide acceptable coverage. If they have successfully assessed their cyber risk exposure, they can employ a basic coverage checklist cross-referenced against the policy proposal. Insurance buyers would be wise to do some easy research into whether the insurer tends to pay claims promptly and without friction, checking websites that track data breach situations, like www.privacyrights.org and www.idtheftcenter.org.
Cyberattacks are rising, despite numerous cybersecurity solutions and zero-trust approaches in the market, feasting on an ever-widening attack surface from the proliferations of hybrid work, enterprise cloud adoption, IoT, blockchain, and now generative AI tools. To mitigate the unwieldy risk environment and to stay competitive in recessionary times, it has become mission critical that organizations, especially small and medium-sized enterprises, find insurance solutions that insulate their businesses from destructive cyber threats and data breach lawsuits that hit the bottom line and the brand reputation.
About the Author
Richard Clarke, Chief Insurance Officer, Colonial Surety Company. As an insurance industry veteran with more than three decades of experience, Richard is a Chartered Property Casualty Underwriter (CPCU), Certified Insurance Counselor (CIC) and Registered Professional Liability Underwriter (RPLU). He leads insurance strategy and operations for the expansion of Colonial Surety’s SMB-focused product suite, building out the online platform into a one-stop-shop for America’s SMBs.
For more information about Colonial Surety Company visit our website: https://www.colonialsurety.com/.