Buying security

Valerie Corekin works with many business owners who don't consider the cyber insurance plan they're weighing for their companies as crucial to their risk management strategy as life insurance is for their personal lives.

But business owners "who think that they don't have to secure their data and IT technology'with the same level of due diligence they use to protect their physical assets, such as on a building, are not making good decisions," said Corekin, a senior risk advisor with PSA Insurance & Financial Services in the Washington, D.C., metro area.

Digital exposure is much greater than people realize. Instances of cyberattacks and breaches are growing, and so is the publicity surrounding them.

"There are costs associated with this," she said. "Those costs are pretty scary', too."

They also can be devastating, according to Meredith Schnur, senior vice president of professional risk practice at Wells Fargo Insurance. Schnur and her group place network security and privacy liability insurance on behalf of all size businesses. But settling lawsuits is just a glimpse of what an organization ends up paying after a cyber attack, Schnur said.

"Exposures to network risk and failure to protect computer systems from attack, which cause a leak of privacy, can result in individual or class action lawsuits," she said. "Or the exposure can delete, destroy or corrupt data, causing an organization to become inoperable. There are many ways a company could be financially injured by failure to protect computer systems and data."

The costs of recovering from a data breach begin to accrue before a breach is even declared. Schnur said that 90 percent of organizations that have an incident - meaning there has been unauthorized access of data or malware has been detected - have to hire outside investigators.

Many states have breach notification laws, which means that if the initial review reveals perpetrators were in a system that stores confidential customer or employee data, the company has to notify all customers and employees, Schnur said.

"That's the next step, and it can cost a lot of money," Schnur said. "You may have to open a call center to handle the communications and hire public relations experts to manage your brand's response."

Organizations also maybe required to notify the FBI, Secret Service and state and federal regulators.

While not all states require a company to pay for credit monitoring for all employees and customers potentially impacted by a breach, many organizations will foot the bill for a year as a show of goodwill.

"Before you've even been sued, you are already spending money," Schnur said. "Cyber liability helps to cover these first-party costs as well as any settlement costs that maybe incurred if an organization is sued."

Before you buy

But how do you choose a reasonable cyber insurance policy among the hundreds offered?

Evan Blair, co-founder and chief business officer with social media security and threat intelligence firm ZeroFoxin Baltimore, said every business should first conduct an audit and establish a written corporate security policy, wherein cyber insurance is included among various risk mitigation strategies as a sort of last line of defense. Make sure the policy looks to the potential impact - direct and indirect costs - a breach would have on business operations, as well as how customers could be affected, he said.

Also, understand the precise limits of these policies and what steps have to be taken to maintain coverage - reputational damage from a high-profile breach, for instance, could prove to be outside the scope of a recoverable loss, Blair said. "It's about trust and reputation at the end of the day with your customers."

PSA, Corekin's company, advises clients to ask themselves whether they can survive a temporary interruption or shutdown of operations or pay for the costs associated with, say, notifying exposed clients. There are at least 47 different sets of state laws that regulate cyber breaches, she said, so make sure you are knowledgeable about your company's potential responsibilities to secure its data. Some industries, such as health care, are highly regulated and face additional federal requirements.

Cyber-insurance policies, which have only been around for over a decade, have many coverage options, but generally offer three buckets of coverage, Corekin said: liability for security breaches when private information is released; costs for items such as regulatory compliance fees, legal issues or the expenses associated with unlocking the system after a hack; and business interruption expenses. Note that fallout from a cyber attack will likely no longer be cover by most standard insurance policies, including business liability insurance, business interruption insurance, or even computer fraud coverage, Corekin said.

Another point of potential confusion: Understanding the precise meaning of the terms associated with a breach of privacy. Buyers can quickly stray into the weeds when trying to figure out the precise meaning of policy terms like "glitch" or "wrongful act," but knowledgeable agents are good guides, she said.

Finally, if your firm operates around the clock and a breach could affect operations at any time, you'll need a provider that will pick up the phone on a Friday or Saturday evening, Corekin said. In some states, you may only have 72 hours to meet regulatory deadlines to respond to a breach.