by: Adam Terrell and Zach Kaiser; Strategic Risk Advisors
The news has been dominated by big name companies like Yahoo, Target and Home Depot experiencing data breaches and cyber incidents, but the reality is that a larger percentage of small to medium sized businesses (SMB) are being targeted on a regular basis. The costs associated with these attacks can be crippling for any business.
The numbers involved with determining the cost of a cyber incident vary wildly, and it is safe to say it significantly affects the bottom line. A large number of SMBs don’t have the resources, time or money to effectively manage these problems. To compound matters, cyber-attacks tend to be sticky, causing repeated issues and interruptions for years to come. Understanding the differences between data breaches and cyber liability is the first step in establishing a cyber risk strategy.
A data breach is when someone obtains proprietary or confidential information from your business without knowledge or permission by hacking into your computer system, stealing a device like a laptop or smartphone, or downloading information from your company server. The breach may be perpetuated by a hacker, an opportunistic thief or even an employee. It is important to remember that not all information is equal and different states have different laws regarding what is considered Personal Identifiable Information (PII) or Protected Health Information (PHI), and the cost of a breach changes dramatically for each type of data lost.
Cyber liability comes into play when your company is accused of causing damage to an outside party as a direct result of a cyber incident. A cyber incident can happen if one of your employees aids in the spread of an infected email, or if it is determined you are not doing enough to protect data in your possession, or even if there is a breach of your website content.
Simply put, data breach is about losing information and cyber liability is about causing damage to an outside party. Both can be costly and both are covered very differently. Some resources available to help prevent or mitigate a cyber incident include password security measures, social media policy, firewalls and proper insurance coverages that may be in addition to your standard policies.
One such coverage is data breach coverage. This is a first party coverage that usually covers notification costs, credit monitoring services for individuals whose records have been compromised, and other costs associated with the loss of the data.
Another type of coverage available is cyber liability insurance. This is a standalone insurance policy that is specifically designed to provide first and third party insurance coverage for computer and Internet-related exposures, and address exposures associated with a cyber incident.
When determining the best coverages to work with your cyber strategy, it is important to understand what is covered under the commercial general liability (CGL) policy as opposed to a cyber liability policy. Most CGL policies exclude cyber incidents, meaning things like business income insurance, and personal injury and advertising injury liability will not be covered.
Unfortunately, most cyber policies from standard carriers are covering data breach but NOT cyber liability and it is easy to think you are covered for all areas. Depending on the nature of your business many of these roll-on data breach coverages are ineffective against most costs associated with cyber incidents. The cyber world is complex and constantly evolving. It is imperative to be proactive in protecting your organization from these hidden risks.