Insurance plans that offer a fallback against cybercrime were considered a luxury only a few years ago. And a few years before that — they were nonexistent.
But, with the amount of companies that can attest today to the cost of defrosting data after hackers froze their systems, experts say those without these plans are skating on thin ice.
Maura C. Smith, a partner in Riker Danzig Scherer Hyland & Perretti LLP’s Insurance and Reinsurance Group, said that there are few skeptics remaining about the value of insurance that covers losses from cybersecurity threats.
“It’s really almost impossible to avoid today,” she said. “You need some protection. The only question is what sort of risk exposure your particular company has.”
Michael P. O’Mullan, another partner at Riker Danzig, said his firm and many others now work with a large profile of clients seeking coverage for liabilities related to these events. Law firms are also working directly with insurance companies in facilitating the legal aspects of those plans.
“It’s hard to throw a rock these days without hitting cybersecurity issues,” O’Mullan said. “It’s at the forefront of a lot of companies’ minds. … It wasn’t on anyone’s radar screen a few years ago, but it’s keeping people up at night now.”
Those in the insurance industry have scrambled over the past few years to develop coverage plans for cybersecurity issues as hackers have dealt blow after blow to businesses.
This new coverage option, which is sometimes just bolted onto traditional insurance packages for businesses, comes in a variety of forms.
“And the insurance industry has, over time, gotten a better sense of what exposures there are and how to cover it,” O’Mullan said. “So, they’re getting smarter about evaluating it. And, these days, most insurance companies want to be in this area.”
So, it has become lucrative for the insurance industry, especially as the newness of these issues confuses what companies should consider competitive costs and policy structures.
For some, the confusion has made for a less-than-compelling argument for purchasing protection plans that focus on cybersecurity issues. That hesitance is fading fast, however.
Cybercriminals are starting to target smaller and midsized businesses. Those companies need to start making this more of an important consideration.”
Andrew Gibbs, partner at Lindabury, McCormick, Estabrook & Cooper P.C.
Andrew Gibbs, a partner at Lindabury, McCormick, Estabrook & Cooper P.C., said that’s because the profile of a cybercriminal’s target has shifted over time from the now well-guarded treasures in the nation’s largest companies to the troves at more modest firms.
“Cybercriminals are starting to target smaller and midsized businesses,” he said. “Those companies need to start making this more of an important consideration.”
Cybersecurity insurance products come highly recommended by Gibbs. He said he often doesn’t think doubts about potential costs are justified.
“It’s true that a lot of companies might still be saying, ‘I’m not sure I need this — it’s too expensive,’ ” Gibbs said. “But the reality is, this insurance is not that expensive compared to the actual cost of a loss from a cyberattack.”
Estimates vary on the cost to organizations from the response costs, loss of reputation and everything else that comes out of one of these incidents. But Gibbs said it has been reported to exceed $1 million in some studies.
“And, for a small company, that could be fatal,” he said. “But a small company can get $1 million worth of coverage for less than $5,000 a year in premiums — even if the cost depends on the size of the company and their risks. It’s not prohibitively expensive. And it could end up being the difference between going out of business or not if something does happen.”
Max Schatzow, an attorney at Stark & Stark, represents investment advisers. In the financial service industry, this type of coverage is becoming less of an option and more of a necessity every day.
“Within the past three to five years, these attacks have gotten so prevalent in terms of the level of sophistication we face,” he said. “I don’t think a week passes without a client calling with a reportable event.”
The crown jewel of the industry Schatzow works with is sensitive financial information, the sort of data that hackers want to get their hands on — and the assets traditional insurance wasn’t designed to cover.
Depending on its industry, not every company has such valuable digital assets entrusted to them.
“Regardless, any executive would be crazy not to consider getting coverage,” Schatzow said. “The costs of these policies are so extremely cheap for what you’re protecting that it’s really a no-brainer to have this type of coverage. That said, I’m sure that’ll change once insurance carriers have a better chance to price out the costs, expenses and actual risk.”
Just as different businesses’ potential exposure to cybersecurity threats can run the gamut, so, too, can the types of insurance plans that are currently on offer.
“There are probably about 40 insurance companies offering some type of product in cyberinsurance, but nothing is uniform yet (among the available policies),” Gibbs said. “It varies a lot right now, but it’ll get there in terms of uniformity.”
Typically, the coverage is separated into two flavors: first- and third-party cyber liability coverage.
The former is what most companies would find adequate. It covers money companies directly spend dealing with an attack, including notifying customers or paying for credit monitoring services. It can even sometimes cover the expense of paying ransom to an extortionist who holds data hostage. If the attack brought the company to a grinding halt, it might help recover some of that lost income, too.
Third-party liability protection is for businesses that have themselves taken an action — or failed to act — leading to a data breach or attack. That sort of coverage pays an insured company’s legal expenses.
Smith said that it sometimes provides a bulwark for regulatory liabilities, which are increasingly costly as governments start to do more to hold the private sector accountable for endangering consumer data. Companies may be asked to bring in a forensic vendor for an investigation, which insurance can now cover. It could potentially protect companies from related fines as well.
“Some countries and states have said it’s against public policy to insure these fines,” she said. “There’s a question of whether the coverage will cover these fines because of that. That’s still a gray area.”
There’s a lot of evolution still to come from this new area of insurance, Smith added.
“But it’s clear that this should be something companies are assessing if they haven’t already,” she said.
Conversation Starter
Reach Maura C. Smith of Riker Danzig at: msmith@riker.com or 973-451-8481.