The federal Internet Crime Complaint Center received more than 330,000 complaints in a recent year, and more than a third of them were referred to law enforcement. Damages from those matters that reached authorities totaled more than a half billion dollars, and analysts estimate cyber crime costs organizations tens of billions of dollars annually.
With so much business conducted electronically, organizations of all types are vulnerable to theft and corruption of data. It is important to identify loss exposures, consider realistic loss scenarios, and prepare accordingly.
What types of property are vulnerable?
The organization should consider property it owns, leases, or property of others it has in its custody.
Examples
- Money, both the organization’s own funds and funds held as a fiduciary for someone else
- Customer or member lists containing personally identifiable information, account numbers, and other non-public data
- Personnel records
- Medical insurance records
- Bank account information
- Confidential memos and spreadsheets
- E-mail
- Software stored on web servers
Different types of property will be susceptible to various threats, such as embezzlement, extortion, viruses, and theft.
What loss scenarios could occur?
The organization needs to prepare for events such as the following.
- A fire destroys large portions of the computer network, including servers, and operations cease until systems can be replaced and data restored.
- A computer virus infects a workstation and spreads through a workgroup, crippling the department during a peak period.
- The accounting department discovers a pattern of irregular small transfers to an unknown account that, over time, total more than $10,000.
- An outside visitor learns an employee’s password from a note on a monitor; later an offsite computer accesses the human resources database and views Social Security numbers and other sensitive information.
In addition to prevention and response planning, the organization should consider buying a Cyber Liability Insurance policy. Several insurers now offer coverage; although policy language varies, common features include coverage for data damage or destruction, data protection and recovery, business interruption for suspended operations, extra expenses to maintain operations after a data event, data theft, and extortion.
Each company may define these coverages differently, so review terms and conditions carefully. Some carriers also offer specialty crime products such as Crime MountainGuard to address theft and employee dishonesty.
Choosing appropriate limits can be difficult because exposures are hard to measure in advance. Consultation with the organization’s technology staff, insurance agent, and insurer can help assess likely losses and appropriate limits. When comparing options, select a deductible the organization can afford that still provides a meaningful premium reduction, and be sure to compare coverages, exclusions, and sublimits before deciding.
Loss prevention and reduction techniques, together with sound insurance protection, will help an organization recover from a cyber loss event. For specific coverage quotes or to discuss options, consider talk to an agent.
Frequently Asked Questions
What does cyber insurance typically cover?
Policies commonly cover data restoration, business interruption, forensic and notification costs, extortion, and third-party liability for privacy breaches.
How do I choose the right amount of coverage?
Estimate potential costs from data recovery, downtime, legal and notification expenses, and consult technology and insurance professionals to tailor limits.
Will cyber insurance cover employee theft or fraud?
Some cyber policies include theft or fraud limits, but specialized crime policies may be required for employee dishonesty—review policy definitions and exclusions.
What role does the deductible play in cyber policies?
Deductibles reduce premium costs but should be set at a level the organization can afford to pay in the event of a loss.