With the increased number, variety, and intensity of cyberattacks around the world, businesses large and small are seeking protection with insurance to help mitigate the risks of doing business in the world of technology.  The discussion surrounding cyberinsurance often comes to the fore when large-scale security breaches happen like with Target in 2013, Sony in 2014, or Equifax in 2017, among many others.  Oftentimes, these breaches cost their respective companies millions of dollars in dealing with the aftermath.  In order to better protect your business, cyberinsurance may be a good option to consider.

According to a 2018 Symantec study on cyber-attacks, 528 organizations in the United States faced targeted cyberattacks in 2017.  Further, the study listed the United States as the top victim of targeted cyber-attacks.  Symantec also lists small businesses as one of the largest targets for malware within emails.  The study details that the majority of the hacking is for information gathering purposes, thus exposing a business’s customers and clients to risks if the business stores information in a way that makes it accessible to breach.  With threats growing, courts in Pennsylvania have begun to allocate the risks of breach to employers and businesses.

Specifically, Pennsylvania has begun to impose liability on businesses that do not adequately protect their customers’ and employees’ information.  Such information could include social security numbers, addresses, phone numbers, credit card numbers, and any other personal identifying information that a business may store.  Pennsylvania courts impose a duty of reasonable care on businesses, asking whether the means used to protect personal information were appropriate and reasonable under the circumstances.  As such, courts will likely need to undertake a fact-intensive review of a business’s overall risk-management plan.  The more detailed and well-tailored the plan to the business, the less likely liability will be imposed.  For more information on what Pennsylvania is doing to push companies to create and utilize cybersecurity measures to counteract cyberattacks, see What Businesses Need to Know about Protecting Employees’ Personal Information.

Cyberinsurance is a growing segment of the insurance market to help businesses defray the costs of the increasingly common cyber-attack.  It can be considered one important piece of an overall risk management strategy for dealing with cyberattacks.  Generally, there are two types of coverage available: first-party and third-party.  First-party coverage includes expenses specific to the business, like legal fees, system repairs, lost profits, and public relations after a breach.  Third-party coverage includes collateral damage arising from the breach affecting individuals outside of the business, such as clients or customers whose personal information may have been compromised.  It is typically recommended that businesses purchase both forms of coverage to ensure that all bases are covered in the event of a potential cyber-attack.  Policies can also cover things like forensic investigations after a breach or costs to provide requirednotifications to affected customers or clients.

There are a variety of policies, coverage levels, and rates available since many insurance companies have not created standard-form policies yet.  This is mostly because the risk-assessment is so specific to individual businesses based on the type of information being handled or stored.  Premiums are often determined after an evaluation of a business’s current cybersecurity systems, risk-management plan in the event of cyber-attacks, and the overall risk level involved with the business’s operation.  Many insurance companies expect that businesses and their employees understand the risks of a security breach and are able to recognize security threats, such as phishing emails, as they arise.  Similarly, it is often expected that employees will not contribute to a potential breach by inadvertently downloading a virus or introducing malware to the company’s systems.  An insurance policy may exempt coverage for these occurrences.

Much like a safe-driver discount for car insurance, some insurance providers will incentivize businesses that are well-versed in their cyber risk profile and have well-established cyber-security measures and training programs in place to prevent their employees from accidentally causing a breach.  Threat assessments or ethical hackers (individuals hired to hack a business’s information to expose weaknesses for the business) can help diagnose risks or flaws in current security systems, but these services are often cost-prohibitive for a small business.  Instead, small businesses can invest in threat assessment programs or perform an initial self-diagnosis by analyzing what kinds of data the business stores, the level of risk associated with where and how the information is stored, and what the potential consequences of a breach might be.  Getting the ball rolling by starting to think about these issues and implement plans can make a conversation with a cybersecurity provider more productive and might eventually save your business some money on insurance premiums as well.

Businesses, large and small, are encouraged to consider investing in cyberliability insurance to help protect themselves in the event of a large-scale breach that can end up being incredibly costly to the business and its clients and customers.  Businesses are cautioned to evaluate the various plans carefully to ensure the protections being offered match the risk assessed and that the plan will help if needed.  It is advised to consult an insurance agent to discuss the plans available and what will best suit your business.

With contribution from Sarah Rothermel, J.D. Widener Law Commonwealth.