Should I buy cyber insurance?

A friend of mine asked me if he should buy cyber insurance for his business. Whether your need is for a self-hosted/owned, cloud or hybrid infrastructure this is not an easy answer. As I thought about it, I decided this is probably a topic of interest to many financial managers at small to mid-size enterprises. How should you decide this question and who can you seek for legitimate counsel that is qualified to answer this question without having a conflict of interest? I decided I am possibly one of the most qualified people, more so than the insurance broker, and I have no direct interest in the purchase. So here goes….

First some background, my friend owns and operates one of the more notable civil engineering firms in southern California. It is not a huge firm, but it does have about 50 highly skilled and compensated engineering professionals. The firm is well established and I am sure it has a good valuation to protect. I know some of their clients and they are big important entities. If something happen that causes a loss for his clients the ramifications can be really big. This all sets the stage for a serious consideration of additional insurance for cyber losses. Let me point out I am not a lawyer and none of this is intended to be legal advice. This is my analysis based upon my anecdotal experiences of hacks and losses at dozens of other firms over the years. It is also based upon my cyber insurance decision.

First some other disclosures. I decided to make sure that Alvaka Networks has cyber insurance coverage as well as professional liability insurance. The decision to add cyber insurance has been relatively recent in the past few years. Why? Because of the environments we work within, the clients we have, and the highly regulated spaces that many of my clients operate within. We have also recently raised our Professional liability coverage level, but that was mainly driven by the requirements of a large client and over the past few years our clients seem to be getting larger and larger.

So why should my friend buy this additional cyber insurance?

1.       It is not all that expensive. His policy is only $3,350 for a million dollars in coverage.

2.       The deductible is fairly low at $5,000 per incident.

3.       It might make him sleep better at night

4.       It might make his clients sleep better

5.       It might provide some market differentiation from other firms

Why should he not buy cyber insurance?

1.       He is not in a highly regulated industry. We all have an obligation to protect PII, personally identifiable information, but he has less than 100 employees. Assuming he had to buy 50 credit monitoring services for about $100 per year through Costco (and I bet it can be had for much less), he is looking at about $5,000 per year for two years for a total of $10,000. Two years of cyber coverage is about $7,000. If he had many more employees, or handled PII information of his clients or operated within a highly regulated industry the risks would be much greater, but he does not.

2.       There is a form he must attest to as part of the insurance. They require Binding Subjectivities:

a.       Firm will have to sign an application stating the following:

  • Firm has anti-virus software installed and enabled on all desktops, laptops and servers (including database servers) and it is updated on a regular basis.
  • Firm has firewalls installed on all external gateways.
  • Firm regularly backs-up (at least weekly) all critical data and stores the same offsite or in a fire-proof safe or their outsourced service provider meets this requirement.
  • Firm is not aware of any:
    • circumstances, complaints, claims, loss or penalties/fines levied against them in the last five years in relation to the risks the application relates to
    • they are not aware of any circumstance or complaints against them in relation to data protection or security, or any actual security violations or security breaches either currently or in the past five years.

b.      Firm must sign a California Surplus Lines Disclosure Statement. The D-1 statement is a freestanding document notifying the applicant that the insurance he or she is applying to purchase is with an insurer not licensed by the state of California.  Refer to CIC Section 1764.1 for specific wording. 

If he is already doing all of these things, he has mitigated his risks substantially. If he is not doing these things does he not get coverage? If he claims to be doing all these things, but in fact the insurance company later shows that he is not in fact doing them all will they deny coverage? How persnickety they are on this probably hinges on the circumstances, the amount of the loss and how well you negotiate.

The single biggest threat most common to small to mid-size businesses right now is ransomware which is a form of phishing. The best recovery is universally touted as restoring from a good backup. But there is a tricky clause in the cyber insurance coverage limits feature set. It limits, “Telephone Hacking & Phishing Scams $50,000 Each Loss” and it has a $5,000 deductible. A good backup system for a company like his should be budgeted at about $24,000 per year. He has to have something good per the requirements of the insurance. If he has this system his losses per occurrence should be under the $5,000 deductible.

3.       There are some other high dollar limits for other incidents that might occur for him

a.       But it is unlikely he will ever come close to utilizing the upper limits of the policy, especially if he is doing all that the policy requires he should do to protect himself.

b.      As I said, the most likely threat is phishing these days and if he can’t recover it will likely cost multiple times more than the $50,000 limit.

c.       There is $125,000 per day business interruption coverage, but it is not clear from the sale literature if that is subject to the $50k limit… probably not, but if he can’t recover from back-up then I will bet money the business interruption will be much longer than what the coverage will pay for. It might still be a company ending event.

d.      Should the back-ups not be good, it will be cheaper to pay the prevailing ransomware demands, as unpalatable as that is, that range from $300 to a few thousand dollars. I should point out though that I have seen two occurrences of ransom at $17,000 and $50,000, but those are the outliers at this time.

4.        If he reads his current policies, some of the cyber losses are probably covered in small part

So there I present some information for you to consider in weighing your decision. You must consider your risk profile and your appetite to carry risk vs. unloading part of that burden. Please remember the insurance does not completely absolve you of your responsibility to mitigate risk yourself. It is advisable that you do a risk assessment. If you need help doing this I can be of assistance. Or you can go here to look at the NIST Guide for Conducting Risk Assessments if you want some guidance to do it yourself.

Let me know what you think about my arguments pro and con. Many of you have much experience comparing, understanding, buying and utilizing insurance benefits. I am sure you will have some great contributions in the discussion at the very bottom of this page.

 

Below is the anonymized cyber insurance offer letter.