In today’s connected world, standalone cyber liability insurance offers valuable protection to almost any client, regardless of their business. If your clients have a website, a corporate network, social media accounts and email, or if they store employee, vendor or customer Personally Identifiable Information (PII), they are open to cyber risk. Unfortunately, their traditional property and casualty insurance policies may not adequately protect them.
Let’s take a look at a few cyber loss scenarios that could potentially put one of your clients out of business.
Coverage for Incident Response Fees
When a healthcare organization attached the wrong file to an email, it inadvertently exposed the data of 43,000 former employees, including names, addresses, and national ID numbers. Fortunately, the company had cyber insurance and was able to quickly enlist an incident response coach and legal services to manage regulatory implications. The carrier eventually reimbursed that healthcare provider for nearly $250,000 in incident response fees, defense and settlement costs, notification expenses, and ID monitoring services.
Expanded Coverage for the Internet of Things (IoT)
As IoT devices increase the attack surface, threats like Distributed Denial of Services attacks are also growing more severe. In one case, a data center hosting an online retail company’s website was overwhelmed with network traffic from hacked, connected devices. The retailer’s website crashed, costing over $120,000 in lost sales alone.
Their insurance carrier not only reimbursed the business interruption costs, but also leveraged a panel of expert service providers to help the company subcontract with a new website host and restore full functionality in just six hours. These expenses, estimated at over $27,000, were also covered by the policy, along with incident response costs of more than $36,000.
Dealing With Ransomware
In another example, an employee of a car components manufacturer clicked on a malicious link in an email and downloaded malware to the corporate server, encrypting all information. The attacker demanded nearly $13,000 in Bitcoin. When the manufacturer contacted its insurance carrier, IT forensics teams were brought in to assess the validity of the threat and determine whether the company could avoid paying the ransom.
While the eventual costs to make such a determination overshadowed the actual ransom demand, the FBI, Europol and other government agencies discourage companies from making ransomware payments since it emboldens cybercriminals and may result in a company being repeatedly targeted. Although the insurance carrier was equipped with Bitcoin wallet capability in case paying a ransom becomes the last but best option, in this instance, the company instead paid over $75,000 to the insured to assess their backup capabilities, analyze and contain the malware, and replace lost or corrupted data.
However, if it is determined that paying a ransom is the only viable option, most cyber insurance carriers will cover the extortion demand. When a certain law firm’s network was hacked, sensitive data such as clients’ acquisition targets, prospective patent technology, draft prospectuses, and PII was put at risk. By enlisting their carrier’s incident response coach early in the process, the law firm received practical advice on how to mitigate the event – including determining the data would not be released even if the ransom was paid.
The insurer eventually reimbursed the company for more than $65,000 for crisis negotiation, legal and IT consultant fees, and actual ransom payments, as well as over $255,000 in defense and settlement costs, forensic investigation, call centers, public relations and more.
Media Liability Coverage
A lesser-known coverage is highlighted by a case in which an employee sent an internal email with negative comments about a service provider. The email was circulated externally as well as within the organization, and the provider eventually filed a defamation lawsuit against the company. Under the Media Liability insuring clause of its cyber policy, the company was able to recover over $190,000 in defense and settlement costs, as well as another $40,000 in crisis communication and public relations services.
Cyber Insurance – No Longer Just a “Nice-to-Have” Option
Cyber insurance policies today cover much more than just business interruption costs. As governments enact new privacy legislation, coverage for regulatory and legal fines or settlements, notification costs, public relations expenses, and more have evolved. New protections for media liability, system failure, and supply chain risk have also been introduced. In the modern economy, these are no longer just “nice-to-have” but rather critical business resiliency tools that MSPs can help provision for clients. By leveraging their own solutions to ensure continued compliance with policy conditions, MSPs can be the difference in surviving a cyberattack or data breach.
Ebook: For a deeper look into how you can offer cyber liability insurance services for your clients, download our e-book: The Next Big Growth Opportunity: Compliance for Cyber Liability Insurance.