IT Business Net published an article by Adam Brouillet on June 21, 2019 highlighting the value of cybersecurity insurance to mitigate costly risk from a data breach or other cybersecurity disaster and providing tips for businesses considering a cybersecurity policy. Whether it’s an email that tricks an employee into clicking a link that subsequently destroys the company’s files or a clever impersonator that manipulates an employee to divulge sensitive information, cybersecurity incidents can trigger a “weeks-long forensic investigation, legal fees, bad press, regulatory investigations and loss of business and goodwill,” Brouillet says. The total price tag? “Maybe $200,000 if you’re lucky, or much more if you’re not.”
Traditional commercial liability insurance policies can be ineffective in covering cybersecurity and data breach costs because their terms may not address cyber concerns specifically enough to cover losses from a breach. “The best way to insure against a cybersecurity attack or data breach is to obtain a comprehensive cybersecurity insurance policy,” says Brouillet.
Ideal cybersecurity insurance will cover the common causes and costs of an incident. Costs can include legal counsel for breach notifications, forensic investigators and a host of other staffing needs to mitigate damages. “Without cybersecurity insurance,” Brouillet cautions, “the company must bear all of these costs itself.”
Cybersecurity insurance can be obtained by purchasing an endorsement to an existing policy or by obtaining a stand-alone policy. Regardless of how cybersecurity insurance is purchased, the policy should specify coverage of the common causes and costs of a breach, and businesses should consider third-party coverage for consequences following the breach.
Common causes to cover:
- Denial-of-service attacks
- Ransomware (extortion)
- Data exfiltration or destruction
- Vendor breach
- Social engineering
- Stolen devices
- Phishing
- Brute-force attacks
- Malware
- Business email compromise
Costs to cover:
- Forensic investigation
- Legal fees
- Notifications to affected individuals, regulators, and others as may be required by law or contract
- Call center to field inquiries from affected individuals
- Mailing vendor to send notification letters
- Credit monitoring for affected individuals
- Public relations campaigns
- Data repair or restoration
- Ransom payments (extortion liability)
- PCI-DSS fines
- Loss of business / business interruption
- Social engineering fraud loss (fraudulent wire instructions)
- Administrative safeguards, such as employee training and creating security and incident response plans
Third-party coverage to include:
- Civil lawsuits
- Regulatory actions and investigations (not every investigation leads to an action)
- Media liability (e.g., unauthorized use of copyright or trademark, defamation, plagiarism)
Brouillet notes, “companies should closely scrutinize their cybersecurity risks, identify hypothetical breach scenarios, and evaluate whether the cybersecurity insurance policy would cover the resulting losses and costs. If not, negotiate with the insurer for a better policy or choose another insurance company.”