Prevent Your Cyber Insurance from Blindsiding You (Part 1: Limits and Sub-limits)


"I just can't get enough."                                                                                                 - Depeche Mode

Cyber security is without question one of the greatest threats facing businesses in the coming years. This is especially true for manufacturers in the Athletic & Outdoor and Consumer Product industries, who typically have troves of confidential records and information stored electronically. These risks are magnified given the industries’ increased focus on direct-to-consumer sales strategies, which necessarily involve taking and storing confidential customer data such as names, addresses, phone numbers, and bank/credit information.

In addition to practicing good cyber hygiene, it is important for your company to have adequate cyber insurance in the event of a cyberattack or data breach. First-party cyber insurance can help with costs incurred to recover lost or damaged data, notify customers of the breach, credit monitoring services, and public relations. Third-party cyber insurance covers legal defense costs in the event of lawsuits against your company for data breach, settlements and judgments, and regulatory fines and penalties.

Many companies are pretty good about making sure they have some level of cyber insurance in place, but it is astounding how many do not know exactly what specific coverage and exclusions exist in their policies. The increasing likelihood of harm to your company of an attack or breach (especially if you’re a small business), coupled with the catastrophic consequences of those attacks, means buying cyber insurance without fully understanding what you bought is putting a bandage on a bullet wound.

In this first installment, we’ll take a look at the importance of understanding the aggregate limit and sub-limits of your cyber insurance coverage. According to the 2017 Ponemon Institute Cost of Data Breach Study, the average cost of a data breach to a company is as follows: (1) $1.9 million if less than 10,000 records compromised; (2) $2.8 million if 10,000 to 25,000 records compromised; (3) $4.6 million if 25,001 to 50,000 records compromised; and (4) $6.3 million if more than 50,000 records compromised. In the United States, malicious data breaches cost companies an average of $244 per compromised record.

First and foremost, work with IT personnel to assess the size and scope of a potential data breach on your company. Get a handle on the number of research and development records, employee information, business-to-business and individual customer data, and other confidential records and information that could be damaged or stolen. Then go back to your cyber insurance policy and determine whether the aggregate policy limit protects you. If not, you may need to consider more coverage. Many insurance underwriters use benchmarking to determine appropriate limits, which includes cyber insurance. Such benchmarking may not apply to your particular situation and leave you vulnerable to damages well above your limit of coverage.

Next, look at your cyber insurance sub-limits, which are part of and not in addition to your aggregate limit. Your aggregate policy limit is the absolute most an insurance company will pay in the event of a breach, and these sub-limits can dramatically eat away at this overall limit. For example, you may have sub-limits in place for items such as: (1) costs related to computer forensics costs; (2) crisis management and PR costs; (3) customer notification costs; (4) reimbursement of regulatory violations; and (5) fines or assessments related to Payment Card Industry Data Security Standards (PCI DSS), which we will discuss more in the next installment. In the event of a data breach, each of these on its own could significantly erode your overall limit of coverage. If more than one is maxed out—and you then have stare down the barrel of numerous customer lawsuits arising from the data breach—the results could be catastrophic to your company.

In sum, make sure to understand the extent of your company’s exposure in the event of a cyberattack or data breach. Then make sure your cyber insurance aggregate limit and sub-limits are aligned with that exposure. Finally, make sure your employees are practicing good cyber hygiene to minimize the likelihood of an occurrence. As always, we’re here to help.

In Part 2 of this series, we’ll discuss the need to have (and understand) PCI DSS coverage as part of your cyber insurance program, especially if you conduct on-line business.