Cyber Liability Insurance and Common Misconceptions
by Commonwealth Financial Network
You protect your physical assets from an unforeseen event by purchasing health, life, car, property, traveler's, and even pet insurance. But what about protecting your digital assets? In today's world, a cybersecurity breach can devastate your business and harm your reputation, so safeguarding your office from this type of attack is essential.
Many financial advisors have yet to purchase their own cyber liability insurance policy, perhaps believing they don't need one because their RIA–broker/dealer firm will cover them in the event of a breach. But that may not always be the case. Let's review some basics about this type of insurance so that you can determine whether you should purchase it for your office.
Cyber liability insurance helps mitigate risk exposure by offsetting the costs involved with recovering from a cyber-related security attack or breach. Such attacks or breaches might include ransomware, identity theft, or phishing e-mails that lure recipients to click on malicious links or reply to them with sensitive information.
Cyber liability coverage protects your business against third-party claims for the unintentional or unauthorized disclosure of clients' private information resulting from an attack or a breach. You should consider purchasing this insurance if, among other things, you:
- Collect and retain personal information, such as names, addresses, dates of birth, social security numbers, or banking details
- Store your business's data on a computer network
- Advertise your business via electronic media
- Have employees who could fall victim to phishing scams
- Communicate with clients via e-mail, text messages, or social media
- Send or receive documents electronically
Does your RIA–B/D firm have you covered? Maybe. Maybe not. Commonwealth has its own cyber liability insurance policy. If a cyber-related breach were to occur at Commonwealth that affected our advisors' offices, Commonwealth's policy would provide credit monitoring for the affected individuals, as well as cover the following for our advisors:
- Data forensic expenses to determine the root cause of a data breach
- Business interruption coverage costs for loss of income due to a temporary or long-term shutdown of their business after a data breach
- Payment to an extortionist who holds their data hostage or threatens an attack (e.g., in the event of a ransomware attack)
- Notification costs to inform clients that their information has been compromised or exposed
- A public relations campaign to restore their business's reputation after a data breach
- Legal services, including attorney fees associated with state laws, notification procedures, and possible defense costs
Commonwealth's policy would not, however, cover a breach of an advisor's firm that was caused by his or her office. So, be sure you understand what coverage is and is not available through your RIA–B/D.
As I mentioned earlier, many advisors aren't quite sure whether they need cyber liability coverage and whether their general liability policies cover cyber-related issues. Consequently, they don't purchase the coverage they may need. Let's debunk some commonly held misconceptions regarding insurance coverage so that you can assess your current liability.
"My business is too small to be hacked." Have you ever said that to yourself? Well, cyber liability insurance doesn't just provide coverage against hackers. What if you or a member of your staff clicks on a malicious link in a bogus e-mail? Your entire office could become vulnerable to ransomware or a phishing scam. A cyber liability insurance policy would cover your office for human error and for the losses inadvertently caused by you or an employee.
"I'm already covered for cyber risk exposures under my general liability policy." Many small business owners believe this statement, but it's not true. In fact:
- Data is not considered a tangible property and is therefore excluded from coverage under a property policy.
- A computer virus or malware attack that results in a loss of business income is not insurable under a business interruption policy because it does not qualify as a physical loss.
- Extortion, incident response, and regulatory expenses are not covered under a general liability or property policy.
- Damages stemming from the loss or corruption of electronic data are excluded from coverage under a general liability policy.
"I can cover the expense should a breach occur." In some instances, perhaps you could. But do you really know how much a breach would cost you and your business? Consider this. To estimate the potential monetary impact of a cyberbreach, let's take the average cost to compensate for or remedy a data breach ($225 per individual, according to the 2017 Cost of Data Breach Global Study) and multiply it by your number of clients. If you have only 10 clients, that equals just over $2,000. But what if you have 225 clients? That would equal about $50,000! No doubt, that is not an expense that you would want to incur.
Not all cyber liability insurance policies are created equal; they aren't out-of-the-box policies like other types of insurance. You'll want to contact an insurance agent to discuss coverage options, review deductibles, and determine policy limits. Today's market is very diverse, so shop around to find the best policy for your business.
In tomorrow's post, I'll talk more about how to assess your risks, so you know what to look for in a policy.
What's your strategy for protecting your digital assets? Do you have a policy in place to offset the costs of a cyber-related breach or attack? Please share your thoughts with us below.
Commonwealth Financial Network is the nation's largest privately held independent broker/dealer-RIA. This post originally appeared on Commonwealth Independent Advisor, the firm's corporate blog.
Copyright © Commonwealth Financial Network