Does My Business Need Cyber Insurance?
And what does cyber insurance cover?
on October 31, 2019
Updated on April 21, 2022
According to Shawn Tuma, a data privacy and cybersecurity attorney at Spencer Fane in Plano, Texas, more than 80 percent of his work involves responding to a data breach incident and then managing it.
“We meet a lot of clients through this process, and then after getting the incident behind them, they realize they don’t want to go through this again,” he says. “Usually, you have about three to six months to get something moving, or the feeling is going to wear off. You have a short window.”
Tuma and the firm, who work mostly with mid-size companies, implement a multi-step plan to help companies manage their cyber risk once a breach has been contained and managed. The first step is a risk assessment and the second a strategic planning phase, followed by execution of the plan and regular reassessment of the risk, after which the cycle starts over. It’s during the execution phase that Tuma will most likely introduce the idea of cyber insurance, a piece of the puzzle he believes every company needs. “Cyber insurance is a very, very important issue for companies to know about. We encourage all of our clients to have it,” he notes, adding that most business insurance coverage plans don’t cover cyber risk. “You need to have a specific policy to cover your cyber and privacy risk, and that needs to be part of your initial incident response planning.”
One of the most important reasons to have cyber insurance, according to Tuma, is that it gives a business access to the money it will need to respond quickly to an incident. “The key to avoiding catastrophic data breaches, many times, is responding in a prompt, timely and effective manner,” he says. “It’s not cheap. I don’t work for free, the cyber security forensics firms don’t work for free, the bitcoin people who help you get ransomware payments don’t work for free. Insurance will cover that.”
Among other expenses, cyber insurance could also cover costs for:
- Forensic investigations firms
- Ransomware payments
- Public relations vendors
- Credit monitoring for your customers
- Responding to governmental investigations
- Mailing breach notification letters
Cyber insurance is a growing part of insurance coverage, and Tuma states that, as of 2019, there are more than 100 different policies written by carriers. “There’s no one standard form,” he adds. “That’s why it’s important that you work with a good broker to get the right coverage for your particular business.” If your business is looking into cyber insurance, an experienced attorney can get you set up with an appropriate broker. They can also offer tips. For example, carriers often have their own specific vendor panels set up, so if there are professionals a client wants to work with when a breach happens—a cybersecurity law firm, a public relations firm, etc.—the client will need to make sure those groups or individuals are written into their plan.
“Before they write the check, they need to get those professionals written into their policy,” says Tuma. “When an incident occurs, you need to be executing your response plan immediately, and if you haven’t done this in advance as part of the planning, you’re going to spend the first couple days trying to figure out what the policy requires and who you can use to do the incident response. Sometimes, those vendors cannot be approved. The time you spend going through this process when you should be responding to the incident can be critical.”
“There’s a lot of people trying to sell it, but you’ve got to make sure you’ve got a good broker—who truly understands your business risk,” he continues. “At the end of the day, we’ve got to remember that we’re at war. Hackers are at war with companies, and we’ve got to be at war back with them. And that’s not easy.”