Does My Business Need Cyber Insurance?

And what does cyber insurance cover?

By Andrew Brandt | Reviewed by Canaan Suitt, J.D. | Last updated on August 22, 2023 | Featuring practical insights from contributing attorney Shawn E. Tuma

According to Shawn Tuma, a data privacy and cybersecurity attorney at Spencer Fane in Plano, Texas, more than 80 percent of his work involves responding to a data breach incident (cyberattack) and then managing it. 

“We meet a lot of clients through this process, and then after getting the incident behind them, they realize they don’t want to go through this again,” he says.

“Usually, you have about three to six months to get something moving, or the feeling is going to wear off. You have a short window.”

5 Steps to Managing Cyber Threats

Tuma and the firm, who work mostly with medium-sized businesses, implement a multi-step plan to help companies manage their cyber risk after a breach has occurred:

  1. Risk assessment;
  2. The strategic planning phase;
  3. Execution of the plan;
  4. Regular reassessment of the risk; and finally:
  5. You start all over.

It’s during the execution phase that Tuma will most likely introduce the idea of a cyber insurance policy to a business owner, a piece of the puzzle he believes every company needs.

What is Cyber Security Insurance?

“Cyber insurance is a very, very important issue for companies to know about. We encourage all of our clients to have it,” he notes, adding that most business insurance coverage plans don’t cover cyber risk. “You need to have a specific policy to cover your cyber and privacy risk, and that needs to be part of your initial incident response planning.”

One of the most important reasons to have cyber liability insurance, according to Tuma, is that it gives a business access to the money it will need to respond quickly to an incident.

“Often, the key to avoiding catastrophic data breaches is responding in a prompt, timely, and effective manner,” he says. “It’s not cheap. Lawyers don’t work for free; the cyber security forensics firms don’t work for free; the Bitcoin people who help you get ransomware payments don’t work for free. Insurance will cover that.”

Among other expenses, a cyber liability insurance policy could also cover costs for:

  • Litigation and legal fees;
  • Forensic investigation firms;
  • Ransomware attack payments;
  • Public relations vendors;
  • Credit monitoring for your customers;
  • Mailing customer notification letters; and
  • Responding to government investigations on customer data breaches and regulatory fines.

There are Many Types of Cyber Insurance Policies

Cyber insurance is a growing part of insurance coverage, and Tuma states that, as of 2019, there are more than 100 different policies written by insurance providers.

“There’s no one standard form,” he adds. “That’s why it’s important that you work with a good insurance agent to get the right coverage for your particular business.”

If your business is looking into cyber insurance, an experienced attorney can get you set up with an appropriate broker and offer practical tips. For example, insurance companies often have their own specific vendor panels set up, so if there are professionals a client wants to work with when a breach happens (a cybersecurity law firm, a public relations firm, etc.), the client will need to make sure those groups or individuals are written into their plan.

“Before they write the check, they need to get those professionals written into their policy,” says Tuma. “When a cyber incident occurs, you need to be executing your response plan immediately, and if you haven’t done this in advance as part of the planning, you’re going to spend the first couple of days trying to figure out what the policy requires and who you can use to do the incident response.

“Sometimes, those vendors cannot be approved. The time you spend going through this process when you should be responding to the incident can be critical.”

“There’s a lot of people trying to sell it, but you’ve got to make sure you’ve got a good broker—someone who truly understands your business risk,” he continues. “At the end of the day, we’ve got to remember that we’re at war. Hackers are at war with companies, and we’ve got to be at war back with them. And that’s not easy.”

Whether you’re the owner of a large or small business, you and your team need to respond quickly to cybercrime incidents. Time is of the essence—and so is having legal expertise. To ensure that your company is prepared and protected against cyber threats, consult with a cybersecurity lawyer about your existing vulnerabilities and strategies.

To learn more about this area of law, see our overview of technology transactions and related legal content.
