Any small business owners or insurance gurus out there who can coach me on the shopping process for cyber insurance?
Our agent has suggested it, and from my googling, it looks like it's a prudent decision for our business. We're consulting with our IT guy, too, of course (who generally is very on top of security stuff). Anyway, there are so many choices as far as level of coverage . . . various companies, etc. First glance is a choice between a cheap ($250/yr) policy vs much more expensive ($2500/yr) (same company, different things included with differing limits as well.) I'm pretty convinced we need coverage, but unsure how to decide how much to invest in it and what exact details we should prioritize.
Can anyone offer any advice on what to look for, what to avoid, etc.?
Background: our company has a couple/few thousand clients, annual revenues around 1.2M, we do take credit cards, but don't store cc info. We do maintain personally identifiable info, but not financial info or SS numbers, etc. We do the PCI compliance thing each year. We have an excellent IT guy and all our data is backed up at least hourly internally but also at least daily in the cloud somewhere. As long as we could still access our backed up data (which we're checking with our IT guy to ensure it is secure from these sorts of attacks), we could likely be up and running enough to operate in 24-48 hours in the worst case that all our computers were disabled, starting fresh with all new computers (run to Best Buy for 1 or 2 to function) and re-downloading our software and data from backups. We could still perform our essential functions even w/o computers for a day or two (have done it once a year or so for some hours at a time when power goes out. It's fine, we just send a bill once the computers are up.) We have full business policy coverage with all the important riders, etc, except this cyber addition that we're now considering details.
Any insights? Thanks!
cyber insurance (small business)
- quantAndHold
- Posts: 10141
- Joined: Thu Sep 17, 2015 10:39 pm
- Location: West Coast
Re: cyber insurance (small business)
This being a business question, it’s gonna get locked, but yes, you need cyber. Cyber is also very hard to get right now, at any price. I would contact an insurance broker, and let them do the shopping for you.
Re: cyber insurance (small business)
Business questions are off-topic for this forum. Topic is locked.
- Founder
- Posts: 11589
- Joined: Fri Feb 23, 2007 12:06 pm
- Location: Chicago
Re: cyber insurance (small business)
Unlocked. A misunderstanding of the forum policies appears to have arisen in the moderating staff. Questions here are on topic as long as they are "directly connected to your (or your friend's or family's) financial life." For small business owners, all of their business financial issues are directly connected to their financial life.
- Posts: 2351
- Joined: Tue Mar 05, 2019 9:29 pm
- Location: Colorado
Re: cyber insurance (small business)
I don't have an answer to your insurance question, but there is a big difference between "we have backups" and "we have backups and have practiced restoring from backups".
Work with your IT person to test your backups if you haven't already so you aren't scrambling when the SHTF. And enforce 2FA on all your internal accounts (corporate email, Slack, whatever you use).
Re: cyber insurance (small business)
How affordable is the greater level of insurance for you? If it's affordable, get it. You mention that your systems contain personally identifiable information (PII). Even if this is not financial information or social security numbers, there are legal ramifications and obligations attendant to the unauthorized access or acquisition of such information. You may have backups, but ransomware has grown from a nuisance to a major calamity over the past few years. Ransomware affiliates now exfiltrate the PII you maintain before locking up your systems to engage in a double-extortion. Short answer, every cyber insurance policy is different, but this is not the place to skimp. Especially since it sounds like you deal with payment card information, you should shop around and get the most comprehensive policy that you can afford.
Re: cyber insurance (small business)
I've been pitched these as well. At a high level, the conclusion I came to, in consultation with IT people is, basically, if you're storing any sort of PII on your own servers (whether it's customers, employees, etc.) you need liability insurance to cover breaches.
Coverage like ransomware coverage often isn't absolutely necessary because there are ways you can significantly minimize risk that tend to not only save money over time, but are also good practices for other reasons, so you should implement them anyway.
Then there's another category that may cover lost profits to the company for stolen proprietary information. One company brought this up but it didn't really apply to us so we didn't really get into any details.
You may also want to make sure your other policies, like D&O policies, cover cyber events (though when I asked about this, every company dismissed it immediately: "yes, no issues on coverage for that").
Made money. Lost money. Learned to stop counting.
Re: cyber insurance (small business)
Speak with your local broker. Ask them to pursue quotes with both Lloyd's companies (which they will obtain by working with one of their wholesale broker partners) as well as with standard US companies (names you will be familiar with). Many brokers won't pursue Lloyd's options because they only earn 10% instead of 15% (the wholesale broker receives the other 5% or more). But many of the Lloyd's companies are offering the broadest terms in cyber. A good trusted local broker will not worry about the extra 5% and just focus on getting you set up well. Ransomware and the costs associated with it are where the bulk of claim dollars come from. Social engineering is another common claim category (i.e., getting tricked into wiring money to the wrong place).