What is Cyber Insurance and Do I Need It? A Q&A with Marvin Bushey
By Kara Cook
We’ve talked before on our blog about wire fraud and, unfortunately, it is such a big issue that we are delving into it again, this time looking at how we can best protect our business through insurance. We know that creating an Internet Security Plan and getting the right tools in place to prevent cyber-attacks is an absolute must. Obtaining cyber insurance is a critical step to ensure comprehensive protection. We sat down with our resident insurance guru, Marvin Bushey, to get the inside track on this specialized type of insurance.
KC: Is cyber insurance something new?
MB*: Cyber insurance has been around for a while but is definitely becoming more prevalent as cyber-attacks increase at an alarming rate. Companies are becoming more and more aware of the growing threat and are proactively getting protection. Increasingly, clients now require proof of cyber insurance policies just like they would require general or professional liability before commencing a working relationship. Proof of insurance is typically required before transacting any business and renewals are requested annually.
KC: What exactly is cyber insurance?
MB: Cyber insurance is a type of policy that covers businesses and individuals against internet-based liability and risks. Basically, it protects you against fees and lawsuits and minimizes impact on business operations should a cyber-attack occur. There are two types of coverage: first-party and third-party. First-party covers direct losses to a business or individual; third-party coverage extends to claims by customers.
Depending on your insurance provider, coverage may differ, but some general coverage areas include data breaches, identity theft and personal data theft. Coverage may also extend to scenarios like business interruption, extortion, or forensic investigation to sleuth out an attack’s cause and impact. Policies also typically aid with public relations and crisis management fees that may be necessary to manage damage to the company’s reputation.
Traditional commercial general liability policies typically do not include cyber risks. So, even if you add an endorsement to the policy to cover cyber risks, it is usually not enough coverage as the allowed limits are very low. A separate cyber policy is highly recommended especially with hackers getting more and more adept at accessing information. In addition to cyber insurance, most businesses should also obtain a crime policy that covers some instances that may not be listed in the cyber policy.
KC: Who needs this type of insurance?
MB: Any company that handles any type of personally identifiable information (PII) should have cyber insurance. Social Security numbers, credit and debit card numbers, bank account information, and driver's license numbers are exactly what cyber criminals are seeking. The attacks on large companies are increasingly (and unfortunately) regular, but these criminals target small businesses too; however, most small businesses are not typically in a position to handle the financial repercussions of a data breach and/or cyber-attack. This is where cyber insurance steps in to cover some of the biggest expenses.
KC: Wire fraud is one of the most common types of cyber-attacks in the real estate industry especially. Is wire fraud covered by cyber policies?
MB: Yes and no. Most policies I see do cover wire fraud, but the key is to determine whether the coverage applies to specific perpetrators of the crime. For example, most policies would cover wire fraud if it occurred due to employee negligence. If a disgruntled employee purposefully stole money via a wire transfer, this type of theft would more likely be covered under a crime policy. Wire fraud perpetrated via social engineering, one of the biggest issues today, is generally covered by both cyber and crime policies but typically only applies to first-party expenses.
KC: What is social engineering?
MB: When an attacker manipulates the victim into performing acts or divulging confidential information, that’s called social engineering. The most common types of attacks are baiting, phishing and pretexting scams. The best way to ensure coverage for a social engineering breach is to add an endorsement to a crime or cyber policy.
Unfortunately, coverage for social engineering is typically only triggered when financial loss is sustained by the party making the payment based on the fraudulent information. Since companies such as real estate brokerages are usually not the party transferring the funds (usually the buyer), the social engineering insurance currently available in the market will not offer protection if they are sued for a third-party loss.
KC: Can you give me an example?
MB: Sure, a common scenario involves a buyer wiring closing funds to the incorrect bank account after a hacker sends them fraudulent wiring instructions using a realtor or law firm’s hijacked email. In this example, the social engineering coverage of the realtor or law firm would not be triggered because it was a third-party loss (the buyer).
KC: Wow, this seems pretty grim. Any daylight at the end of the tunnel?
MB: Again, yes and no. While I do expect insurance coverage solutions to change and evolve to keep up with demand for these cyber fraud events, companies of all sizes are increasingly exposed. The best way to safeguard yourself is to research the risks and match the types of insurance providers and plans that are a best fit. You should pay close attention to individual nuances and ensure the policy wording matches specific cyber exposure concerns.
And of course, discuss exact policy details and wording with your agent and ask as many questions as it takes to ensure you are comfortable you have minimized your business risk for specific cyber exposures.
Marvin is the owner of The Bushey Agency, a local independent insurance agency in Atlanta offering personal, commercial, life and health policies. If you would like additional information on cyber-insurance or have any other insurance-related questions, you can reach Marvin at Marvin@busheyagency.com.
*Comments in the Q&A are in no way, shape or form intended as insurance planning advice. Consult your agent for your own insurance planning needs.