When a data breach hits you or one of your clients, Cyber Liability Insurance is the policy most likely to come to the rescue. But Cyber Liability Insurance (also known as Cyber Risk Insurance and Data Breach Insurance) may be the most misunderstood insurance policy out there. And that kind of makes sense.
First of all, there’s lots of confusion about data security, which you know all too well if you’ve ever heard a news anchor try to explain what caused the latest mega breach. Secondly, Cyber Risk Insurance is one of the newest offerings in the insurance game, which means most business are unfamiliar with it.
In fact, before we can talk about this coverage, we need to take a step back to explain that there are actually two different Cyber Risk Insurance policies:
For most small IT businesses, third-party Cyber Liability Insurance is more important. The good news: most of the Professional Liability Insurance policies we sell have third-party Cyber baked in.
So: does your business have first-party or third-party cyber risks? Here’s a summary of what each looks like:
First-party: The risk that your own computers and systems will be compromised (or that your data will be breached). Anyone who stores a lot of customer data (credit card numbers, emails, phone numbers) is a potential target for a breach incident, whether it’s a hack, misplaced thumb drive, or unsecured email with a sensitive attachment.
Third-party: The risk that your clients’ systems will be compromised (or that their data will be breached). If your job description includes maintaining, hosting, or manipulating clients’ data, you have the potential to cause, enable, or fail to prevent a breach.
For the smaller IT businesses, freelancers, and independent contractors we most often work with, third-party risk is far more common. That is, it’s fairly common for our customers to work with lots of client data, but less common for them to have lots of data on their own clients. (The notable exceptions are data miners, business intelligence consultants, and database administrators.)
The good news, as we mentioned above, is that most Professional Liability Insurance policies we sell include coverage for third-party Cyber Liability. To be sure your exposures are covered, though, it’s always wise to double-check with your agent whether your policy offers this protection.
Because first-party Cyber Liability Insurance covers the cost of breaches to your own network (and the cost to clean them up), it may help pay for:
Let’s take a minute to break that down. Say you’re working on an in-house directory for a corporate client. You’ve got information for thousands of company employees and you’re excited about the wireframe you’ve developed. Unfortunately, biking home from the office, the flash drive you back everything up on falls out of a hole in your computer bag.
Even if nobody ever picks up the drive and plugs it in, this counts as a breach. You have to notify your client and they want you to pay for credit monitoring for every employee whose info was on the drive. A first-party Cyber policy could handle those costs.
In addition to unfortunate mishaps like this, hacks, insider data breaches, ransomware attacks, software malfunctions, and improper configurations can all leave your data exposed. They can also likely be covered under your first-party policy.
Time to switch gears: third-party Cyber Insurance. As we’ve pointed out, this is the coverage that protects you in the event your clients’ data is compromised, not your own. When that happens and a client sues you, third-party coverage can pay for…
Third-party Cyber Liability is typically included in an IT professional’s Professional Liability Insurance, which covers many other tech-related liabilities and lawsuits.
The way you’re exposed to cyber liability depends on work you do. For example:
Developers. Software developers can be liable for faulty code that is susceptible to cyber attacks, programs without proper security measures, and compromises that occur because of mistakes they make while working at a client’s office or on a client’s network.
Consultants. Unfortunately, consultants can be liable for security even if they didn’t create the IT solution that was compromised. Merely recommending an IT product can make you liable. So if you advise a client to switch to an SaaS solution and the cloud-based data is compromised, a client could blame you.
Project Managers. As a project manager, remember that “stuff” sometimes rolls uphill, too. If your subcontractor makes a mistake that leads to a data breach, the client could sue you. Mistakes by the people you manage can end up costing you.