(Remember when they ask if you wanted 'annuder budder cookie???) Each of the last two years I have taught Cyber Security at Scaling New Heights. Many in attendance reported in their participant surveys that my class “scared the ‘you know what’” out of them. Many people reported that it was scary because of the topics themselves, like the rise in the number of malware variants in just one year, or the significant increase in ‘Ransomware’ attacks in 2017 alone. Others were alarmed by the fact that more 'Mac' attacks were being reported than ever before or that more than 24-thousand malware attacks were occurring on a 'daily basis'.
Others in attendance indicated that their concerns arose out of statistics showing that even the best and most sophisticated of efforts to thwart cyber attacks had little if any real effect upon stopping major invasions like phishing, spear phishing, whaling, pharming, ransomware, viruses, worms, trojans, key-loggers, browser emulators, and such. They felt they had no defense at all.
Well, preparation against Cyber-attack can mean a lot more than anti-virus and cyber-security software; it can even mean more than a virtual private network and hardware firewall. In fact, it goes well beyond local, external, off-premise and disaster recovery backups at your finger-tips.
I don't really care what your Cyber-security consultant has checked in the way of your system; what I want to know is what you have in place in the way of Cyber Risk Coverage. You see, Cyber-attack is a threat against not only your data, but your business as a whole, and without proper Cyber Risk Coverage you could easily find yourself not only out-of-business but 'in court'.
That's why a lot of people rushed from my Cyber Security presentations at Scaling New Heights to the only Cyber-crime Insurance Coverage Provider exhibiting at the conference, the Herbert H. Landy Insurance Agency, to find out what coverage they offered. But this article isn't really an article about Landy Insurance, as most ProAdvisors know them. This article is about Cyber Risk Coverage, and giving you the gift of 'an assessment tool' whereby you can determine if you are in fact covered in the event of a Cyber attack. In other words, you can think of this article as unwrapping one of those 'stacked sets of boxes' of different sizes, each with something that makes the total package better as it goes along.
You see, like most small to medium businesses, you may think that your General Liability Insurance Policy will provide ample coverage in the event of a cyber attack, even in the event of ‘data compromise’, but chances are it doesn’t. Almost every business has something ‘within their data’ that is worth stealing by a cyber attacker. It may be your employees’ social security numbers, or your vendor’s tax-ID numbers. It could be your bank accounts or your merchant services ID. Worse yet, it might be your customers' credit card numbers.
If you don’t have Cyber Risk Coverage in the form of either a separate insurance policy, or comprehensive ‘rider’ to your General Liability Policy, you need to get it as soon as possible because General Liability Coverage DOES NOT cover these risks. When looking for Cyber Risk Coverage, the following are the minimum protections your policy should provide. [Note: We have not attempted to include any reference to ‘coverage (dollar) limits’ because such limits should conform to your company’s exact needs based upon your financial exposures.]
What you want is to 'add up the little benefits inside each box' to make your overall cyber risk policy the best it can be to fit your specific needs in the amount that suits you best.
Business Interruption coverage – loss of profits and extra expenses incurred as a result of total or partial computer outage or disruption caused by a cyber incident resulting from an administrative, privacy or security error. When you can't do business because you lose your computer records, what are you going to do for income? How are you going to service your clients? How are you going to pay your vendors and how are you going to handle your payroll?
Contingent Business Interruption coverage - loss of profits and extra expenses incurred as a result of total or partial interruption or degradation in service arising between your company and any outsourced service provider’s computer hardware, service, or software-as-a-service including any outage or disruption caused by a cyber incident resulting from an administrative, privacy or security error. This works hand-in-hand with Business Interruption coverage, especially when your services are contingent upon a 3rd-party who is the middle-man in providing your essential services to your customers, between you and your vendors, or even as part of a global supply-chain operation.
Cyber Extortion coverage – extortion payments (commonly known as ‘ransom’) as a result of any cyber extortion threat (commonly known as ‘ransomware’ attack) or any other extortion mechanism involving threat against your computer hardware, software, or data, including any hardware, service, or software-as-a-service operated by any outsourced service provider. In some cases paying the ransom is the cheap way to get your data out. There is just one problem: you don't have the funds to make the extortion payment; the ransom is just too high. On the other hand, you can't afford the data experts to attempt a recovery 'any other way'. What will you do?
Data Restoration coverage – costs to repair or restore damaged or destroyed digital assets caused by any cyber incident resulting from administrative, privacy or security error. Data recovery and restoration can be (is most likely) one of the most costly forms of data work there is...many data experts charge tens-to-hundreds-of-thousands of dollars just to clean a disk and decrypt a drive. Almost no SMB can afford such technology without cyber risk coverage that includes this specific provision.
Incident Response coverage – costs incurred to manage any cyber incident resulting from administrative, privacy or security error, including IT forensics, legal guidance, resolution-mitigation, crisis communications, notification and monitoring. Do you even know what experts to call in the event of a cyber incident? Oh sure, you think your local IT guy who works out of his garage is 'the expert', but what the heck does he really know about 'forensics' and 'crisis mitigation'? Do you trust him to tell you who to call and how to report the fact that 1000's of records containing customer information have been breached? A comprehensive cyber risk policy will offer a cyber response 'hotline' with incident response services.
As I said, this really is just the start of the services that should be included as part of a comprehensive cyber risk insurance policy. My suggestion is that you shop around for coverage, but I would start by contacting the Herbert H. Landy Insurance Agency and asking them about their Cybercrime Coverage options. Remember not only have they been a family owned and operated business for more than 68 years, but they are also a sponsor of our ProAdvisor of the Year and Top 100 ProAdvisor Awards.
Once you get 'one quote' then you really have something to compare as you continue to shop around...just don't shop around too long because the mean old 'Cyber Grinch' could be lurking at your door just waiting to steal your 'cookies' (and I don't mean the kind that have chocolate chips.)
Publisher's disclosure: While this content is not a sponsored article or paid advertising, the URLs provided within this article may in fact be associated with paid promotional advertising displayed on this website, or linked therefrom. The Herbert H. Landy Insurance Agency is also a contributing sponsor of Insightful Accountant's ProAdvisor of the Year and Top 100 ProAdvisor Awards for 2019.