Startups and cybersecurity insurance FAQ

What is cybersecurity insurance?

As I’ve mentioned before, cyber, cybersecurity and similar terms are still unsettled in a number of industries including the legal industry. The insurance industry is also warming up to these types of items and ideas. In essence, cybersecurity insurance or cyber liability insurance is an insurance policy designed to help cover liability and losses that may result from data breaches, cyber attacks, and similar events.

Does my startup need cybersecurity insurance?

YES: if your company is sizable or handling data is a core business practice

NO: if your company just started and you have not established an MVP

Don’t panic about getting cybersecurity insurance on day one. Remember formational issues. This is all a process. Use the sidebar to help you go through the different phases of a business in a systematic way.

What is the difference between D&O, E&O, CGL, and FLI insurance?

Commercial General Liability Insurance (CGL): this is the basic type of insurance policy, and almost every business needs it. It’s the broad policy that covers general business risks, such as bodily injury or property damage on business premises or similar losses arising from business operations. Note that many CGL insurance policies do not cover cyber attacks.

Directors and Officers Liability Insurance (D&O): this is a type of insurance that indemnifies for losses resulting from wrongful acts of directors and officers.

Errors and Omissions Insurance (E&O): this is a type of insurance that protects businesses in the service-providing industry. It focuses on failure to perform, or on financial loss caused by the service or product sold by the policyholder.

Fiduciary Liability Insurance (FLI): this is a type of insurance designed to protect businesses’ and employers’ assets against fiduciary-related claims of mismanagement of a company’s employee benefit plan. If administrators violate the Employee Retirement Income Security Act (ERISA), FLI insurance may be involved.

There are a billion other types of insurance out there. These are just some of the bigger ones. Work with your insurance provider to see what exactly you need for the industry that your startup is in.

What is covered under a cybersecurity insurance policy?

Different items. Don’t think that just because you have “some type of cybersecurity insurance” you’re totally set. You’ll need to do some research into what is appropriate for your type of business. Some types of cybersecurity insurance policies cover data breaches (covering your costs when information is attacked). Others, such as cybersecurity liability insurance, cover costs when the startup is accused of negligently allowing a cyber event that affects a third party.

Additionally, what is covered will vary from policy to policy. One important item to consider is total coverage vs. coverage per incident. Just because you get a million-dollar policy does not mean that if you suffer a breach you can recover $1 million. You have to look at timing issues and the amount per incident under a policy.

You’ll also have to see what is covered vs. what’s not. There may be some types of data breaches or causes of data breaches that won’t be covered under a policy. Check what is excluded under an insurance policy.

Who should I talk to and who should I get insurance from for my startup?

Talk to at least three insurance providers. There are lots of insurance companies out there such as Travelers, CNA, etc. Rates vary wildly, often for the same exact thing, so it is a good idea to shop around. The other important item to remember is that you should get insurance from a reputable company. Don’t reach for the bottom of the barrel. The last thing you need is for some cyber event or data breach to happen and to have a lousy insurance company play games with you.

What is this about privileged communications?

Okay. This is something you may have heard rumblings about. Essentially it is this: your communications with your lawyer are privileged (this means something specific, but for now just think of it as the confidentiality of those communications being protected). However, you can blow that privilege if a certain type of third party is present during that communication. So if you are talking to your lawyer about something very confidential about a particular data breach or other cyber event, the communication’s protections may be blown if a third party (in this case an insurance agent) is present. Work with your lawyer to discuss what kinds of communications are appropriate with an insurance agent.

Can you list the steps to get insurance?

Yes:

  1. talk to insurance providers;

  2. understand how policies work;

  3. decide how much coverage you need;

  4. talk to insurance providers again with a better understanding of all of this;

  5. fill out the application (which may be time-consuming, with a number of technical questions).

How much does coverage cost?

The annoying answer is that it depends. If you’re handling sensitive data and you’re in the health care industry, then the cost will likely be higher. If your company has high revenues and is in the data handling business, then you’ll likely be paying more for coverage because you need that coverage to be adequate.

If policies are too expensive, see what you can do about getting that rate down. Can you deal with having a higher deductible? How much coverage do you actually need? There are ways to play with the numbers to get something appropriate for your startup. And again, talk to more than one insurance provider.