After our blog post earlier in the month introducing cyber security insurance to our readers, we had quite a response—many readers reached out to us with questions or asked for next steps and to point them to some more resources on the topic.
So, we figured we’d call on a friend of MCG, and the most knowledgeable person we know when it comes to the world of cyber insurance, to answer your questions and get you on the path to protecting your business across the interwebs. That’s Brian Mahon, a certified insurance counselor (CIC) who holds a Cyber COPE Insurance Certification from Chubb and Carnegie Mellon University.
Who better to guide would-be insureds through the paperwork-laden seas of cyber security insurance? We asked him some questions, and as you’ll see, it’s not actually that complicated to get started—but you should know what you’re looking for when you embark.
Mission Cyber Group: Some people have asked if they really need cyber security insurance and if it would be redundant with the general business insurance policies they already have. What protections do businesses already have without a dedicated cyber insurance policy?
Brian Mahon: Honestly, not much. Most businesses have general liability insurance, but those policies are severely limited in what they cover when it comes to digital activity. These policies, what they cover and how they work, were standardized long before the world became largely digital.
Electronic data might be covered to a degree under these policies’ company property protections, but they likely only cover about $10,000 worth—inadequate for nearly every organization on this side of the new millennium. Those policies are designed to protect and replace physical property, and it’s hard for them to be useful when it comes to things like sensitive information and the ramifications of a breach. Cyber liability insurance is focused on the financial loss that can occur from digital events like a hack or a socially engineered attack, and can protect companies in that space better because it was designed with these concerns in mind—it’s not shoehorning new categories of coverage into centuries-old policy buckets.
MCG: So can people get their cyber insurance from the same companies that cover other business insurance policies of theirs—like the liability insurance you mentioned?
BM: They can, but again, I would caution against looking to unspecialized providers to cover what in reality needs to be extremely specialized services. Your local mom-and-pop-owned insurance agencies—you know, the kinds you see football players do commercials for—do a lot of underwriting, so there is some coverage out there to be had. But it won’t be as robust as a standalone cyber liability policy. They’ll likely just endorse your current program, maybe provide some coverage in the tens or a couple hundred thousand, and call it a day after some carvebacks and exclusions.
Watch out for that. I recommend businesses looking into cyber insurance avoid endorsements or add-ons to commercial packages. What you’re really looking for are standalone, built-for-the-digital-world policies. Cyber insurance has been around for only about 20 years, but property insurance has centuries behind it during which companies standardized what is covered, what goes into calculating a premium, and the exact language needed for different situations. Insurance carriers model their policies after ISO forms, but there’s no ISO standard available for them to do the same for cyber liability. In order to be properly covered for the specific cases you’d need cyber insurance for, you want a provider that builds policies specifically for the cyber world, one that understands the nuances of bespoke cyber insurance carrier policy forms and wording.
MCG: Got it. So how does someone know what kind of cyber insurance policy they need?
BM: There are three major coverage categories in a good cyber insurance policy: first-party, third-party, and cyber crime.
If you’re worried about a data breach wreaking havoc on your customers, third-party coverage is where you need to be strong. That provides security breach liability, multimedia and publishing liability (to beef up your copyright protections), and crucially, third-party privacy liability. That last one comes into play in the event that a company releases non-public information (whether it be names, emails, addresses, social security numbers, health records, or more).
If your company doesn’t store private client information, you’re probably looking for first-party coverage. This provides financial loss coverage in the event of a data breach and applies to items that directly affect your business. Cyber-crime coverages are the least common, and not many businesses have any coverage here. If they have a very large cyber policy, they might have an additional bit of coverage in the event of social-engineering and phishing attacks. Good policies out there should include this.
Most policies will come with pre-breach services in addition to post-breach. The former often comes in the form of tools to build a cyber breach response plan, a means of auditing and assessing a company’s cyber risk, and resources to train employees and departments on security best practices.
MCG: What about the post-breach services cyber insurance providers offer? What does that look like in practice?
BM: I’m glad you asked about that, because that’s an area that people often overlook when considering cyber insurance, and it’s huge. Most just think, “oh, if a breach hits me and it causes X dollars of damage, the insurance will cover that amount if it’s within my coverage limit.” But that’s a tiny part of the big picture; it’s not what the reality of a data breach feels like, and it’s not how it will play out.
When a breach happens, you can’t just file a claim and continue business as usual. You have to lock down what you can, notify parties that need to be notified, and start investigating right away. You need to find the vulnerability, and either close it or cut off access to actors that might already be behind your defenses. Do you have customers whose data might have been compromised? You probably have to let them know, too—even if there are thousands or millions of them.
This can take days, weeks, months—and throughout the whole time you’re probably unable to continue business.
A good cyber insurance policy will provide not just the pre-breach tools mentioned above, but an effective “panic button” that can mobilize a lot of responses and services provided by your insurance outfit. It’s essentially a direct emergency help line where your insurance provider will provide you with services like forensic investigators, messaging service providers, experts to help you understand what you are required by law to disclose, and when—and much more.
And very likely, your cyber insurance provider will cover most or all of these services (not to mention business interruption net income and continued expenses, aka NICE, while you’re unable to continue business as usual), as well as coach you through what to do in the aftermath of a breach. It’s an essential, crucial aspect of cyber insurance that people don’t realize they need until it’s too late and they’re scrambling to react.
MCG: Finally, what can businesses who want to apply for cyber insurance do today to make the process as quick and effective as possible?
BM: The application process used to be simple—they’d ask your industry and the size of your company, and then immediately spit out a quote in a few minutes. With claims increasing in both frequency and severity in the last year, it’s hard to find good coverage right now. Not undoable, by any means, but you have to prepare a little bit. Have relevant information ready before you even apply, and get all relevant departments and people on your team involved from the jump—IT, finance, security folks. The application they will send you today is far more in-depth and will look at everything from claim history to your current security controls and policies. If you’re looking for cyber insurance, make sure you have some baseline security protocols in place—most providers won’t want to take a risk on you if you don’t have things like firewalls and multi-factor authentication checks intact. The more you can show that you take cyber security seriously, the better it’ll end up for you and your policy.
MCG: Thank you for speaking with us and helping our readers learn more about cyber insurance!
BM: Thank you for having me! Stay safe out there.
About Brian Mahon
Originally from Wilmington, Delaware, Brian Mahon joined EHD Insurance in Lancaster, PA in 2020. Since graduating from the University of Delaware with a Bachelor of Science in Entrepreneurship and Technology, he has been helping entrepreneurs in the technology and life science industries with proactive risk management and business insurance broking services. Last year he spent over 100 hours obtaining his CCIC Cyber COPE Insurance Certification through Carnegie Mellon University and Chubb. He has outlined his time “insuring Innovation” at https://www.brianmmahon.com/