Cyber Security Insurance

A: That depends on the specific types and coverages a business owner contracts for. We can only give averages based on industry statistics, but insurance requires licensing, and as a Managed IT Services provider, IT Support LA cannot legally give anything that could be construed as a quote – except for items related to the IT support and services industry.

According to a recent report by AdvisorSmith, the average cost of basic cyber insurance in the state of California is $1,430.18 per year, but you need to talk to your Insurance agent, and it would be wise to consult with your IT services provider to sort through policy particulars in terms of types and levels of coverage based on their knowledge of cyber-attack statistics and your own specific vulnerabilities. And make no mistake – even the BEST Managed Services Provider cannot prevent every attack. An untrained employee can read an innocent-looking email and either click a link or open an attachment that unleashes an attack on your system.

A: No – it’s not like automobile insurance, but that does not mean it’s a choice that should be taken lightly. If your company handles client data, from payment/credit cards/banking to personal medical information, the liabilities – both from government penalties and fines and customer litigation - incurred by a Data Breach can put Small and Mid-sized Businesses (SMBs) into bankruptcy. Even if an SMB survives the suits and fines, once word is out that it mishandled and exposed client data, the ensuing damage to its reputation will, for some time at least, severely hinder the company’s growth and expansion goals.

If your company is a government contractor, there are stringent Cybersecurity measures that must be in place. The government requires its own agencies AND contractors to comply with the standards in the Cybersecurity Framework set forth by the National Institute of Standards and Technology (NIST), and strongly encourages its contractors to carry cyber insurance, but does not require it in writing. As to whether insurance could be a factor in the contract bidding processes, it may be – but that is also not in writing. It may be safe to presume that the government does not want its contractors to be sued out of business in the middle of a government funded project.

A: Certainly, and the insurance brokers and carries will be happy to take the money. It is necessary that businesses of almost any size carry it – although, for example, a gardener working out of his or her pickup truck may not need it as much as a sole-proprietor CPA working out of his or her home – the gardener does not deal with Personally Identifiable Information (PII), whereas the CPA most certainly does. Theoretically, no hacker is going to perform a data breach to find out a consumer’s lawn-watering schedule. There’s no call for that on the Dark Web, where valuable data is bought and sold.

A: A few cyber insurance providers will sell directly to the public while most require the purchase through a broker or agent – much the same way you don’t go to the nearest Ford plant for a car - you go to your local dealership. While this practice is not the same as ‘White Label Services’, where a third party sells the original provider’s service under their own ‘label’, using brokers relieves an insurer of the expense and infrastructure of maintaining a retail sales force.

Reinsurance News provides a list of the Top 20 insurance carriers who underwrite cyber risks – some will provide quotes online, but defer to a broker or agent for the purchase, while with some you must contact a broker just to get a quote.

A: There is no blanket answer to this. Just as there are different types of compliances, there are certainly varying levels and types of insurance coverage. In California, coverage of this type only has to do with noncompliance with regulations put forth in the California Consumer Privacy Act (CCPA), which affects general Cybersecurity, whereas different professions such as legal have compliances within their own industry that must be met.

Noncompliance penalties can be quite substantial, ranging from $100 to $750 PER INCIDENT – so if you have a data breach effecting 100 clients, you stand to be fined between $10,000 and $75,000, depending on the severity of the noncompliance, based on a range from an inadvertent error toa willful disregard for regulations.

The business suffering the breach is liable. Even if the breach were to be determined to be the fault of the IT support and services provider, the CCPA will not go after them, or even look at that situation – any remedies or legal action would be between the IT support firm and the business breached.

In the final analysis, go over your policy with your insurer to establish whether noncompliance is covered – and to what degree. This is similar to an automobile accident – insurers will look closely at who caused the accident, and the amount covered may depend on the percentage of culpability assigned to the insured.

A: Some policies may, but Computer Fraud Insurance is a separate category, which insures against losses of either monies or securities through the criminal use of a computer. This sub-category is not new – it has been available for many years under the umbrella of most standard Crime Insurance policies which, in the broadest sense, protects the policy holder from losses resulting from any type of crime committed against them.

If a cyber crook empties your bank account after stealing your legitimate account number and password, many banks will not reimburse you for your loss, and this type of theft is not within the purview of the FDIC. Your only recourse is a Crime or Computer Fraud policy.