Cyber Insurance and What You Need to Know

In this Tech Tuesday, Dave Hodgdon talks about cyber insurance, what these policies cover, and the key factors that affect the cost and type of cyber insurance policies businesses need.

Why Do Businesses Need Cyber Insurance?

John Maher: Welcome to Tech Tuesday brought to you by PCG, a managed services and security provider in Portsmouth. With me today from PCG is Dave Hodgdon. Welcome, Dave.

Dave Hodgdon: Good afternoon, John. How are you doing today?

John: Good, thanks. So, Dave, today, we’re talking about cyber insurance and what you need to know. So, why does your company and business need cyber insurance?

Dave: Well, John, cyber insurance seems to be the big buzz word over the last two or three years, and we’ve had ours for about five years, but in relation to what’s going on in the cyber world with all the breaches and ransomware, they’re going after your data.

The number one reason you need is to protect your data, because if you lose your data, most likely the percentage, say 85% of businesses, will go out. So, the number one thing is you’ve got to protect your data. You need to have a continuity plan in place knowing how you recover if there was a breach.

So, how are you going to communicate to the media? Do you have the FBI information? Do you have the police information? Is your insurance right? How are you going to let your staff know? Because if there is a breach, at that point, you guys could be just totally down the creek for 1, 3, 5, 10, 20 days. Have you set up a Bitcoin account?

Cyber activity and ransom attacks are doubling every three months. It’s staggering right now, John, and I heard a stat the other day, I was at a security workshop last week, that the cyber criminals with what they’re doing in ransomware is bigger than illegal gambling and all drug activity by 10 times the amount.

John: Wow.

Dave: That’s a staggering number.

How Many Companies Have Cyber Insurance?

John: Yeah, it sure is. Absolutely. So, given that and given how huge it’s growing, how many companies now actually have cyber insurance of some kind in place?

Dave: I’d say less than 25%, John. I would say every week I’m getting contacted by our clients and prospects about reviewing what their current policy is and they’re asking them all these questions that they don’t know how to answer. I’ve noticed a lot of companies, John, have a small rider with minimal coverage and you kind of know, you’ve seen your normal insurance.

We can add this or this to your house for $25, $50 more. You’re really not getting that much. Those riders are pretty minimal coverage. When I ask the question, “What are you paying?” I can tell right away if they’ve got the right coverage or not. It’s not cheap anymore to have cyber insurance. Unfortunately, it’s part of running your business and I see that just going up in price each year. And the problem with those riders, if an event were to happen, you’re pretty much almost going to get zero coverage of what you really want out of that.

How to Determine the Cyber Insurance Coverage a Business Needs

John: Okay. So, what should a business do first to really find out more about cyber insurance and find out what they need in terms of coverage?

Dave: I think every business is different, but I think it really pretty much comes down to doing a risk assessment. Get a baseline of what my business has for data, what I have for security in place. What things do I have in place now? Common things we’re all hearing about today is multi-factor authentication.

Do you have a business continuity plan with a backup? Do you do background checks with your employees? Do you have a secure system in your business for locks and activity? There’s many things you can have in place, but I kind of look at it, the old diagram of the house that when I want to secure my house, it’s just not a lock on the door. It could be a fence. It could be security cameras. It could be motion detectors. It could be putting stickers on my windows that it’s being monitored, but you got to have the baseline of where your gaps and vulnerabilities are.

From there, we’ll run an audit against your existing cyber policy, John, once we have a copy of that. We have an excellent service right now that will audit the current cyber insurance and it’ll actually give us a check-off of what you have or don’t have. Do you have the right coverage? Do you have the right language? Do you have the right services in place? Because ultimately your goal is, if something happened, am I properly protected?

So, to me, when you have insurance on your car or your home, you’re hoping if something happens, you’re covered. There’s nothing worse than the deductible or you think you have it. Oh, you opted not to have that service, John. So, our job is to make sure you’re confident with that. You have the right coverage, you’re paying the right amount and should something happen this is my expectations for potential payout or when I might be able to get back in business.

Types of Cyber Insurance Coverage

John: Are there different types of coverage? If it’s just a matter of these bad actors take down your network or something, and you’re not able to run your business for a certain amount of time? Or is it more like if they’re stealing your customer’s data, your customer’s credit card numbers or something like that? Are there different types of cyber insurance?

Dave: Yeah, that’s a good question. There’s many types of cyber insurance and each carrier kind of does it a little bit differently. Travelers is big. Chubb is big. So, I think a lot of it really depends on your industry, John, of what you’re really trying to protect.

Am I doing a lot of credit card processing? Do I have a lot of what they call P-2 information or personal information? Date of birth, social security numbers, banking, account information. So, your industry could dictate what you’re going to pay for fees, much like your driver’s insurance. Especially young boys and girls at age 16, the insurance is so much higher than a proven driver that doesn’t have much of a history of being a bad driver.

We’re in IT. We’re more expensive to insure. Financial, more expensive to insure. Medical, more expensive to insure. A body shop, not as expensive to insure because there’s not as much vital information in front of them right there. It depends on your revenues too.

What are you really trying to protect? How big of a company am I? What am I actually trying to protect? What’s your required uptime? If I can’t afford any downtime, that you have more stakes in the game. And just like with a managed service provider or anything, you want to get what’s right for you and your business, John. What is the right amount of coverage? And to check off every box in cyber insurance becomes very expensive, but if you do your due diligence and check off, you can do pretty well.

We’ve learned a lot over the years, John. We started, I believe… Yeah, it was a $1,000,000 policy five years ago. Then we converted to $3,000,000 this year for coverage. We’re anticipating it to go to five million because it’s just not us. It’s also our clients and data is the most important thing for us. We’re preaching security and risk assessments.

We’re doing the due diligence on ourselves and these policies have just tripled in cost in the last three years and it’s just amazing what we paid five years ago and what they’re charging today. We hear it in the news. Cyber breaches are very expensive for the insurance provider. They want to make sure that you, the end-user, are following the protocols. So, they’re getting a lot tougher on the questions they’re asking what they want you to sign off on, doing the check that you actually have it. In the past people would just say “Yes, yes, yes,” and sign it. They’re not doing that anymore.

PCG Helps Businesses Assess Their Cyber Insurance Needs

John: So, you said that in terms of the amount that you need to be covered for, it really goes by a lot of different factors. You said revenue and whether or not you have to have your servers be up 24 hours a day, or be up immediately after it goes down or that kind of thing. You help a client to sort of figure out how much it is that they should be covered for?

Dave: Absolutely. A lot of it comes down to your payroll, that if your data is locked, I mean, how much is your payroll going to be per week? Your loss of business. You got to start factoring all those things. So, if you’re shut down for a full week and just do simple math, your payroll is 50,000 a week. You’re shut down for a month. That’s a minimum of 200,000.

Then, the loss revenue could be three, four million during the course of that month. So, a million dollar policy and a three million dollar policy, yeah, it’s a little more money, but you need to think about the big picture. Should something happen, what am I going to have in place to keep me operational? Because without your data, you’re at risk of going out of business.

How PCG Helps Businesses Obtain Cyber Insurance

John: So, how does PCG help me to figure out what the next steps are and to help determine that?

Dave: Well, it’s similar to your home insurance. When you live near the ocean, you have flood insurance. You have that now in place. I think it’s important to look at the key factors. First of all, the type of industry that I’m in, all right? Then you got to kind of look at the revenues that you’re doing per month. Then you got to look at what it’s costing you to operate your business. Then do a check against what you think you’re paying on your cyber insurance.

And the last big step is really doing that risk assessment, John. That’s a detailed step of finding out everything that you have because the risk assessment kind of follows the NIST, which we’ve spoke of in the past. That’s going to give the check box for the cyber insurance that you’re meeting these criteria. And if you check off and you do the signature against that for the insurance company and something happens, you’ve met the criteria that you met the insurance policy.

Learn More

John: All right. Well, that’s really great information, Dave. Thanks again for speaking with me today.

Dave: You got it, John.

John: And for more information, you can call us at 603-431-4121.