Every company needs insurance — nothing new there. Liability and property coverage are just the costs of doing business.
But what if you get a ransomware threat? Would insurance pay out? Can you even insure against cyber risks? And do you need something called E&O coverage?
“The traditional commercial insurance like property, general liability, auto, umbrella and workers comp are still important,” says Kyle Drumwright, president of Starke Agency of Montgomery.
But cyber coverage is becoming critical in an era when the average ransom payment tops $600,000, according to law firm BakerHostetler’s 2023 Data Security Incident Response Report.
First, the basics.
“Almost every business at least needs general liability coverage,” says Brian Tanner, managing principal at Epic Brokers in Birmingham. And, if they have employees, they need workers’ compensation. If they have automobiles, they need liability and physical damage coverage. He recommends extra limits, also called umbrella policies, and something called executive risk. That covers directors and officers, employment practices and fiduciary coverage. Why? A common example is wrongful termination.
There are three ways to analyze coverage needs, Tanner says — contractual requirements, the company balance sheet and “enough limits so you sleep good at night.”
Two businesses may look very similar on paper, Tanner explains, but one is well managed with a strong balance sheet. The other isn’t.
“The guy whose balance sheet is strong needs to buy more limit than the guy whose balance sheet is weak,” he says. If a lawsuit goes over your insurance limit, someone with substantial assets has “a lot to lose.”
As for determining specifics, insurance brokers can help.
“We consider ourselves risk management consultants,” says Grantland Rice IV, chief administrative officer of Cobbs Allen of Birmingham. “In a lot of cases, we may be telling a client you’re buying too much insurance, or you need to restructure your insurance.”
All businesses need property and casualty/liability, he agrees. Cyber is high on the list. Marine policies can cover goods in transit.
“Sometimes you’re buying insurance the wrong way,” Rice says. “That’s just not something you can do online.”
Cobbs Allen has teams in specific areas like construction, education, real estate, natural resources, health care, manufacturing and distribution.
In incidents like workplace injuries or OSHA citations, Rice says, “We have some great consultants that can come in and navigate those things.”
Insurance professionals can help with general issues, too, like employee retention.
“In a lot of cases the business owner has a problem we can help with,” says Rice. A company might benefit from an improved safety manual or employee training. “How you structure your benefit plan could be driving your problem of keeping workers,” he suggests.
Once past these basics, brokers and agents agree the buzzword is cyber.
“The increase of crime and cyber policies have shown the demand and importance of protecting yourself as we are moving our businesses more digitally,” says Drumwright. “Those types of threats are impacting all businesses regardless of their online presences.”
Costs vary widely and are driven by industry type, he adds.
“If you are in the health care, education or financial services sector you will be paying more for these products,” Drumwright says.
Companies with good internal risk controls have an advantage. “If you are a best practices company, from a cyber security standpoint you can expect to pay in this range — small: $3,500; medium: $7,500; large: $15,000 or more annually.”
Cyber liability insurance can cover costs incurred “to recover from and remediate data breaches, ransomware, computer attacks as well as lost revenue resulting from these incidents,” explains Andy Lott, Birmingham regional president of the Insurance Office of America.
“In addition, cyber insurance covers financial fraud such as funds transfer fraud, and defense and liability related to claims alleging violations of privacy laws and statutes, the propagation of malware, infringement of intellectual property and regulatory proceedings,” he adds.
Cyber insurance is now “a fundamental requirement for businesses looking to protect themselves and their clients from financial losses and reputational damage,” Lott says.
“Nowadays all of my clients buy cyber insurance,” says Tanner. Ransomware is a big threat, even to smaller companies.
“They are easier targets,” he says. “Their systems are less sophisticated.”
In phishing cases, bad guys can hack into a system and just watch for a while, Tanner explains. If they see when a manager is going out of town, they might send the CFO a fake email asking for $5,000 to go to a specified person.
“It’s never a big number. It’s a small number,” he says. “Wire $5,000 bucks here, $10,000 bucks there. It’s amazing how many people fall for that.”
As if basic cyber coverage weren’t enough to worry about, technology providers should consider something called Technology Errors and Omissions insurance, or Tech E&O, Lott adds. That protects against claims of negligence or failure to perform professional duties due to errors, omissions, negligence or product failures within a company’s licensed, sold, manufactured and developed technical products and services, he explains.
Software developers are especially vulnerable to claims arising from customers “that are cyberattack victims due to the exploitation of vulnerabilities embedded in the source code of their technology products,” Lott says.
The bright spot is that cyber liability rates are moderating, Lott says, as carriers get a handle on the true cost of risks. Price increases for coverage seem to be slowing, he says, and better risk management may be reducing losses. But each business’ exposure is unique, so prices vary considerably.
Claims can range from thousands to hundreds of millions of dollars. Often there is no correlation between the records exposed in an incident and the ultimate cost, he says.
“What we can know is that the financial implications of a major cyber incident can be extremely high, especially considering direct costs (incident response, legal costs, notification costs and regulatory fines) and indirect costs (reputational harm and loss of business).”
The impact can be “catastrophic,” Lott says.
Gabe Clement, branch manager of the Byars|Wright Birmingham office, says remote work can add another layer of risk.
“An organization enabling its employees to work remotely may have a significantly higher risk if there aren’t cybersecurity controls in place, especially controls on home networks that leave businesses exposed,” Clement says.
Tanner points out that with cyber coverage, “what you’re really buying is the consultants who help you defend it when it occurs.”
One of his clients clicked on a bad link and was asked for $50,000. Because the right experts came in immediately and rebuilt the system, “they lost one day’s worth of work. That was it.”
“Not all cyber policies are created equal,” notes Rice. “Some don’t cover what people think they cover, which is another reason why people should talk to a person.” Some policies have “sublimits” for things like ransom attacks.
“Your social engineering limit could be significantly lower than your actual limit and people don’t realize it,” Rice says. “You thought you had a million dollars’ worth of coverage and you only had $25,000.”
But, he adds, “Even insurance won’t cover the reputational harm of it.”
Deborah Storey and Art Meripol are freelance contributors to Business Alabama. She is based in Huntsville and he in Birmingham.
This article appears in the September 2023 issue of Business Alabama.