Every week there’s a new headline describing a security breach resulting in the theft of personal information of hundreds, or thousands of victims. Security experts now say that there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked.
Cyber-attacks occur much more frequently than fires, natural disasters, lawsuits or other risks where insurance is considered indispensable. And the potential loss in dollars is just as great. While very few community associations or small businesses carry Cyber Liability insurance, this is changing. “People are recognizing that existing technologies aren’t working”, said Richard A. Clarke, the first cybersecurity czar at the White House, in a New York Times interview. “It’s almost impossible to think of a company that hasn’t been hacked – the Pentagon’s secret network, the White House, JP Morgan – it is pretty obvious that prevention and detection technologies are broken.”
So what’s the potential damage to your organization if your system is breached? First of all there is a great deal of forensic work required to identify the source and manner of the breach, and the identity of potential victims. For a community association, the victims could include owners, board members, employees and vendors. After victims are identified, your organization is required by law to notify them of the breach. All but three states have enacted laws covering the timing and manner of these notifications along with other requirements. Response requirements differ among states so if your owner base is spread out, the effort and cost of notification will be substantial. Since few associations have the knowledge or expertise to deal with this type of crisis, you’ll need to engage the services of one or more professional firms. They’ll be needed to prevent further breaches, assist in structuring the notification language, provide a media response and purchase credit reporting services for potential victims (required by most states).
So far we’ve only discussed the first party expenses. In addition to those expenses you’ll face potential fines and lawsuits from the various state authorities, in addition to lawsuits from individual victims. Defense costs and potential damages, along with the first party expenses required by state law, can reach a staggering number in a short amount of time. Very few small or medium sized organizations could survive such a loss without adequate insurance coverage.
It’s not all doom and gloom, however. Preventative measures and education can be very effective in preventing breaches caused by hackers, disgruntled employees, careless employees victimized by scamming or phishing , or a lost or stolen laptop or other device. Those are the primary causes of a breach, and most of them are preventable.
And of course a Cyber Insurance policy should be part of every organization’s insurance program. This coverage has evolved dramatically over the last few years. It is now widely available and surprisingly affordable, and can be structured to cover all of the expenses discussed in this article. Here are some of the coverage categories you’ll see in a typical Cyber policy:
• Crisis Management Expenses
• Security Breach Remediation
• Notification Expenses
• Computer Restoration Expenses
• Third Party Liability for Security Breaches
• Defense for Suits from Regulatory Agencies
• Communication and Media Liability
• Funds Transfer Fraud
• Business Interruption and Extra Expense
The process of purchasing Cyber insurance can also help eliminate future claims. The coverage application can be somewhat burdensome but it will help identify weaknesses in your cyber security. Insurance experts will provide advice on procedures and practices and assist your organization in developing a comprehensive Cyber Security program. Education is an important component of Cyber Insurance because the carrier would rather help you avoid a claim than pay one on your behalf.
Community associations and small or medium sized companies are at greater risk of a Cyber-attack because they don’t have the resources or expertise to secure their information and prevent access from unwanted sources. You can level that playing field, however, through the purchase of a Cyber Insurance policy from a reputable carrier. Your organization will not only have insurance protection from Cyber-attacks, but will have access to their insurance carrier’s resources to help prevent a breach from ever occurring.