By now you've probably heard that Cyber Liability Insurance is the only small business insurance policy designed to address data breach losses. (Did you miss the memo? Check out "Why Your General Liability Insurance Doesn't Cover Data Breaches" and "Once More, with Feeling: Commercial General Liability Insurance Won't Cover Data Breach Liability.")
And because you don't want to be one of the 98 percent of small-business owners who don't have Cyber Insurance, perhaps you're looking into buying your very own policy.
Excellent. There's just one teeny tiny thing you should know: if you provide inaccurate information about your cyber security practices on your insurance application, the mistake could come back to haunt you. Let's take a look at an instance where application inconsistencies resulted in insurers denying Cyber Risk coverage to a nonprofit organization.
Reminder: Cyber Insurance Isn't a Substitute for Cyber Security Practices
According to Business Insurance, a major insurer hopes a judge will agree that it is not required to pay a $4.1 million settlement for Cottage Health Systems' data breach. On paper, it would seem the nonprofit hospital system did everything right:
- The hospital system had the appropriate insurance policy in place (Cyber Liability Insurance).
- The policy has a $10 million limit – more than enough to cover the $4.1 million settlement.
But it appears the organization may have made a mistake long ago when it first applied for the coverage. The report states the nonprofit apparently didn't follow the minimum required security practices it claimed it did on its insurance application. Namely, the organization and its third-party vendors allegedly failed to encrypt patient information, which made the breach possible.
It's doubtful that Cottage Health Systems intentionally fudged the facts on its insurance application. Often, folks who aren't sure about the business's security measures fill out these applications, and they may simply check all the security boxes without much thought.
On the other hand, some organizations may mistakenly think that cyber security practices aren't necessary so long as they have Cyber Insurance. Not true, friends. A Cyber Insurance policy is a last line of defense when your security measures fail.
Another way to think about it: you wouldn't assume your Property Insurance would be enough to keep thieves away, would you? And chances are you wouldn't leave your doors unlocked because your policy can cover stolen property. Instead, you would take the necessary precautions to try to limit claims whenever possible.
Insurers expect you to have a similar attitude when it comes to protecting your digital assets.
Avoid Claim Snafus by Talking to Your Tech Team
As the case above exemplifies, oversights on your insurance application can void your coverage. But how do you avoid making assumptions about your security measures on your application?
Chat with your IT team. If you don't have one, you may want to consider hiring an IT professional to:
- Determine what security measures are currently in place.
- Recommend measures that ensure compliance and meet minimum security standards.
As the saying goes, an ounce of prevention is worth a pound of cure. And in this case, your preventive strategies may ensure your coverage applies when you do need to file a claim.
For some starter cyber security tips, read "The #1 Reason to Update Your Software Today."