Start-ups can mitigate cyber crime risks with insurance
Cyber-liability insurance policies can compensate an entrepreneur for the losses caused to him directly and also for liability arising due to a suit filed by a third party
Businesses, both small and big, are increasingly shifting their processes and transactions online. The heavy dependence on the internet, however, comes with its own risks in the form of cyber crimes. Besides taking cyber security measures, fledgling entrepreneurs, start-ups and small businesses in particular need to purchase cyber-liability insurance to mitigate the risk from cyber crimes. The threat: Today, both individuals and businesses live in perpetual fear that whatever they have kept online could be stolen, hacked, damaged or wiped off. Besides damaging a web site or stealing data, hackers can also lock down your system and demand a ransom for allowing you access to it. Sometimes they also sell the hacked data to other members of their network.
Organisations in the Banking and Financial Services Industry (BFSI) should be especially wary of this threat. Cyber criminals tend to target this sector because it manages billions of financial records and transactions that are stored in computer servers across the globe. Financial details stored in these servers include credit and debit card information, date of birth, permanent account number (frequently used for the purpose of verification), bank account numbers, bank transactions, investment-related information, and other sensitive data such as court records and tax returns.
Besides financial losses, cyber breaches can also result in legal cases and damages to the brand equity of the organisations affected. What is covered: Businesses, especially the smaller ones that are still in the process of finding their feet, can mitigate the risks arising from such crimes by opting for cyber-liability insurance. This policy covers firstparty costs arising directly out of a data breach and theft (like rebuilding the lost database), dealing with the demand for ransom, costs related to handling the breach including data monitoring and notification, and business interruption due to network disruption.
This insurance also covers the insured organisation for legal liability against a civil suit filed by a third party claiming damages arising out of the loss of data or information (where the insured party has an obligation to preserve and maintain the safety of the data). Remember that the third party may file a suit for any amount that it deems appropriate. The policy will compensate the third party for its loss of data or compromise of information assets at the hands of the insured organisation.
Businesses, both small and big, belonging to sectors such as hospitality, health care, information technology (IT) and allied services, and pharma research are all buying this insurance cover these days. Buy add-on covers, if need be: The policy comes with a variety of add-on covers and extensions. These include brand value impairment cost, cover for the damage caused to reputation due to data theft or breach incidents, multimedia liability, hiring of specialist agencies to negotiate for ransom demands, cyber forensic investigations, costs incurred on defence against regulatory investigation, costs incurred during the first 48 hours of a breach of data security without prior consent of the insurer, punitive or exemplary damages (where insurable by law), and cyber terrorism.
The above list of extensions is only indicative and not exhaustive. The client’s broker usually negotiates with the insurer, depending on the client’s risk profile, attitude towards risk mitigation, and the premium rates he can afford. Determining the premium: The premium is not dependent on the number of servers or computers. A number of risk factors and underwriting considerations are taken into account for developing the terms for a client.
For instance, the sector in which the business operates is vital. Sectors like software, IT, banking, financial institutions, insurance, health care, hospitality, pharma, etc, are regarded as sensitive by underwriters. The territory of operation also matters. If coverage is limited to India, the premium rate is cheaper, while if it is worldwide, including the US and Canada, it is higher.
If the company already has certain risk mitigation mechanisms in place, that will help reduce the premium. IT security standards or certifications of the customer (such as ISO 27,000) are also taken into consideration. Insurers also take into account past incidents where losses were inccurred, and whether they were insured. Based on the above risk parameters and underwriting considerations, the premium rates are quoted and then negotiated by the client or their broker.
Depending on the factors mentioned above, the premium can range from 0.50 per cent to 1.50 per cent of the sum assured. The terms of the policy are customised and the premium rates quoted are also unique for each customer.
The premium level also varies depending on the sum insured. It will also depend on the amount of deductible that the insured opts for. Deductible is the portion of any claim that the insured has to bear. If the deductible is low, the premium is higher. If a customer opts for a higher deductible, his premium rate gets reduced.
In the past, databases of Target and Sony Playstation in the US, and Talktalk in the UK have been breached, while only a few months ago we had the massive debit cardrelated breach in India. Thus, the risk of cyber security is a real danger. By investing in the insurance, entrepreneurs, start-ups and small businesses can purchase a measure of protection against this risk.