A growing number of companies ask vendors to buy cyber-liability insurance—and for a tech startup or an independent IT consultant, that cost can put a real dent in the bottom line.
Cyber-liability insurance might include coverage for losses related to denial-of-service attacks, threats to intellectual property, business interruption, cyber extortion, and a variety of security breaches. An advisor such as an attorney or insurance agent can help firms properly assess the type and amount of cyber-liability insurance they might need, according to Veronica Somarriba, senior vice president and worldwide technology manager at the Chubb Group of Insurance Companies in Whitehouse Station, N.J.
“Small tech firms need to know their cyber risk profile,” Somarriba said in an interview with Dice. “Today, it’s not a matter of when a breach will occur, but how do you protect your data when it does.” In other words, this isn’t an issue that smaller tech companies can simply ignore.
Some startups or consultants might opt for passing along those costs to clients, always a problematic proposition when you consider how larger tech companies will often eat such costs in order to keep prices low. “A year ago we might have been able to negotiate it out, but not today,” said Kevin Barnicle, founder and CEO of Controle, an information governance consulting and software company in Oak Brook, Ill. “Many of our larger customers are requiring we have cyber liability insurance… we’re large enough to buy it, but if you’re just starting up, it can be hard to bear.”
Breaking the Bank
For one-person shops, cyber-liability insurance costs are a growing problem. “I could see people having to pass on a project [because of those costs],” Barnicle said.
A tech business or consultant already needs errors and omissions (E&O) and general liability insurance coverage; on top of that, companies must obtain workers’ compensation and healthcare coverage, in addition to other types of business insurance. Adding cyber-liability insurance to that list can prove too much to afford, but the risks of leaving it out of the equation are enormous.
“The problem is most of the breaches are happening at companies with 100 or less employees,” said Dan Weedin, insurance and risk management consultant at Toro Consulting in Seattle. Indeed, despite the press given to the mega-breaches in Corporate America, the majority of cybercrimes take place at smaller companies.
And don’t expect your standard insurance coverage to pick up a cybercrime loss. There are exclusions in general liability policies for cybercrimes and related liability. “It’s still a bit of the Wild West out there, and the cyber world changes dramatically and insurance companies like to err on the side of caution until they can get a handle on the risk,” Weedin said. “The insurance companies are just trying to keep up.” Not paying for cyber-liability coverage, in the meantime, means a startup can lose out on potentially lucrative projects, as many clients won’t contract with a vendor that isn’t adequately covered.
Skimping on Coverage
“The minimum premium for a 5M limit is generally $10,000 or more, depending on the insurance carrier and services provided,” Michael Cavanaugh, assistant vice president and new business team leader at Wayne, Pa.-based Apogee Insurance Group, said in an interview.
For tech professionals, the most cost-effective way to purchase coverage might involve combining “cyber” in the same package as other lines of insurance coverage. Similar to the marketplace for standalone cyber-liability coverage, some carriers offer general liability and business owners’ policies (BOP) that include endorsements for cyber liability. “In the majority of cases these endorsements or add-on coverages are providing minimal coverage,” Cavanaugh said. “As an insurance professional, I would recommend against the limited endorsements, but I also understand that a standalone policy can be expensive.” And such an endorsement might not satisfy a client company, anyway.
What’s Your Cyber-Risk Profile?
The premium for a cyber-liability insurance policy is calculated using a combination of the revenues and services offered; the premiums increase or decrease depending on the limits, breadth of coverage, and carrier chosen. The cyber risk also determines the premium: the more sensitive the data, the more costly the insurance. If security at the tech company is lax, the number goes up, too.