Written by Heather Cole on April 15th, 2021
Last week we discussed how the world is changing and as a result the CFO’s office needs to get more active and increase their knowledge of cybersecurity. Here’s the link to last week’s blog. We learned that Cybersecurity is the protection of internet-connected systems such as hardware, software, and data from cyberthreats and that this can take many forms. We challenged you to meet with your CISO and CIO and have a risk assessment evaluation. Today we will discuss what CFO’s need to know about cybersecurity insurance.
It is important to know that we believe prevention is the best medicine when it comes to cybersecurity threats, but insurance is your backup plan.
Two Forms of Cybersecurity Insurance
1. First-Party Cyber Liability Insurance
The first and most common policy every CFO must be familiar with is the First-Party Cyber liability insurance policy. First-Party Cyber liability insurance protects against data breaches at your company on your own systems. This will protect you if someone hacks into your network or you are a victim of ransomware. It typically pays for the costs of:
- Investigating the breach
- Notifying customers and regulators
- Managing the ensuing crisis
- Providing credit monitoring to affected individuals
- Public relations and reputational costs
Cyber liability insurance also can pay for customer claims resulting from the theft or breach of customer data on your network. So, you should see if you can add a First-Party Cyber liability insurance to your general liability insurance or business owner's policy.
2. 3rd Party Cyber Insurance is in addition to E&O
At Lodestar Solutions we recommend all clients take their cyber insurance requirements a step further. We believe you should ensure that your 3rd party technology consultants also carry Cyber Insurance! Yes, you should put the requirement for cyber insurance in your agreements with your consultants.
Make your consultants carry Cyber Insurance!
I am always shocked when clients provide Lodestar Solutions with their standard services contract before an engagement, and it has insurance requirements for general liability but nothing requiring their consultant’s firm carry cyber security insurance.
Errors & Omissions Insurance
It is important to know that Errors and Omission (E&O) is different than a Cyber Liability policy. Typically, a technology E&O protects the consulting firm when their client is harmed. For example, if the consultant makes a mistake or forgets to do a critical task that hurts a client financially. These mistakes can range from recommending inappropriate technology to failing to meet project deadlines. When a client sues to recover losses, technology E&O insurance will pay for a firm’s legal expenses, including:
- Attorney's fees
- Court costs
- Money paid to settle a lawsuit
- Legal judgments (what a judge or jury orders you to pay)
- Related costs, such as court and expert witness fees
3rd Party Cyber Insurance
It is important to know that an additional 3rd party cyber insurance policy may be needed by the consulting firm to provide protection when the client is harmed by a cyber breach of their system which originated from the negligence of the consultant.
Imagine hiring an independent consultant, a one-person shop at a discount rate. You give them access to your system to upgrade your Cognos software. But when they are accessing your system, they are not careful, and they use the WI-FI at Starbucks. While sipping their latte, a hacker can obtain the information needed to access your network. A month later you discover your system is compromised, and secure personal information of your clients has been downloaded. When your IT team discovers the breach, they tie it back to the consultant that you hired at a discounted rate. Unfortunately, the consultant does not carry E&O or Cyber Insurance….
The moral of the story, you should require your consultants to carry additional Third-Party Cyber liability insurance in addition to their errors and omissions insurance. You should educate your procurement department and update standard service contracts to require specific levels of insurance should be specified in your contract.
You can’t stop now! You must continue learning about cybersecurity. For more information on Cybersecurity insurance, I recommend:
- Dan Burke’s blogs:
- What is cyber insurance? Everything you need to know about what it covers and how it works.
- Link to our discussion on Cybersecurity with two Security experts: What Every CFO Needs to Know About Security.
I hope you learned a little bit about what CFO’s need to know about cybersecurity insurance today and how important Cybersecurity is to the longevity of your organization. But knowing the risks are not enough! You must make sure you take the first step and set up a call with your insurance agents to discuss your Cybersecurity insurance needs. If your agent appears to not really understand cybersecurity insurance, find a new agent! If you have questions, I am happy to connect you with the insurance agents I work with. Just email me at Services@lodestarsolutions.com.