You may be wondering, "Do I need cyber liability insurance? What does (and doesn’t) it cover? What are the two types? What cyber liability insurance is right for me?"
Cyber liability insurance is something I do recommend that everybody at least asks their insurance agent about. Before we go any further, understand that I'm not an insurance professional, but I do think that you should continue reading because I still am able to provide valuable insight on this important topic. Cyber liability insurance is one of four policies that I advise companies to get, the others being general malpractice, telemedicine, and general liability insurance.
I’ve mentioned that I think cyber liability insurance is critical, but what is it really? Cyber liability insurance protects small businesses from the high costs of a data breach or a malicious software attack. In the event of a breach, it mostly covers notifying the people whose data was stolen, alongside other expenses that arise as a result of the breach. Notifying the victims is extremely important because if you don’t, you risk massive fines and other consequences from HIPAA violations.
You might be thinking, “Why do I need insurance for this? Can’t I just self-insure?” And while you can self-insure, studies have shown that more than 60% of businesses that get attacked go out of business within six months, so it’s definitely worth getting. If your company handles sensitive data, which healthcare providers do, you probably want to ask your insurance provider about cyber liability insurance, because hackers often target retailers, healthcare organizations, and financial service providers like banks and credit card processors.
There are two types of cyber liability insurance. One is first-party coverage, and most of you will fall into this category. The other is third-party coverage. First-party coverage helps cover expenses when your systems or your network are breached or data is stolen. Third-party insurance offers protection when a client sues your company for failing to prevent a breach at their business. To give a concrete example, a business with third-party coverage might be one like your EMR. It’s their job to store your records and make sure they’re secure, so if something happened to your data through their servers, you could then turn around and sue their company for all the fines that you've had to pay out as a result of the breach. First-party coverage is more concerned with what happens on your own network to your clients’ information. The main difference is who is at fault for the breach.
For the sake of this blog, we’re going to be focusing on first-party insurance because it is much more relevant in the day-to-day running of a practice. It involves costs that directly impact your business, like covering expenses when your network is hacked and your data is breached. It can also cover things like cyber extortion payments, as in ransom or ransomware attacks, where attackers freeze all the assets on your computer and demand that you pay a ransom to get them back. It can also include hiring an expert to investigate the breach and ensure you’re complying with all the regulations. Depending on the plan, it may also cover fraud-monitoring services or crisis management costs for your PR team, if you have one. Some plans even cover the lost revenue from days you were prevented from working by a data breach or ransom attack.
The median cost for small businesses is about $140 a month, or almost $1,700 a year. This depends on several factors, though, because having more devices or more expansive policy coverage can drive the price up. It all depends on what you want for your practice.
How do cyber attacks happen? Usually, they come from outsiders. Sometimes it's a phishing scam with an email link, and it’s usually fairly easy to see that these are scams because the English is pretty bad. I also have a dedicated DMCA takedown notice in my terms and conditions on my website, and that has helped a great deal with this. Go ahead and check it out, because it might help you out. If you don't know what I'm talking about, go and watch my terms and conditions video. Those sorts of things are what lead to cyber attacks. It’s 2022, and everyone is online a great deal, so it’s really just a matter of time until there’s a cyber attack. Just to clarify, something is considered a breach whether or not the records are actually accessed. If someone has the ability to access the records, then it counts as a breach. This includes things like a stolen laptop or ransomware. Keep in mind that fines for breaches can range from $500 to $5,000 per record breached, and that can add up extremely quickly. I’m not trying to scare you on this, but it is something that you should be aware of.
Hopefully, now you understand the value of cyber liability insurance. I don’t get paid if you go out and buy liability insurance; it’s just something that I think can be very valuable. I think that you all should go ahead and check to see if cyber liability insurance is covered in your insurance plan, and if not, consider getting some.
If you have any questions, you can find us at functionallawyer.com and originsincubator.com.
Thanks for reading!