From the Summer 2021 issue of New Jersey CPA magazine (njcpa.org/newjerseycpa)
By Dr. Joseph Howe, CPA
You walk into work in the morning and boot up your computer to find a message that your network has been taken hostage. The captors say you need to pay them bitcoin within the next 24 hours or else. When the operation and finances of your business hang in the balance, this can be a nerve-racking experience, especially if you have never faced it before.
You followed the advice on what to do to secure your network, but the worst has still happened — so what now? Hopefully, as part of your technology risk management plan, you have purchased cyber liability insurance.
Benefits of cyber liability coverage
You probably already have property and casualty insurance to cover against theft, but it likely excludes cyberattacks. Cyber liability is a highly specialized area of insurance that has grown substantially over the years along with the rise in incidence of cyber-crime. When you’ve secured this specialized coverage, your first step when faced with a breach is to contact the carrier and activate their response services. When purchasing a policy, make sure it clearly delineates what this response will be, including the timing, nature and extent of services provided. A policy should include, at a minimum, a 24-hour response by forensic computer specialists 365 days a year.
Do you have experience negotiating with terrorists? I didn’t think so. But these response firms do. Surprisingly, the first approach may be to evaluate the threat and then negotiate with the attacker and facilitate payment of the ransom. Your policy may even cover paying the ransom up to a certain amount.
As you can imagine, cyberattack response experts do not come cheap; some of their rates would make law firm partners blush. Here again, your policy will cover up to a certain amount of services. Most importantly, you want your business up and running normally again.
Shopping for a policy
When shopping for a cyber insurance policy, you should evaluate the following features and costs:
- System restoration and data recovery. Evaluate the amount of coverage provided for system restoration and data recovery and compare it to the norm for your industry. If a server needs to be taken down because of the incident, the policy may include “bricking” coverage to pay for the replacement cost.
- Dependent systems coverage. While a cyber liability policy can cover business interruption losses because of the incident, a notable variant of this is dependent systems coverage. Your business likely relies on other businesses for software as a service and/or cloud storage. Dependent systems coverage covers business interruption that results from a breach or failure of these third-party systems.
- Breach notification. When your systems have been breached, you may have a duty to inform certain people whose personally identifiable information has been compromised. Aside from covering legal fees, policies commonly cover costs associated with making the notification, including mailing, setting up a toll-free number for information services and providing credit monitoring services to those affected.
- Public relations. Depending on the publicity that may result from the incident, retaining a public relations firm to help manage the crisis may also be covered.
- Legal defense. More robust coverage will also cover defense of legal claims arising from the data breach.
By and large, when buying insurance, you are buying peace of mind. Even the most advanced technology systems are susceptible to attack, so don’t be under the illusion that your own systems are somehow impenetrable. Most good insurance companies will provide you with an evaluation of the resiliency of your technology infrastructure and guidance on steps you can take to prevent cyberattacks.
Dr. Joseph Howe, CPA, CFE, CGFM, is the chief financial officer of a government entity in New Jersey. He is a member of the NJCPA Governmental Accounting & Auditing Interest Group and can be reached at jhowecpa@gmail.com.