Why you need Cyber Liability Insurance.
- cmcdataworks
- Jun 13

Cybersecurity threats are on the rise, making it essential for businesses to take action. An alarming percentage of all consumers (greater than 50%) have experienced a cybercrime, with a 186% surge in breached personal information and a 466% increase in phishing reports as of Q1 2025 [1]. In 2024, the FBI received on average about 2,354 internet crime complaints per day [2], and total losses were about 16.6 billion dollars. The need to protect yourself and your customers from the threat of cyber criminals has never been greater. A single careless click can have devastating consequences. Businesses must prioritize cyber security to protect themselves and their customers.
A major push from consumer advocacy groups and lawmakers is forcing businesses to provide restitution to customers whose data is in their care. From simple phone numbers to detailed medical records, any identifying information that has been breached is now subject to civil lawsuits. California and New York have changed their laws in favor of the consumer, making it customary to provide two years of credit monitoring for any person impacted by a data breach. Let’s face it, most of us have already experienced some form of data breach. I have.
I am not a lawyer, but I am aware of some of the regulations relating to cyber security and data management. For example, the New York State SHIELD Act reads: “Disclosure of the breach must be made in the most expedient time possible.” The law requires businesses to inform multiple agencies, including the Attorney General’s office, New York Department of State, and the New York State Police. Furthermore, if 5,000 or more New York customers are affected, the three nationwide credit bureaus must also be notified. “Under the SHIELD Act, the Attorney General may seek injunctive relief, restitution, and penalties against any business entity for violating the law.” At the time of writing this article, failure to provide timely notification may result in a New York court imposing civil penalties of up to $20 per instance of failed notification (not to exceed $250,000) [3]. If the affected business fails to maintain reasonable safeguards of customer data, the court may impose a civil penalty of up to $5,000 per violation. Consult an attorney and/or a knowledgeable broker familiar with the rules, penalties and requirements for coverage in your business’s operating area.
The North Carolina State Department of Justice currently requires that a business or agency that owns or licenses records, or maintains data, containing personal information that has been subject to a breach notify the owner or licensee of the information that has been compromised. Additionally, the notification must contain the following items:
1. General description of the security breach incident.
2. The type of personal information breached.
3. General description of your efforts to avoid further unauthorized access to personal information.
4. The telephone number where people can call for more information and assistance, if one exists.
5. Advice for people who are affected; and
6. Contact information for the major consumer reporting agencies, the Federal Trade Commission and the North Carolina Attorney General’s office.
There are several steps you can take to reduce the threat from a cyber-attack and data breaches. Usually, the insurance company will provide a questionnaire to understand your data protection practices and associated risks. Using these questions as a guide, you can act (if necessary) to fortify your physical and digital protection systems and procedures. This will make your data environment more secure and may even lower your insurance costs. Below are some areas that insurance companies may inquire about:
1. Enforce password management practices (e.g., change passwords every 90 days, minimum lengths, etc.)
2. Enable and enforce multi-factor authentication (MFA/2FA)
3. Utilize anti-virus/anti-malware software
4. Implement a patch management process
5. Train employees on phishing and social engineering detection
6. Use a well-defined backup procedure and protect backups with MFA and encryption
7. Encrypt data during storage and transit
8. Have a formal business continuity plan and/or disaster recovery plan
9. Use a formal incident response plan for any type of intrusion or breach
10. Enable a spam filter for email
11. Ensure access to critical data is limited (both physical and digital forms)
12. Document a formal privacy policy and review it yearly (at a minimum)
When working on your data security and procedures, it helps to adhere to some well-accepted guidelines and practices. The industry and market you operate in will determine the regulations to be followed. Below is a short list of some of the regulatory groups and standards they require members to implement:

It is important to consider the extent of coverage when purchasing cyber liability insurance, including whether it covers outages or unauthorized use of corporate services and systems. For example, a customer had their phone system hacked, resulting in over $6,000 in long-distance calls over one weekend. Although this qualified as a breach of the company’s internal phone system, the insurance carrier did not cover this event and the customer was left to pay for the thief’s charges.
If you need a review of your security procedures or wish to discuss any of these topics in more detail, please do not hesitate to contact CMC Dataworks.
Originally published Jun 30, 2022
1. Taken from Q1 Gen Press Release (https://newsroom.gendigital.com/2025-05-28-Q1-2025-Gen-Threat-Report-Reveals-AI-Driven-Scams-Redefining-Cybercrime)
2. 2024 FBI Internet Crime Report (https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf)
3. NY State SHIELD Act (https://ag.ny.gov/resources/organizations/data-breach-reporting/shield-act)
Our marketing agency suffered a ransomware attack, but our Cyber liability insurance covered the full recovery.