Cybersecurity and Cyber Insurance in 2023 Explained

16 November 2023

There are several regulations regarding cyber security for companies in the US, depending on the type, size, and sector of the business. Some of the most common and relevant ones are:

  • The Federal Information Security Modernization Act (FISMA) of 2014, which requires federal agencies and contractors to implement security controls to protect their information systems and data.
  • The Cybersecurity Information Sharing Act (CISA) of 2015, which encourages voluntary sharing of cyber threat information between the private sector and the government, and provides liability protection and antitrust exemptions for participants.
  • The Gramm-Leach-Bliley Act (GLBA) of 1999, which applies to financial institutions and requires them to safeguard the privacy and security of customer information.
  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which applies to health care providers, insurers, and other entities that handle protected health information, and requires them to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of such information.
  • The Payment Card Industry Data Security Standard (PCI DSS), which is a set of industry-mandated requirements for any organization that processes, stores, or transmits credit card information, and aims to prevent fraud and data breaches.
  • The California Consumer Privacy Act (CCPA) of 2018, which is a state law that grants California residents the right to access, delete, and opt out of the sale of their personal information by businesses that operate in California or serve California consumers.

There are penalties for non-compliance with these regulations, depending on the type and severity of the violation, the authority that enforces the regulation, and the remedy that is sought. Some of the possible penalties are:

  • Administrative remedies/civil penalties imposed by regulators and law enforcement. For example, the Department of Health and Human Services (HHS) may impose a civil money penalty on any person who violates the HIPAA Privacy Standards in the range from USD 100 to USD 50,000 per violation, with a total of USD 25,000 to USD 1.5 million for all violations of a single requirement in a calendar year. The Federal Trade Commission (FTC) may bring civil actions for civil monetary penalties of up to USD 40,000 per violation of the FTC Act or the Children’s Online Privacy Protection Act (COPPA). The California Consumer Privacy Act (CCPA) provides for fines of up to USD 2,500 per violation or USD 7,500 per intentional violation, but notably does not place a cap on the total amount of fines. The Colorado Privacy Act (CPA) provides for civil penalties of up to USD 20,000 per violation and injunctive relief.
  • Criminal penalties from regulators and law enforcement. Violations of HIPAA can include criminal penalties, including up to ten years imprisonment in certain cases. The Computer Fraud and Abuse Act (CFAA) provides for both criminal and civil penalties for various cybercrimes, such as hacking, denial-of-service attacks, phishing, and cyber-extortion, and the criminal penalties can range from one to 20 years imprisonment for some aggravated offences.
  • Private remedies. The CCPA provides for a private right of action for certain data breaches, including potential statutory damages of up to USD 750 per consumer per incident. Some other state laws, such as the Illinois Biometric Information Privacy Act (BIPA), also allow individuals to sue for violations of their privacy rights and seek damages, attorneys’ fees, and injunctive relief.

What is Cyber Insurance?

Cyber Liability insurance, also known as cyber insurance or cyber risk insurance, is a service that provides coverage for both small and large businesses against potential cyber threats and liabilities. This type of insurance is designed to protect businesses from financial losses resulting from data breaches, network security failures, and other cyber incidents.

Why is Cyber Insurance Important?

Cyber insurance is vital for businesses because it provides an extra layer of financial protection in the event of a cyber incident. As cyber threats continue to evolve and increase in frequency, organizations are more likely to face a cyber-attack or data breach, which could lead to significant financial losses and reputational damage. Cyber insurance can help businesses recover from these incidents, cover the costs of legal fees, public relations efforts, and other expenses related to managing and resolving the issue.

Cyber insurance is also important given the spread of machine learning and AI-assisted tools, because:

  • ML and AI systems can introduce new risks and vulnerabilities that may lead to data breaches, property damage, business interruption, or bodily harm.
  • ML and AI systems can be tricked, evaded, or misled by malicious actors who may try to steal, corrupt, or manipulate them for their own purposes.
  • ML and AI systems can fail unintentionally due to faulty assumptions, design flaws, or unexpected situations that may produce unsafe or undesirable outcomes.
  • Cyber insurance can help cover the costs and liabilities associated with these potential failures and provide guidance and support for mitigating and preventing them.

The growing number of insurance companies offering cyber insurance reflects the increasing demand for coverage due to the rising threat of cyber incidents. When selecting a cyber insurance company and policy, it’s essential to work with experienced insurance professionals who understand the unique risks and exposures faced by your business.

How Does Cyber Insurance Work?

Cyber insurance policies generally cover a range of cyber incidents, including data breaches, network security failures, ransomware attacks, and social engineering fraud. The coverage provided by a policy can vary depending on the insurer and the specific needs of the business.

Risk Management for Career Professionals

Career professionals need to be aware of the potential risks associated with their job responsibilities and take steps to mitigate those risks. This includes implementing strong security policies and procedures, investing in cybersecurity training, and staying informed about the latest cyber threats and trends. Additionally, career professionals should consider obtaining cyber insurance to protect themselves from potential financial losses resulting from a cyber incident.

Who Needs Cyber Insurance?

Any business that relies on technology and handles sensitive data, such as customer information, financial records, or intellectual property, should consider obtaining cyber insurance. This includes small businesses, which are often targeted by cybercriminals due to their limited resources and security measures.

What is Covered and Not Covered by Cyber Insurance?

It’s also vital to know what is and isn’t covered by cyber liability insurance. Cyber insurance typically covers expenses related to managing and resolving a cyber incident, including:

  • Legal fees and regulatory fines.
  • Public relations efforts to manage reputational damage.
  • Notification and credit monitoring services for affected individuals.
  • Forensic investigation and data restoration costs.
  • Extortion payments, such as ransomware demands.

However, there may be exclusions or limitations in the coverage, such as:

  • Losses due to unencrypted devices or inadequate security measures.
  • Losses resulting from employee misconduct or insider threats.
  • Losses from intellectual property theft or trade secret infringement.

Once they understand the coverage limitations, businesses should also be aware of the different types of cyber insurance available. The two main types are first-party coverage, which covers the policyholder’s direct losses resulting from a cyber incident, and third-party coverage, which covers the policyholder’s liability for damages caused to others as a result of a cyber incident.

How to Choose a Cybersecurity Insurance Policy and How Much Does Cyber Insurance Cost?

Choosing the right cybersecurity insurance policy depends on various factors, including the size and nature of the business, the type and amount of sensitive data handled, and the organization’s risk profile. It is essential to work with a reputable insurance broker or agent who understands the unique risks and exposures faced by the business.

The cost of cyber insurance varies depending on the level of coverage, the size and industry of the business, and its risk profile. Premiums can range from a few hundred dollars per year for small businesses to several thousand dollars or more for larger organizations with more significant risks.

Cyber Insurance is Getting Harder to Obtain

As cyber threats become more complex and pervasive, some insurance companies are becoming more selective in offering cyber insurance coverage, requiring businesses to demonstrate robust security practices before providing a policy.

Let Inszone Insurance Services help you protect your company and yourself from potential financial and reputational damage. Request a free quote.
