Both my colleagues and I have posted on topics related to cyber insurance coverage issues from both a franchisor and franchisee perspective. This post, derived from information garnered during the ABA webinar “Practical Insurance Guidance for Franchisors,” focuses on setting appropriate franchisee requirements for cyber coverage.
Step One. Assess what coverage is critical by evaluating the likely threats. Cyber coverage typically covers:
- Information security and privacy (standard coverage for damages resulting from the unauthorized disclosure or theft of confidential information)
- Breach response services (forensic computer experts, customer notification of breaches, attorneys retained to determine compliance with breach notice laws, public relations, and costs for credit monitoring)
- Regulatory Defense and Penalties for violations of privacy laws
- Business Interruption
- Data Protection
- Cyber Extortion
- Breach Preparedness
Do your franchisees collect a good deal of credit card data? If so, then coverage for PCI fines and penalties is critical. Is data collected by franchisees backed up and held by the franchisor? If so, then significant data restoration coverage may not be necessary. Consider the cost of including cyber extortion. An increasing number of smaller companies are experiencing cyber extortion events in which information is held hostage, although the information is typically released upon payment of a small ransom of $2,500 to $5,000. Calculate the risk exposure against the additional premium costs.
The webinar also provided a list of other resources that estimate potential ranges for certain types of losses, such as the eRisk Hub Data Breach Cost Calculator, which gives a franchisee estimates based on the number of potentially affected records, and Symantec’s and Privacy Advisors’ Data Breach Calculators.
Step Two. Be mindful of all sub-limits and policy exclusions. Attempt to claw back and/or narrow exclusions when possible. Cyber coverage typically places sub-limits on items such as breach response services. Make sure those sub-limits are high enough to cover the costs likely to be needed. For example, a cyber policy may provide an overall aggregate limit of $1 million but limit crisis management and public relations expenses to $50,000. That amount of PR services could be used up quickly in a crisis. Scrutinize broad exclusions for failing to follow minimum required practices, and try to carve cyber-terrorism out of the typical blanket exclusion for war, invasion or insurrection.
Step Three. Work with your insurance professionals to determine the appropriate overall limits based on the size and type of franchised business and other factors. Remember that defense costs and expenses are included within, not added to, the policy limit. These costs can erode the policy limit very quickly.
Step Four. Finally, understand the conditions of coverage. Some policies require an insured to use service providers from the insurer's own pre-approved list of vendors. This typically includes legal counsel and public relations firms.
Insurance counsel, together with a knowledgeable cyber insurance broker, can work with your franchise system to evaluate what coverage is most important for a franchisee.