Cyber liability coverage - worth adding to E&O policy?

Started by Gordon C. — 2 years ago — 9 views
My E&O carrier is pushing cyber liability coverage as an add-on to my professional liability policy. They're saying with all the utility bill data we handle, there's risk of data breaches or cyber attacks. Premium would add about $800/year to my existing policy. Anyone added cyber coverage and is it worth it? Most of my Southern California Edison audits involve handling sensitive customer data and usage patterns.
Gordon, I added cyber liability two years ago and it's been peace of mind. We're handling customer account numbers, usage data, sometimes even social security numbers for business owners. If that data gets compromised, the notification requirements alone can cost thousands. MLGW has started requiring cyber coverage for some of their larger commercial audit contracts.
Randy makes a good point about notification costs. I haven't added it yet but starting to think I should. Working with a lot of Texas industrial clients where Oncor and CenterPoint data could be valuable to competitors. What kind of coverage limits are you seeing? My broker mentioned $1M cyber vs $2M E&O but I'm not sure how to evaluate what's adequate.
Howard, I went with $1M cyber and $2M E&O. Figure the cyber claims are likely to be smaller than professional liability claims. The coverage includes forensic investigation, customer notification, credit monitoring, legal defense, and regulatory fines. PSE up here in Washington has been pushing all their contractors to get cyber coverage after some high-profile utility data breaches.
I'm still on the fence about this. Most of my Idaho Power audits are done on-site with paper records or the client's own computers. I don't store much customer data electronically. But then again, $800/year isn't huge compared to the potential costs if something did happen. Anyone know if cyber coverage includes social engineering scams?
Pete, most cyber policies do include social engineering but read the fine print. Some exclude it or have sub-limits. The scariest scenario for me is someone hacking my email and sending fake invoices to clients or getting access to their utility account portals through saved passwords. SDG&E and SCE both have pretty strict data security requirements now.
Gordon's email scenario is exactly why I added the coverage. Had a close call last year where someone tried to phish one of my client's utility passwords through a fake email that looked like it came from me. Fortunately the client called to verify but it made me realize how vulnerable we are. The coverage also includes business interruption if you can't work due to a cyber event.
Business interruption coverage is a good point, Randy. If ransomware locks up your systems for a week, that's lost revenue on top of the recovery costs. I'm doing more remote audits now where clients email me their Avista bills instead of on-site reviews. More convenient but definitely increases the cyber risk exposure.
Thanks everyone, this thread convinced me to add cyber coverage. The horror stories about ransomware attacks on small businesses are enough to justify the cost. Better to have it and not need it than need it and not have it. Going to call my broker tomorrow and add it to my existing E&O policy.