Cyber insurance is a growing segment of the insurance market. It helps companies avoid incurring huge losses from database security breaches. With so much money and personal information exchanged through and stored on the internet every day, cyber crime cannot be ignored. Many organized criminal groups consider small businesses especially easy targets with low risk and high payoffs.
Cyber insurance can include first-party and third-party coverage. The first-party coverage mitigates the expenses your company incurs, which can include legal fees, system repairs, lost income, and public relations. Third-party coverage involves claims against your company from outside parties, such as your clients who were affected by the breach.
What is cyber insurance?
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. With its roots in errors and omissions (E&O) insurance, cyber insurance began catching on in 2005, with the total value of premiums forecasted to reach $7.5 billion by 2020. According to PwC, about one-third of U.S. companies currently purchase some type of cyber insurance.
The numbers indicate that organizations are seeing a need for cyber insurance, but what does it cover? Cyber insurance typically covers expenses related to first parties as well as claims by third parties. Although there is no standard for underwriting these policies, the following are common reimbursable expenses:
- Investigation: A forensics investigation is necessary to determine what occurred, how to repair damage and how to prevent the same type of breach from occurring in the future. Investigations may involve the services of a third-party security firm, as well as coordination with law enforcement and the FBI.
- Business losses: A cyber insurance policy may include similar items that are covered by an errors & omissions policy (errors due to negligence and other reasons), as well as monetary losses experienced by network downtime, business interruption, data loss recovery and costs involved in managing a crisis, which may involve repairing reputation damage.
- Privacy and notification: This includes required data breach notifications to customers and other affected parties, which are mandated by law in many jurisdictions, and credit monitoring for customers whose information was or may have been breached.
- Lawsuits and extortion: This includes legal expenses associated with the release of confidential information and intellectual property, legal settlements and regulatory fines. This may also include the costs of cyber extortion, such as from ransomware.
Keep in mind that cyber insurance is still evolving. Cyber risks change frequently, and organizations tend not to report the full impact of breaches in order to avoid negative publicity and damage the trust of customers. Thus, underwriters have limited data on which to determine the financial impact of attacks. Essentially, the true risk of cyberattacks is not completely understood.
What to look for as a cyber insurance buyer
Lots of well-known insurance companies offer cyber insurance policies. Insurance industry watchers believe that clients will soon expect cyber insurance to part of every business insurer's product line. However, like any business insurance, cyber insurance coverage varies by insurer and policy.
When comparing policies among insurers, find out if they cover all of the items listed in the previous section and inquire about the following special circumstances and limits:
- Does the insurance company offer one or more types of cyber insurance policies or is the coverage simply an extension to an existing policy? In most cases, a stand-alone policy is best and more comprehensive. Also find out if the policy is customizable to an organization.
- What are the deductibles? Be sure to compare deductibles closely among insurers, just like you do with health, facility and vehicle policies.
- How does coverage and limits apply to both first and third parties? For example, does the policy cover third-party service providers? On that note, find out if your service providers have cyber insurance and how it affects your agreement.
- Does the policy cover any attack to which an organization falls victim or only targeted attacks against that organization in particular?
- Does the policy cover non-malicious actions taken by an employee? This is part of the E&O coverage that applies to cyber insurance as well.
- Does the policy cover social engineering as well as network attacks? Social engineering plays a role in all kinds of attacks, including phishing, spear phishing and advanced persistent threats (APTs).
- Because APTs take place over time, which can be months to years, does the policy include time frames within which coverage applies?
What do insurance companies look for when deciding coverage?
An insurance company wants to see that an organization has assessed its vulnerability to cyberattacks (created a cyber risk profile) and follows best practices by enabling defenses and controls to protect against attacks as much as possible. Employee education in the form of security awareness, especially for phishing and social engineering, should be part of a protection plan. A boost to best practices may include organizations that have had threat assessments performed (even if not required by regulations). It’s wise to use threat intelligence services for the latest information on zero-day and targeted attacks, and to engage the services of ethical hackers to reveal security weaknesses.
Note: Threat intelligence and ethical hacking services are difficult at best or financially impossible for many small businesses. But investing in some type of vulnerability assessment tool or engaging the services of a penetration tester to probe external network defenses one time can go a long way toward improving security while negotiating cyber insurance.
As cyber insurance coverage becomes more standardized, an insurer might request an audit of an organization's processes and governance as a condition of coverage. And don't be surprised if an insurer agrees to provide coverage but at a level below (sometimes far below) what you feel you need. If so, keep interviewing insurers to find the best deal.
Making the business case for cyber insurance
Any organization that stores and maintains customer information or collects online payment information, or uses the cloud, should consider adding cyber insurance to its budget. Also consider the proliferation of devices that now connect to business networks -- there are simply more opportunities for malicious folks to access an organization's assets.
Need Cyber Insurance for you business? Contact us for a quote today!