Technology, social media, and transactions over the internet play key roles in how most organizations conduct business and reach out to prospective customers today. These modes of business also serve as gateways to cyberattacks. Irrespective of what or who initiates the hacking, cyberattacks are likely to occur and can cause moderate to severe losses for organizations both large and small. As part of good risk management, organizations must decide which risks to avoid, accept, control, or transfer. Transferring risks is where cyber insurance comes into play.
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with data-related recovery after a cyber-related security breach or similar event has occurred. With its roots in errors and omissions (E&O) insurance, cyber insurance began growing in popularity around 2005, with the total value of premiums projected to have reached $8-9 billion by 2020. According to PricewaterhouseCoopers (PwC), about one-third of U.S. companies have purchased some type of cyber insurance. [1]
Cyber insurance typically covers first-party expenses as well as claims by third parties. Although policies do not follow a common standard, the following are commonly reimbursable expenses:
- Investigation: A forensic investigation is necessary to determine what occurred during the data breach, how to repair the damage, and how to prevent the same type of breach from recurring. Investigations may involve the services of a third-party security firm, as well as coordination with law enforcement and the FBI.
- Business Losses: A cyber insurance policy may include items similar to those covered by an errors & omissions policy (errors due to negligence and other causes), as well as monetary losses caused by network downtime, business interruption, and data loss recovery, and the costs of managing a crisis, which may include repairing reputational damage.
- Privacy and Notification: This includes data breach notifications to customers and other affected parties, which are mandated by law in many jurisdictions, as well as credit monitoring for customers whose information was or may have been breached.
- Lawsuits and Extortion: This includes legal expenses associated with the release of confidential information and intellectual property, as well as legal settlements and regulatory fines. It may also include the costs of cyber extortion, such as ransomware payments.
Cyber insurance coverage varies by insurer and policy. Therefore, the following points should be considered before purchasing a policy:
- Does the insurance company offer one or more types of cyber insurance policies, or is the coverage simply an extension to an existing policy? In most cases, a stand-alone policy is best and more comprehensive;
- Can the policy be customized to the organization's needs?
- Evaluate the deductibles and compare them across insurers, as you would for health, vehicle, and facility policies;
- How do coverage and limits apply to first and third parties? For example, does the policy cover third-party service providers? Research whether your service providers carry cyber insurance and how that affects the agreement;
- Does the policy cover all the attacks to which an organization is vulnerable, or only a limited set of specific attacks?
- Does the policy cover non-malicious actions taken by an employee? This is part of the E&O coverage that applies to cyber insurance as well;
- Does the policy cover social engineering as well as network attacks? Social engineering plays a role in all kinds of attacks, including phishing, spear phishing, and advanced persistent threats (APTs);
- Does the policy include strict time frames within which coverage applies? Unfortunately, a cyberattack can continue for months or even years;
- Many insurers also offer a checklist of coverage items to compare against their competitors; consider these checklists when deciding on an insurer.
Points to Consider when Deciding Coverage:
- Your prospective cyber insurance company will check whether your organization has assessed its vulnerability to cyberattacks (i.e., created a cyber-risk profile) and follows safe data practices, and will then decide whether or not to insure you;
- As part of a protection plan, employees should receive security awareness training, particularly on phishing and social engineering;
- An insurer might request an audit of an organization’s processes and governance as a condition of coverage.
Any organization that stores and maintains customer information, collects online payment information, or uses cloud storage services should consider adding cyber insurance to its budget. Be warned: most cyber insurance covers first-party losses and third-party claims, but general liability insurance covers only property damage. Sony was unfortunately left high and dry after the 2011 PlayStation Network breach, and suffered an estimated $171 million in damages. During a court case, Zurich American Insurance Company (Sony’s insurer) argued that Sony’s policy covered only physical property damage, not cyber damages. [2]
Cyber insurance coverage and premiums are usually based on an organization’s industry, type of services provided, data risks and exposures, security posture, policies, and annual gross revenue. For example, premiums may range from $800 to $1,200 for consultants, tax preparers, and small organizations with revenues of $100,000 to $500,000, and from $10,000 to over $100,000 for organizations with revenues in the millions.
Despite today’s advanced digital world, cyber insurance is still evolving. Cyber risks change frequently, and organizations tend not to report the full impact of data breaches in order to avoid negative publicity and the loss of public trust. Even today, the true risk of cyberattacks is still not completely known.
[1] “New Opportunities in the Cyber Nation of Israel: Munich Re Topics Online.” Munichre.com, 4 July 2019, www.munichre.com/topics-online/en/digitalisation/cyber/new-opportunities-in-the-cyber-nation-of-israel.html.
[2] Lindros, Kim, and Ed Tittel. “What Is Cyber Insurance and Why You Need It.” CSO Online, CIO, 4 May 2016, www.csoonline.com/article/3065474/what-is-cyber-insurance-and-why-you-need-it.html.