Cyber insurance is one of the most important types of coverage for today's businesses to carry. Unfortunately, it is also one of the most misunderstood types of insurance on the market. As a result, a lot of companies forgo necessary protections and leave themselves open to common and consequential types of risk. This guide will introduce you to everything you want and need to know about types of cyber insurance and how they protect you and your business.
What is Cyber Risk?
All businesses, regardless of their size or the industry they operate in, rely on complex technology. That technology is vulnerable to a wide range of attacks, and when systems are compromised, companies are forced to operate abnormally. Whatever financial consequences result from this abnormality are known as cyber risk.
An example helps to illustrate the issue. Imagine that your company was hit by a ransomware attack and denied access to important or sensitive information. The company must either pay the ransom or accept the consequences of operating without essential data. In either case, the company is negatively affected, and both cases represent forms of cyber risk.
Cyber risk is currently greater than ever as hackers become more sophisticated and more tenacious. Estimates suggest that cybercrime will cost global industries $6 trillion annually by 2021. In 2017 alone, the cost of just ransomware attacks topped $5 billion internationally. Perhaps most alarmingly, 43 percent of attacks are targeted at small businesses, and 60 percent of those businesses close within six months of the attack. Cyber risk is real, likely, and highly disruptive.
What is Cyber Insurance?
Cyber insurance exists to protect companies from cyber risk. Various types of coverage guard against various types of risk. To learn a lot more about the specifics of cyber insurance, be sure to read our comprehensive overview.
What are the Aspects of Coverage?
The particulars of coverage vary depending on the details of the policy and the company that offers the insurance. Determining what kind of risks you face, what kind of protections you need, and what sorts of policies offer exactly that is essential when purchasing cyber insurance. Typically, policies include some or all of these aspects of coverage:
Event Response Coverage
Recovering from a data breach or other attack is a lengthy and costly process. It may require hiring forensic investigators to determine the cause of the attack, working with breach notification services to contact victims, and hiring public relations firms to help rehabilitate a public image. Event response coverage exists to cover costs directly related to recovering from an attack.
Regulatory Response Coverage
Various local, state, and federal regulations mandate that companies follow certain cybersecurity protocols and maintain certain levels of protection. If an attack occurs and a company is found to be in breach of regulations, the penalties range from hefty fines to punitive restrictions. Regulatory response coverage provides financial support to companies in breach of expansive and growing cybersecurity rules.
Victims of cyber attacks have an understandable incentive to sue the company that exposed them to attack. Liability coverage helps companies pay to defend against lawsuits or helps to pay the judgment from lawsuits. Often liability coverage is divided into three categories – failure to protect privacy, failure to maintain security, or failure to secure media like intellectual property.
Cyber Extortion Coverage
When data or applications fall under the control of hackers, they often demand a hefty ransom in order to restore access. Cyber extortion coverage will pay the ransom and pay for the costs of consultants or other professionals brought in to address the problem.
Institutional Loss Coverage
Cyber attacks have a direct impact on the bottom line by making it impossible to operate normally, jeopardizing relationships with third parties, destroying systems or data, or initiating phony wire transfers. Institutional loss coverage helps to minimize the negative financial consequences of an attack.
What Data is Covered?
Cyber insurance is available to cover almost every type of data. What is important to realize, however, is that individual policies do not necessarily protect all the data your company relies on. Again, understanding what you need to protect and what kinds of coverage you are actually getting is the only way to eliminate coverage gaps and cracks in your policy. Coverage typically applies to the following categories of data:
Personal Health Information (PHI)
Any information that identifies an individual according to features of their health is considered PHI. This includes any part of an individual's electronic medical records. All PHI is protected under the Health Information Privacy and Portability Act (HIPAA).
Personally Identifiable Information (PII)
Any information that reveals the identity of a specific individual falls under this umbrella. This could include a name, social security number, address, password, or account number. This information is subject to a number of regulations, including the Family Educational Rights and Privacy Act (FERPA).
Payment Card Information (PCI)
Any information related to an individual's payment card accounts falls into this category. This could be credit or debit card numbers, account or routing numbers, or security codes. This information is very broadly protected under the Payment Card Industry Data Security Standards (PCI-DSS).
Any information that is not explicitly regulated but has a high value to one or more parties. Examples include trade secrets, intellectual property, formulas, internal records, or sensitive communications. Exposure of this data may not trigger fines/fees but does create costs that put companies on unstable financial footing.
Many companies rely on third parties like cloud hosting providers or co-location centers to handle aspects of data management. Data that is put at risk because of the negligence of a third party is covered under certain types of cyber insurance policies.
What Losses are Not Covered?
As stated earlier, most policies do not cover all types of data or protect against every instance of cyber risk. Cyber insurance providers are only willing to underwrite the types of risk they feel comfortable with, and some of those risks are so out-sized that it does not make fiscal sense to offer coverage. In other instances, it's actually illegal to offer coverage.
Most policies include a section that explicitly outlines the types of data that are exempt or excluded from coverage. However, additional exemptions may exist due to the specific terms and definitions included in the policy. Understanding if and when subtle exemptions exist is an important part of vetting a policy. In general, these types of losses are not covered:
- Losses caused by acts of war
- Losses related to the operation of a nuclear facility
- Losses linked to dishonest or illegal acts
- Losses involving a breach of contract
- Losses that cause the theft of trade secrets
- Losses attributed to unfair trade practices
- Losses in violation of established employment practices
Will Other Types of Insurance Cover Risk?
Other types of coverage may cover risk, but only on a limited basis. That coverage may exist through general policies, officers and directors policies, or property damage policies. If and when other types of coverage do apply to cyber risk, the overlap is almost always accidental rather than intentional. As a result, coverage coming from anything other than a cyber insurance policy often fails to provide the compensation and confidence that companies are looking for. It is worth investigating whether existing policies provide any applicable coverage, but it is highly risky to rely on this coverage alone.
What is the Buying Process?
As important as it is to have cyber insurance, having the wrong policy is almost as bad as having no policy at all. Companies run the risk of relying on protections that have significant gaps in coverage, or of paying exorbitantly for policies that provide protections that are too extensive and expensive. There is no one-size-fits-all approach that guarantees you find the right policy, but there are strategies to be a more informed buyer:
Seek Out Quality Resources
For reasons that are hopefully apparent by now, you want to have complete confidence in your cyber insurance policy. In order to do that, you must have access to resources that answer your questions, introduce you to important issues, and call your attention to important features of policies and protections. This site provides all the information and assistance you need to select a quality policy. Spend some time exploring the information available before looking at specific policies.
Understand Your Risk
You won't know what kinds of protection and coverage limits you need until you very clearly understand what kind of risks you face. The first step is to study the threat landscape and identify the types of attacks or accidents your company is particularly vulnerable to. The second step is to calculate the cost of those attacks in the broadest and deepest terms possible. It helps to identify both worst-case scenarios and likely scenarios. After this exercise, it should be clear which kind of policy your business needs to focus on.
Upgrade Your Security
Remember that even with cyber insurance in place, the soundest strategy is to avoid attacks rather than recover from them. Cyber insurance does not pay to upgrade your security, but it often mandates that you have certain protections in place. Practicing good governance, putting new technologies and policies in place, and responding to new threats like mobile and connected devices go a long way towards boosting cybersecurity. With the right approach, it may even be possible to lower your premium.
What if an Event Occurs that Might Be Covered by Cyber Insurance?
The insurance provider should be notified as quickly as possible in the wake of an event. Reporting events sooner has many benefits, and there is no incentive to wait. Companies should make contact even if they are unsure that an event is covered by a cyber insurance policy.
Acting quickly is important because cyber insurance provides resources that are most valuable immediately after an event. Insurers often have relationships with security firms, legal teams, and other professionals who help recover from a breach. Ideally, your company has relationships with these vendors in advance to help expedite the recovery effort. It may also be possible to work with vendors of your own choosing, but you must get this approved by your insurer.
What is the Claims Process Like?
The claims process is largely a cooperative effort between your company's legal team and the insurance provider. There may be some temptation to avoid contact with the insurer following a breach out of fear that the policy will be ruled invalid. This is always a mistake because cyber insurance companies provide expertise and resources that help mitigate the damage.
Once the recovery process is underway, both parties work to determine the cause of the breach and devise defense strategies for the future. Insurers may make future coverage contingent on your company putting new protections in place, but generally, the insurer can't require your company to invest specific amounts in specific protections.
Will My Premium Rise After I Make a Claim?
As with most types of insurance, premiums are likely to rise after making a claim. The amount your premium rises depends on market conditions and the specific terms of the policy. The benefit of the coverage outweighs the increase in the premium, and companies can avoid the worst instances by prioritizing cybersecurity generally. A cyber insurance policy is an important piece of the puzzle, but comprehensive protections are the only way to insulate an organization from the worst of today's and tomorrow's threats.
Should I Work With a Cyber Insurance Broker?
If you are new to cyber insurance or unfamiliar with cybersecurity, it may be tempting to work through a cyber insurance broker. As long as you do your research and compare and contrast multiple offers, however, there is no need to work with a professional. Plus, by eliminating the middleman, the overall cost of insurance goes down as well. Rely on the resources available throughout this site to find a policy that is protective and cost-effective.