The world of cyber security can be confusing to navigate, and the realm of cyber insurance is no different. Let's say you want to invest in a cyber insurance policy for your business. You might feel overwhelmed by all the terms and types of insurance outlined by various insurance providers, and some of the verbiage can certainly be intimidating. But there is no need to let this concern you. The list below explains 20 of the most confusing terms from cyber insurance policies.
Forensic Investigation
This will usually be required after a cyberattack has occurred. It could also occur after you believe a cyberattack may have occurred. A forensic investigation will usually be performed by an outside organization that specializes in cyber security forensics. The forensic investigation will seek to tell you whether or not an attack has occurred. It also determines how much infrastructure was affected, what records were lost, and whether or not they can be recovered. Let's say your organization realizes that a data breach is ongoing. A forensic investigation can normally provide information on how to stop the attack. Most cyber insurance policies include coverage for the cost of a forensic investigation during or after an attack.
First-Party Coverage
First-party cyberattack coverage insures your business against the event itself. It also covers the direct fallout to your business and profitability that might occur as a result. First-party insurance coverage might include several components. These could include loss of income due to an interruption in business service. It may cover the cost of restoring lost data or damaged or lost equipment. It may cover loss of communication between your employees and your customers, as well as a loss of your internal communication systems. It may also cover the cost of determining, via a forensic investigation, whether or not a cyber event has occurred and what damage it caused, including damage from extortion or ransomware.
Third-Party Coverage
Third-party cyberattack coverage protects your business from the chain reaction of events that may be triggered by a cyberattack. These are costly expenses that can put your business in grave danger, but they may not be directly related to the cyber security event itself. Types of coverage that fall under the "third-party umbrella" include the cost of hiring a public relations firm to manage your business's reputation. Credit monitoring for customers whose information may have been compromised in an attack may be included. Litigation coverage, in case a customer or partner files a lawsuit against your business, could also be included. Coverage for the transmission of a virus or malware to others, as well as media liability coverage, may be included as well. Coverage against government penalties and regulatory fines may also be included.
Risk Analysis
Many cyber insurance companies will require that your business has completed a risk analysis before they extend insurance coverage. A risk analysis is usually done by a third-party vendor. It involves an assessment of your organization's current IT infrastructure and systems. A risk analysis will point out potential "weak links" in your technology that could make for easy attack points. It will help you know how to close the gaps that make you vulnerable to cyber crime. Insurance companies may ask to see a risk analysis for several reasons. A risk analysis helps them underwrite the policy and assures them that you have your eye on your business's security. It can guide your purchase of insurance and inform a cyberattack response plan. Industry experts recommend conducting a risk analysis once a year.
Failure to Put Right
The phrase "put right" is often used in the context of things that are not included in a cyber insurance policy. Failure to put right describes negligence on the part of an IT manager or business owner to correct known vulnerabilities that could lead to a cyberattack. Most cyber insurance policies will have a clause explaining that "failure to put right" is not covered. This assumes that you knew that there was a problem in your infrastructure and failed to fix it. If a cyberattack or data breach occurred as a result, it will not be paid for by your insurance company.
Errors and Omissions (E&O)
Some cyber insurance policies may include an errors and omissions clause; most likely will not. "Errors and omissions" is most commonly used in business liability insurance policies. It protects the policyholder against the cost of a negligence claim filed against them. It is part of professional liability insurance. This type of coverage is usually necessary for professional services firms and for businesses that provide advice. In the world of cyber insurance, errors and omissions coverage protects your business against losses sustained by third parties (such as customers or partners) when your IT systems fail.
Ransomware
Ransomware is a form of malware that locks access to a computer or system (typically using encryption) until a ransom is paid. Once the ransom is paid, the user's data is released. One of the biggest ransomware attacks occurred in May of 2017. Around 200,000 computers in over 150 countries were attacked by a ransomware crypto-worm called WannaCry. The program demanded payment in bitcoin of $300 within three days or $600 within seven days. Parts of the United Kingdom's national healthcare system were forced to run on an emergency-only basis during the attack since many of their computers were inaccessible. Most cyber insurance policies include protection against ransomware.
DDoS
DDoS stands for Distributed Denial of Service. A DDoS attack leverages multiple compromised computers to attack a website, server, or network to bring it down. Usually, what happens in a DDoS attack is that the hacked computers submit a flood of requests to the system or server being attacked. The overwhelming number of incoming messages causes it to crash. DDoS attacks have been carried out by individual cyber criminals, organized hacker crime rings, and governments. Outages resembling a DDoS attack can also occur accidentally when poor coding leaves a website or server unable to handle legitimate requests. Most cyber insurance policies include protection against DDoS attacks.
Encryption
Encryption is a commonly used method of keeping sensitive information private. The encrypted information is scrambled into another form so that only authorized parties can access (or decrypt) it. Unencrypted data is called plaintext. Encrypted data is commonly referred to as ciphertext. Encryption is currently one of the best available methods to secure data. If your business's sensitive information is not encrypted, your insurance company may refuse to grant claims payouts after a harmful cyber security event.
Vendors & Offsite Computers
Many cyber insurance policies have specific language regarding vendors and offsite computers. This refers to any hardware, software, or data storage that sits outside of your regular place of business. If your business outsources IT security or technological support, you should not assume that a loss of data caused by an external vendor will be covered. Check how your organization's cyber insurance policy addresses such losses.
Directors and Officers (D&O) Insurance
D&O stands for directors and officers. In short, D&O insurance protects executives and board members from legal cases that could be levied against them as a result of poor business decisions. It is important to know that most cyber insurance policies do not include D&O insurance but may make mention of it. Your organization's leadership should consider whether D&O insurance needs to be purchased along with cyber insurance to protect board members and executives from the fallout of decisions that could result in cyberattack exposure.
Social Engineering Insurance
Similar to D&O insurance, most cyber insurance policies exclude social engineering coverage. Social engineering fraud occurs when a cyber criminal impersonates a manager or executive online (usually via email). They then ask an employee to transfer funds to an external account. A social engineering insurance policy protects against social engineering fraud and other phishing schemes. This may not be included in every cyber insurance policy, so it is important to check your policy if you believe your business should have social engineering coverage.
Third-Party Provider
A third-party provider is any person or institution outside your organization who comes into contact with, or manages, your company's data. If you pay for cloud-based storage of information, the company holding your information on its servers is a third-party provider. The 2013 Target data breach occurred because hackers accessed sensitive information through the company's air conditioning contractor. It is important to pay attention to the language in your cyber insurance policy surrounding third-party providers. Does your coverage change if the breached data is hosted by a third party?
Admitted vs Non-Admitted Insurance Markets
Insurance providers that operate in an admitted market are required to be licensed in the state where they operate. They must file their policies with state insurance departments and must comply with all state regulations. Insurance providers in a non-admitted market may still sell insurance in a given state but are not required to comply with state regulation. Purchasing insurance from an admitted market provider might provide certain regulatory protection to your business. But, that does not mean that providers in non-admitted markets are nefarious or selling scam insurance policies. A [draft paper published by the RAND Corporation](http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/06/WEIS_2017_paper_28.pdf), a public policy research organization, suggests that as much as 90% of the cyber insurance market could be operating in non-admitted markets.
Intellectual Property (IP)
IP is a frequently used abbreviation for intellectual property. Intellectual property is a thought or creation that belongs to you or your business. Intellectual property can be protected by copyrights, trademarks, or patents in the United States. A trading algorithm created by an investment firm is an example of intellectual property; so is a particular method of underwriting developed by a small business lender. The protection of intellectual property is an important topic in cyber security, since the leak or theft of intellectual property can severely damage a business's competitive advantage. Read your cyber insurance policy to see whether or not it includes protection of intellectual property.
Incident Loss History
Your organization's incident loss history describes any cyber security events or losses that have previously occurred. Most cyber insurance underwriters will ask whether you have had any network or computer security incidents in the last several years. They use this as a means to gauge the risk associated with insuring your company. An incident loss history might describe past data breaches and losses of information that warranted customer notification. It could also include lawsuits filed against your business and investigations by the government or other regulatory bodies. Instances of extortion, or insurance claims previously made to another insurance provider, may be included as well.
Hazard Class
It is possible that your cyber insurance provider might mention your business's "hazard class," which is essentially a risk assignment based on the industry you work in or the type of information you handle. At this time, the cyber insurance industry does not have generally agreed upon hazard classes. Hazard classes can vary from one organization to another. However, it is safe to assume that storing financial records or account numbers will bump you up a hazard class. So will storing social security numbers. Businesses in the retail, healthcare, accounting, and financial industries are commonly flagged as belonging to a higher hazard class.
Employee Data Breach
This refers to a leak of sensitive information that occurred because of an internal party's mistake or purposeful release of data. Cyber crime stereotypes can often lead people to believe that most cyberattacks are the result of a nefarious cyber genius in a dark room. But, cyber losses are very often the result of accidents or mistakes from employees or contractors. Be sure to understand how your coverage might change based on which party compromised your company's data.
Endorsement
An endorsement is an attachment, or rider, that adds to your business's cyber insurance policy. Let's say your business receives a quote from a cyber insurance carrier that does not include a vital type of coverage you think you need. Ask if you can add it as an endorsement and how much doing so might add to your premium. It's a little-known secret that many cyber insurance companies are willing to negotiate on price and coverage. The industry is relatively young and unregulated. So, do not be afraid to ask for the coverage and endorsements that suit your business, or to haggle a bit on the price.
Waiver of Subrogation
Waivers of subrogation are common in various types of business insurance policies. There is a chance you might see this pop up as you search for cyber insurance coverage. A waiver of subrogation states that if both you and one of your customers are sued, and the insurance provider pays a judgment as a result, the insurance company cannot seek to recover part of the judgment from your customer. Clients may ask you for a waiver of subrogation before doing business with you.
Although sifting through cyber insurance policies can feel overwhelming and confusing, this guide should make it more approachable. With an understanding of the basic terms and what to look out for, you are much more likely to feel confident about the policy you choose. Remember that each business is different. The cyber risks associated with your organization will be unique to you. Do not be afraid to ask insurance providers to help you understand terms that are still confusing to you. Know that you might be able to ask them to add coverage that would not typically be included. Entering the cyber insurance purchasing process with an understanding of the basic vocabulary in a policy will also help you look much more informed to insurance carriers. It may increase their confidence in insuring your firm.