Cyber Insurance Checklist

If there is any doubt that cyber insurance is essential, just consider the size of the threat that hackers present:

  • The cost of cybercrime is projected to reach $21 trillion by 2021.
  • The cost of ransomware exceeded $5 billion in 2017
  • The cost of ransomware exceeded $5 billion in 2017

At this point, cybercrime represents an existential threat for companies regardless of their size or the industry they operate in. Plus, cybercrime has become so ubiquitous that no company can consider itself immune to attack.

Adopting a comprehensive cyber security strategy is an essential first step. The second step is acknowledging that no strategy is ironclad, and hackers are incredibly good at exploiting weaknesses and vulnerabilities. As important as protection is, it's never guaranteed.

Cyber insurance exists to protect enterprises from the unexpected, unwanted, unavoidable. If and when a company falls victims to a hacker, cyber insurance kicks in to cover the cost. Only around 50 percent of companies currently carry cyber insurance, which is surprising considering that 100 percent of them are threatened by an attack.

It is now time for enterprises large and small to give cyber insurance serious consideration. This checklist will help you focus in on the most important issues, ask the most important questions, and ultimately make the best decision about your cyber insurance.

Step One – Evaluate Your Level of Risk

Every company should assume that they are being actively targeted by hackers. But there are some companies that are at a higher-level of risk because they handle a sensitive type of data, are dependent on complex or outdated technologies, have limited resources for cyber security, or simply have a history of being breached.

Understanding the size of the threat is essential. Just as essential is understanding the scope and scale of the consequences if you did fall victim to hackers. Estimating the damage done to your bottom line, to the stability of your business operations, and to your public reputation are all important. Those estimates help you later determine what coverage levels you need to pursue.

Last but not least, consider that a cyber event can result from an outright attack or from an unexpected accident. Imagine the damage if your office was flooded, exposed to a fire, or simply facing a power outage. You may find yourself in the midst of a digital emergency but be without assistance because your policy only covers attacks.

Step Two – Evaluate Your Level of Need

Cyber insurance policies, like most insurance policies, get a lot more opaque and obscure once you begin diving into the details. Before exploring the fine print, take a careful look at the technologies you rely on and how vulnerable they are to attack. Some companies need to secure mazes of technologies and entry points. Others need to focus their efforts in one place. Companies must understand when, where, and why they need coverage in order to avoid gaps that could cost millions. Here are some of the areas where you might need coverage:

  • Network security, including hardware and software
  • Incident response in the wake of a data breach
  • Insurance for lost or stolen laptops and mobile devices
  • Business interruption as a result of a cyber event
  • Coverage for types of cyber extortion like ransomware
  • Crisis management and public relations
  • Losses in 3rd party systems
  • Forensic investigations

Once you have a better idea of what strengths and weaknesses exist within you IT infrastructure you can pursue cyber insurance policies that protect what you need and exclude what you don't

Step Three – Learn About the Types of Cyber Insurance

The cyber insurance marketplace has become a lot more diverse now that cyber security is a mission-critical priority for responsible companies. However, most cyber insurance still falls into one of two distinct types of coverage:

First Party Coverage

This type of coverage is designed to cover costs associated with the direct response to a cyber event. If and when an attack or accident occurs, first-part coverage provides funds to help immediately resolve and mitigate the issue. Here are some examples:

  1. The cost of calculating the size or cost of an event
  2. The cost of credit monitoring and crisis management
  3. The cost of legal advice related to an event
  4. The cost of hardware replacement or data restoration
  5. The cost of business interruptions or diminished operations
  6. The cost of notifying affected parties

Third-Party Liability

This type of coverage is designed to cover associated or delayed costs that arise from a cyber event. Ultimately, those costs are often far greater that what is immediately spent to resolve an event. Here are some examples:

  1. The cost of privacy liability lawsuits brought by employees or customers affected by a data breach.
  2. The cost of copyright lawsuits filed after intellectual property is exposed.
  3. The cost of breach of contract or negligence lawsuits.
  4. The cost of investigations, fines, and penalties levied by regulators.

Step Four – Estimate Your Budget

This is where the evaluation process starts to get tricky. Unlike other types of insurance, cyber insurance suffers from a lack of standardization. The details of one policy may vary wildly from the details of another even if they are similarly priced and titled.

Returning to steps one and two, companies must acutely understand how much risk they face. Then they must determine how much they can spend on monthly premiums and insurance deductibles. Cyber insurance is only an asset if the value of the protection exceeds the cost of the coverage.

Step Five – Focus in on the Details

The cost of cyber insurance can vary widely. Calculating how much it is possible to spend on cyber insurance compared to how much it is possible to lose is imperative. Consider that Target carried over $100 million in cyber insurance but suffered losses in excess of $300 million as a result of its massive 2014 data breach.

The first thing to focus on is exactly what sorts of cyber events the coverage applies to. Policies often focus in on specific types of attacks or accidents rather than offering blanket coverage. The details really matter here, because companies may assume they are covered for one type of incident only to discover a gap or hole in the policy.

The next thing to focus on is how the policy kicks in. Again, the details of this process are vastly different across policies. Some provide immediate provide provisions while others require claimants to meet a burden of proof or navigate through complicated procedures and practices. The exact terms, conditions, and exclusions require close scrutiny to avoid relying on inadequate or incomplete levels of coverage.

To help you focus your evaluation efforts, focus on these types of details:

Exclusions in the policy that pertain to your business practices.

Whether the policy contains broad or specific triggers for coverage.

Whether the policy contains broad or specific triggers for coverage.

If a policy covers mistakes made by third parties like vendors and suppliers.

What territory the policy covers, eg. region, nation, or globe.

Step Six – Look for the Best Policy and Price

The previous steps are where the bulk of your efforts will occur. Understanding the scope and limitations of cyber insurance is essential before you actually commit to a policy. Once your understanding is up to par, take these steps to identify the best policy and price for your needs:

  • 1

    Don't Go Overboard

    Since the size of the threat landscape is so vast it's possible to purchase an incredibly extensive cyber insurance policy. These may be necessary for some companies, but most can forego coverage for risks that are particularly rare or unlikely. The right coverage is not necessarily the most expensive coverage.

  • 2

    Adjust Your Liability Limits

    The amount of coverage you need can change quickly. For instance, picking up a big new client or implementing a new enterprise technology may multiply your risk. The amount of coverage you need today may not match the amount of coverage you need tomorrow.

  • 3

    Ask for Retroactive Coverage

    Most policies dictate that coverage goes into effect the day the policy is signed. The problem is that data breaches often take months or years to detect. If the incident occurred before the policy activated, damage is not covered even if it occurs after the policy is activated. Retroactive coverage kicks in before the inception date.

  • 4

    Beware of Broad Exclusions

    The fine print of cyber insurance policies may include language that appears innocuous but in fact excludes you from coverage for a wide range of incidents and attacks. The purpose is to guard against more threats, not less.

  • 5

    Beware of Panel or Consent Provisions

    Some policies may require you to work with lawyers or consultants who are pre-approved by the insurer. If you prefer to work with counsel that has an established relationship with your company, make sure this is authorized during the underwriting process.

  • 6

    Cover Your Vendors

    The interconnected nature of today's business IT means that one company is exposed to threats that originate in another. Committing to a policy that excludes broad coverage for third parties represents a serious gap in coverage and a potentially serious vulnerability.

Step Seven – Reconsider Your Cyber Security Strategy

Identifying the right kind of cyber insurance requires time and commitment. But once you have a policy in place it should provide enough peace of mind to allow you to focus your efforts elsewhere. Cyber insurance is a passive measure, but cyber security must be an active measure.

The single best way to manage the cost of a cyber event it to avoid a cyber event entirely. As expensive and complex as cyber security may be, the effort pales in comparison to what it takes to resolve an attack, breach, or mistake.

Your insurer may also mandate that you implement certain levels of protection in order for coverage to apply. In the same way that homeowners are expected to perform certain types of repairs and upkeep in order for their insurance policies to remain valid, companies must maintain certain levels of cyber security in order to be eligible for coverage. Be sure to factor in the cost of these requirements when calculating the relative value of a policy.

Remember, also, that user training and education are the least expensive and most effective forms of cyber protection. The vast majority of threats are either invited or enabled by a user within your organization. Making it a priority to alert users to threats, demonstrate best practices, and reward caution and care are more valuable than any other type of protection.

Step Eight – Evaluate and Update

At several points in the this checklist we have touched on the importance of evaluating and updating your cyber insurance policy. You may suddenly have a larger liability than you used to, leaving a percentage of your data uncovered. More alarmingly, new types of threats and attacks that hackers are currently developing may fall outside the limits of your existing coverage. Hackers are an extremely tenacious and creative group, and the coverage of today may be irrelevant to the threats of tomorrow.

As part of a broader cyber security strategy, companies must regularly review the details of their cyber insurance policy, the extent of their IT infrastructure, and nature of the present threat landscape. If and when it's apparent that more coverage is necessary, immediate action must be taken. Conversely, if a company is paying for coverage that applies to outdated or irrelevant risks, it may be possible to abandon that coverage without creating a liability.

Cyber Insurance – A Primary Piece of Protection

Insurance is a major cost for companies, and in the best cases it's an irrelevant one too. Most people would rather pay their premiums than have to file a claim for something. In that context, cyber insurance may seem like an irrelevant or unnecessary expense.

But for a potent reminder of just how important it is, simply consider the types of insurance coverage you already carry. You are likely protected against obscure and unlikely threats, whether they be a tornado, burglar, or unprofessional employee. Now compare those threats to the clear and present danger of a cyber event. Hopefully it's clear that cyber insurance is not optional, it's essential.