Cybercriminals constantly find new ways to circumvent corporate defenses, and just about every business falls victim to an attack sooner or later. Hence cyber insurance has become a lucrative product for insurance companies to offer — and a must-have for businesses to offset the costs of attack-inflicted damage.
What Is Cyber Insurance and Why Do You Need It?
Cyber insurance is insurance specifically designed to cover expenses or losses that might result from a data breach. This could include the cost of legal fees or data recovery, reputational damage, or loss of income due to business disruptions. Extortion via ransomware attacks is also often covered under such policies. Most standard business insurance policies don’t cover cyber risks, so adding cyber insurance is an increasingly attractive option for many companies.
The cost of cyber insurance can vary depending upon several factors, such as the size of your company, the amount of data you transmit or store, and whether you’ve experienced a breach in the past. Although the price can be steep, the cost of a data breach is usually even higher, making cyber insurance a worthwhile consideration for your business.
What You Need To Know About Cyber Insurance
All companies have digital transactions, which means that all companies are potentially at risk for a breach. A cyber insurance policy can provide peace of mind for your investors, customers, and staff. Here are five things you need to know to choose a viable cyber insurance policy.
1. There are seven types of liability coverage
To make the right decision about coverage, your company needs to focus on its most significant risks. The Center for Insurance and Policy Research lists seven types of cyber liability coverage:
- Liability costs for security or privacy breaches, which would include losing customer information by allowing unauthorized access to computer systems.
- Costs associated with cleaning up after a cyber incident, including consumer notification, customer support, and the fees of providing credit monitoring services to affected consumers.
- Costs associated with restoring, updating, or replacing business assets stored electronically.
- Business interruption costs and extra expenses related to a security or privacy breach.
- Liability costs associated with libel, slander, copyright infringement, product disparagement, or reputational damage to others when the allegations involve a business website, social media, or print media.
- Expenses related to cyber extortion (that is, ransomware payments).
- Coverage for expenses related to regulatory compliance proceedings over billing errors, physician self-referral (Stark Law) proceedings, and Emergency Medical Treatment and Active Labor Act (EMTALA) proceedings. This item applies mainly to healthcare providers.
Such policies can help protect the company from the costs associated with a security breach, but an organization should first look at its IT compliance program and controls to understand the types of disruption it might face. Understanding the potential liabilities in the event of a breach helps determine which coverage lines give the best return on investment.
2. Cyber insurance does not cover all events
Cyber insurance is an evolving field of coverage. Insurance companies still need to determine how to best design their policies to protect themselves from unintended payouts. Emergent risks are often unquantifiable, so those purchasing cyber insurance must review their policies carefully.
Your organization needs to understand not just what is covered, but also what is excluded. For example, acts of war and, in many policies, cyberterrorism are common exclusions, and the line between a criminal attack and a state-sponsored one is not always clear. It is also worth noting that while cyber extortion and malware are common coverages, their definitions may evolve or overlap in the years to come. Expect litigation and court rulings to clarify this currently murky landscape.
For organizations trying to maximize their investment in cyber insurance, understanding the specific risks associated with the business becomes more important. Cyber attacks not only cause damage to the infiltrated business; they also often affect the organization’s customers thanks to the interconnectedness of modern business. So when deciding on an insurance provider, your company should confirm that all third-party liability issues are covered.
3. The internet of things and cyber insurance
Businesses increasingly depend on smart devices and other technology connected to the internet, collectively known as the "Internet of Things" (IoT). The sheer volume of entry points that IoT adds to most businesses also affects your insurance needs. IoT cyber threats can result in more than traditional data loss. Bodily injury and physical property damage, for example, are traditionally handled by general liability and property policies rather than by cyber policies, yet an IoT vulnerability can be the direct cause of such harm.
For example, a breach of a networked medical device at a healthcare facility could seriously harm patients. Your cyber risk insurance, however, might not cover this kind of damage, and your general liability policy may exclude losses caused by a cyber event. You can negotiate endorsements or sublimits to close that gap, but first your company needs to understand what its insurance profile looks like across all coverage lines.
Your organization must also determine whether coverage incorporates an appropriate loss scenario. This means that before negotiating and purchasing a policy, you should model the potential losses an IoT attack might cause. This ensures that deductibles and self-insured expenses make sense for your risk profile.
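The loss modeling described above can be done with a simple frequency/severity Monte Carlo simulation. The following is an added example, not code from the original article: it draws a Poisson number of incidents per year and a lognormal loss per incident, then splits each year's losses into the part the insured retains (deductible plus anything above the aggregate limit) and the part the insurer pays. Replaying the same scenarios under different deductibles shows what each level of self-insured retention actually costs. The incident rate, loss sizes, and policy terms are hypothetical placeholders, and the model is deliberately minimal (per-incident deductible, annual aggregate limit, no sublimits or coinsurance).

```python
"""Monte Carlo sizing of a cyber policy's per-incident deductible.

Added illustration, not from the original article. All rates, loss sizes and
policy terms below are hypothetical placeholders; replace them with your own
incident history and the terms actually quoted to you.
"""
import math
import random


def sample_poisson(rng, rate):
    """Number of incidents in one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_policy(rate, median_loss, sigma, deductible, aggregate_limit,
                    years=20000, seed=7):
    """Simulate `years` policy years and split each year's losses.

    rate            expected incidents per year (Poisson frequency)
    median_loss     median loss per incident; sigma is the lognormal spread
    deductible      amount the insured retains on each incident
    aggregate_limit most the insurer pays in one policy year
    Returns three lists (gross, retained, insured), one entry per year.
    The random stream does not depend on the policy terms, so runs with the
    same seed replay identical incident scenarios under different terms.
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)
    gross, retained, insured = [], [], []
    for _ in range(years):
        g = i = 0.0
        remaining = aggregate_limit
        for _ in range(sample_poisson(rng, rate)):
            loss = rng.lognormvariate(mu, sigma)
            claimable = max(loss - deductible, 0.0)
            payout = min(claimable, remaining)   # nothing more once the limit is spent
            remaining -= payout
            g += loss
            i += payout
        gross.append(g)
        insured.append(i)
        retained.append(g - i)   # deductibles plus any excess over the limit
    return gross, retained, insured


def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(rate, median_loss, sigma, deductible, aggregate_limit, **kw):
    gross, retained, insured = simulate_policy(
        rate, median_loss, sigma, deductible, aggregate_limit, **kw)
    n = len(gross)
    return {
        "deductible": deductible,
        "mean_gross": sum(gross) / n,
        "mean_retained": sum(retained) / n,
        "p95_retained": percentile(retained, 0.95),
        "p99_retained": percentile(retained, 0.99),
        "mean_insured": sum(insured) / n,
        # share of simulated years in which the aggregate limit was fully consumed
        "p_limit_exhausted": sum(1 for x in insured
                                 if x >= aggregate_limit * (1 - 1e-9)) / n,
    }


if __name__ == "__main__":
    # Hypothetical profile: 0.4 incidents/year, median loss 150k, heavy tail,
    # 2M annual aggregate limit. Compare three deductible levels.
    for ded in (25_000, 100_000, 250_000):
        s = summarize(0.4, 150_000, 1.2, ded, 2_000_000)
        print(f"deductible {ded:>8,}: mean retained {s['mean_retained']:>10,.0f}"
              f"  p99 retained {s['p99_retained']:>12,.0f}"
              f"  mean insured {s['mean_insured']:>10,.0f}"
              f"  limit exhausted {s['p_limit_exhausted']:.2%}")
```

The figures to compare against the quoted premiums are the mean insured loss (roughly what the insurer expects to pay, before its loading) and the p99 retained loss (what you must be able to absorb in a bad year). A deductible whose p99 retained figure exceeds the cash the business can actually put up is not a saving; a limit that is exhausted in more than a small fraction of years is too low for the risk profile.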
4. Cyber insurance does not absolve a company of its responsibilities
The most significant issues in cybersecurity remain those resulting from human error. Criminals often prey upon a company's employees, tricking them into sharing data or running malicious content. The lure can be a link, video, or image shared by email or social media, and phishing messages impersonate a trusted source to harvest credentials or infect workstations with malware or ransomware.
Cyber insurance coverage can help protect against monetary losses from data breaches, against libel arising out of a breach, and against business interruption — but insurance can’t protect against employee mistakes; prevention is still an essential step in minimizing risk.
5. Information security compliance can help cyber insurance outcomes
As the cyber insurance market matures, underwriters are getting better at pricing potential losses. If your organization wants to obtain the best premiums for a cyber insurance policy, having robust cyber compliance and third-party risk management programs is one step you can take to reduce your insurance costs.
Also remember that strong controls can help support a filed claim. Insurers will investigate whether the organization was negligent, and whether the controls attested to on the application were actually in place when the incident occurred; a finding of negligence or misrepresentation can reduce the payout or void coverage. Since the standard for negligence in this area is still unsettled, a documented compliance posture is your evidence of reasonable cybersecurity effort, and it improves your claims outcome if you ever need to file.
What Does a Cyber Insurance Policy Cover?
Typically, cyber insurance includes five categories of protection to safeguard your business from these key risks.
1. Network protection
Network security coverage is crucial for most businesses, especially those with information and privacy risks. This coverage protects your company in case of a breakdown in network security, such as a data breach, malware infection, cyber-extortion demand, ransomware, or compromised corporate emails.
First-party expenditures (that is, those you directly incur due to the cyber event) are covered under network security coverage. These costs include:
- Legal costs
- IT forensics
- Negotiation of a ransomware demand and its payment
- Data recovery
- Consumer breach notification
- Establishing a call center
- Public relations
- Identity restoration and credit monitoring
2. Data breach liability
Breach liability coverage (sometimes known as privacy liability coverage) is also crucial for most businesses, particularly those with information or privacy risk. A leak or unauthorized disclosure of sensitive customer information jeopardizes the people affected and puts your company at risk of a lawsuit.
Privacy liability coverage shields your business from liabilities if a cyber incident or privacy law violation occurs. These liabilities may arise from a failure to meet a contractual commitment (for example, a data-protection clause in a customer contract) or from governmental, regulatory, or law enforcement inquiries.
3. Business interruption on the network
How much of your business’s operations depend on technology? Network business interruption coverage offers a solution for companies exposed to operational cyber risks.
You can recover lost earnings, fixed expenditures, and additional costs spent during the period your business was disrupted when your network or the network of your service provider goes down due to an event.
This covers outages caused by security failures, such as a third-party attack, as well as by system failures, such as a botched software patch or operator error.
4. Media liability
This offers protection against claims of intellectual property infringement arising from the promotion of your services, with the usual exception of patent infringement. It frequently applies to printed and internet advertising, including social media posts.
5. Errors and omissions (E&O)
E&O coverage protects against lawsuits brought about by mistakes made while delivering your services or by their non-performance.
This can include professional services usually delivered by attorneys, surgeons, architects, and engineers and technology-related services such as software and consultancy.
When such a claim is made, E&O coverage responds to allegations of negligence or breach of contract. It may also cover the cost of indemnification or legal defense in a lawsuit or customer dispute.
Key Components of Cyber Insurance Coverage
Cyber insurance policies are built from two components:
- First-party cyber liability insurance. This covers the expenses of investigating and responding to a cyber event, along with the financial repercussions on the organization's own business operations.
- Third-party cyber liability insurance. This component indemnifies the organization for claims others file against it over the breach it suffered (for example, customers suing because their data was exposed).
First-party coverage
Let’s explore the key components that make first-party insurance important.
- Forensic investigations. After an attack, the policy typically funds an incident response firm to conduct the forensic investigation. The firm identifies and categorizes the attack, assesses the damage, cleans affected systems, and restores endpoints. These services contain the attack, minimize damage, and underpin a comprehensive recovery plan.
- Legal counsel. The aftermath of a breach triggers complex legal requirements that vary across jurisdictions, so first-party policies often provide access to experienced breach counsel. Counsel sets out the precise steps the organization must take to meet its legal obligations following a cyber incident.
- Notifications. Organizations shoulder the burden of identifying and notifying affected parties about risks to their personal information, from customer Social Security numbers to employee data such as addresses, bank details, credit card numbers, driver's license information, and health records. Prompt notification of the relevant authorities and government agencies, with the necessary documentation, is essential.
- Victim credit monitoring. Certain states require organizations to cover the costs of credit monitoring or provide assistance in restoring identities for affected individuals. A lifeline for victims, this aspect of a cyber insurance policy eases the distress caused by data breaches.
- Cyber extortion. Robust cyber insurance policies include coverage for ransomware and other extortion attacks. With support services and dedicated funds, policyholders can respond to the demand and regain control over their networks, data, and other valuable assets.
- Data recovery, business interruption, and loss of revenue. Following major cyberattacks, businesses often grapple with severe disruptions to critical operations, customer services, and data loss, and revenue takes a substantial hit as a result. Cyber policies give organizations a method to calculate lost revenue and offset the financial blow during the affected period. They also cover data recovery and asset restoration costs, smoothing the path back to normal operations.
- Reputational harm. When a breach tarnishes an organization's reputation, the organization often has to engage in extensive marketing and public relations efforts to rebuild it. A robust cyber insurance policy covers the costs of these reputation-building activities.
Third-party coverage
Third-party cyber insurance encompasses several vital areas of protection:
- Network security and privacy liability. Covers losses incurred by clients, customers, partners, or vendors due to errors, omissions, or negligence by the insured during a cyber event.
- Regulatory liability. Provides coverage for legal expenses to defend against enforcement actions from privacy regulators.
- PCI fines. Protects against the fines and assessments that card brands and acquiring banks levy for non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) after a cardholder data breach.
- Media liability. Offers coverage against defamation, libel, slander, intellectual property theft, and copyright infringement.
What Are the Requirements for Cyber Insurance?
Most insurance carriers do a cyber risk assessment as part of their underwriting to determine your premium, policy limitations, and whether you even qualify for cyber insurance in the first place. Depending on the size of your business, this procedure might range from a questionnaire to a thorough investigation performed for several weeks by a cybersecurity firm. Insurance carriers might also perform new risk assessments over time to ensure their pricing is accurate.
Policyholders must meet baseline IT security requirements to be eligible for cyber insurance. At a minimum, a business seeking coverage should have the following in place:
- Endpoint protection (antivirus or, increasingly, endpoint detection and response) installed on every workstation and server and kept up to date.
- A firewall securing the enterprise network.
- Regular backups of company data to secure cloud services or external media, kept offline or otherwise isolated from the production network so that ransomware cannot encrypt them along with the originals.
- A secure provisioning process for granting user access rights and permissions, following least privilege.
Many carriers now also ask specifically about multi-factor authentication on remote access, email, and privileged accounts; answer these questions accurately, because a control claimed on the application but absent at the time of a loss can jeopardize the claim.
Use ZenGRC to Enhance Your Cybersecurity
If you’re unsure whether insurance is the right choice for your business, there are other unified risk management measures you can explore.
ZenGRC is a unified software platform that provides your company with continuous monitoring and precise management of your entire risk management landscape. By centralizing and streamlining your risk management and mitigation, ZenGRC can help you identify control gaps before they turn into breaches that harm your company and your clients. Armed with these insights, you can make informed decisions about cyber insurance.
Schedule a demo today to learn more about how ZenGRC can help you save money by creating a risk management program that works for you.