Cyber Insurance Policy: Why You Need One and How to Choose
What Is a Cyber Insurance Policy?
Businesses buy insurance to manage a variety of risks. Cyber insurance, also known as cybersecurity liability insurance, allows businesses to manage the potential impact and cost of cyberattacks. By purchasing cybersecurity insurance and paying premiums, organizations transfer some of the risks associated with cyberattacks to the insurance company.
A cyber insurance policy specifies what types of risk are covered by the insurance provider. Typically, the policy includes both first-party coverage (covering direct losses and costs to the insured business) and third-party liability coverage (covering claims by external parties, such as customers or partners, that result from a cyber attack on the business).
Cybersecurity insurance is similar to other types of commercial insurance, and is offered by many of the same providers. Businesses can purchase cyber insurance from the same providers that offer them business liability, commercial property, and other types of insurance.
How Cyber Insurance Policies Protect Your Business
Like all forms of insurance, cyber insurance allows businesses and individuals to offload a financial risk – in this case the damage caused by a hack or data breach – onto their insurance provider. The size of the risk depends on many factors: the size of the company, the line of business, and how extensively the company relies on web- or cloud-based tools and services.
There is no perfect protection against cyberattacks, so insurance should be considered a financial safety net. The policies that best address cyberattacks are cyber liability insurance and data breach insurance.
Cyber insurance covers cybersecurity failures due to hacking, data breaches, or social engineering attacks. Damages covered by the insurance could include data recovery and reconstruction costs, business disruption, cyber extortion, funds stolen as a result of an attack, and public relations costs.
In some cases, insurers might hire cybersecurity experts to investigate incidents and strengthen the insured's existing security controls, to reduce the likelihood and cost of future claims.
What Do You Need to Acquire a Cyber Insurance Policy?
Before obtaining cyber insurance, it is a good idea to audit your infrastructure and document your cyber security policies and systems. To determine coverage and cost, cyber insurers will want to know what cyber defenses are in place, usually through a questionnaire or attestation that becomes part of the application. Like other insurers, cyber insurers will typically decline to cover, or charge higher premiums to, organizations that have no cybersecurity strategy and infrastructure in place, and misstatements on the application can be grounds for denying a later claim.
After auditing your cybersecurity infrastructure, contact multiple insurance companies to purchase a policy. Each company has its own policy criteria, exceptions, and costs. Therefore, be sure to read the terms of the policy. Insurers review existing cybersecurity strategies to determine their level of risk and willingness to insure an organization.
To keep risk at an acceptable level, policyholders must meet basic IT security standards to qualify for cyber insurance. At a minimum, businesses interested in purchasing cyber insurance should take the following security measures:
- All endpoints should have antivirus or endpoint protection software installed and kept up to date.
- Networks should be protected by a firewall.
- Business data should be regularly backed up to external media or a secure cloud service, with backups kept separate from production systems and restores tested.
- User access and privilege assignments must follow a documented process based on least privilege, with multi-factor authentication for remote and administrative access.
Types of Cyber Insurance Policies
Cyber insurance policies bundle several types of coverage, spanning first-party losses, first-party costs, and third-party liability. Each coverage has its own parameters, such as a sublimit (a cap on payouts for that category, below the overall policy limit) and a retention (the amount the insured pays before coverage applies).
- First-party losses might include loss of revenue due to business disruption, as well as any resources needed to recover from an attack, such as forensics, data restoration, and system rebuilding services.
- Third-party liability might include costs and legal fees related to damages to third parties, such as partners, customers or employees whose confidential information has been compromised.
What to Look For in a Cyber Insurance Policy
Event management costs
Identify what first-party costs are included in the policy. Your organization's actual costs in case of a breach could include forensic investigations, public relations, customer notifications, and credit monitoring for affected individuals. These are normal costs of most data breaches, whether there are subsequent legal claims or not.
Cyber extortion and reward payments
Cyber extortion is a very real threat facing organizations of all sizes. Extortion expenses are incurred directly as a result of a cyber attack, such as a ransomware attack. The company might need to pay money to attackers to regain access to data or services, and the policy should reimburse these extortion expenses. Check the conditions attached: policies commonly require the insurer's consent before any payment is made, and payments to sanctioned entities may be prohibited by law regardless of coverage. Another type of direct financial payout is a reward offered by the company for information leading to the arrest of an attacker.
A policy should cover various types of cyber crime, including theft of company funds, identity theft, mobile device compromises, and phishing scams. Sophisticated scams such as spear phishing, whaling, and business email compromise, in which attackers target or impersonate senior executives to authorize fraudulent payments, can result in major losses. However, insurers now commonly require evidence of a tested control, such as out-of-band verification of payment instructions and changes to bank details, before offering this coverage.
Security and privacy liability coverage
A policy should include defense and settlement costs, including litigation for breach of confidential personal data. This can sometimes be a collective action against a company, if multiple customers or third parties are impacted by a breach.
In some cases, a party whose data was exposed might sue to recover its own breach-related costs. The policy should also cover regulatory fines and penalties for failing to notify affected customers within the legally required time frame, to the extent such penalties are insurable in your jurisdiction.
Internet media liability
A policy should cover damages and defense costs faced by policyholders who post content on electronic or print media that infringes the intellectual property rights of third parties. It might also cover actual or alleged defamation, libel, or slander against individuals or organizations.