What is Cyber Insurance and why you need it
While it won’t protect your company against cyber crime, cyber insurance will definitely protect you in the event you suffer a breach that leads to the loss of important data, including important files, etc.
Defining cyber insurance
CLIC or cyber liability insurance coverage is a special type of insurance that helps protect your organization against cyber attacks by offsetting the (usually large) costs involved with such attacks. CLI or cyber liability insurance is rooted in error and omissions insurance and while it wasn’t that popular when it was first introduced, it seems that its popularity has been steadily increasing in the last years. In fact, by 2020 the value of CLI premiums is going to reach about seven point five billion dollars. Based on information from PwC, approximately 1/3 of companies buy some type of cyber insurance.
Many companies buy CLI, but what does it actually cover? Well, CL covers claims by 3rd parties and expenses related to first parties. Even though there are no standards in place when it comes to underwriting such policies, the following can be easily reimbursed:
In order to learn what happened, the best way to repair potential damages and prevent similar breaches from happening again, a forensics investigation needs to be considered. When an investigation is considered, they can involve coordination with the Federal Bureau of Investigation, law enforcement and they can also include using the services of a third party security company.
Extortion and lawsuits
This type of loss includes any type of expenses that is associated with the release of intellectual property and confidential data, but also regulatory fines and legal settlements. Depending on your case, it can also include ransomware expenses.
It’s very important to be aware of the fact that cyber insurance is always changing. This means that some companies that have suffered a cyber attack may not report the full list of damages suffered in order to avoid bad publicity. Because of this, there is limited data available that could help underwriters assess the full impact of cyber attacks.
Privacy and notification
This includes necessary data breach notifications to clients, but also any other affected party. There are many jurisdictions where privacy and notifications are mandated by law, including credit monitoring for clients whose personal and private info has been breached.
Depending on where you buy it from, a CLI may cover the same items that an E&O policy covers, but also financial losses caused by data loss recovery, business interruption, network downtime, and money required to manage a crisis that may be necessary for fixing reputation damage.
Buying a cyber insurance policy
There are many popular companies selling CLI policies, including Travelers, Chubb Philadelphia, and Allianz. According to information from internet security watchers, it is expected that more businesses will buy cyber insurance in the future. While that is true, if you want to buy cyber insurance you need to be aware of the fact that coverage can differ based on the insurer you consider.
Compare policies and make sure they cover all the items we previously mentioned. You should also ask the insurer about the following limits and special circumstances:
Can the insurer provide more types of CLI or is their coverage simply an extension to an existing policy? In general, it’s best to buy a separate policy, since it covers more times. You should also ask if you can customize the policy to meet your company’s needs.
Can you tell more about the deductibles? As you know it’s important that you carefully compare deductibles before buying.
How do limits and coverage apply to third and first parties? For instance, are third party service providers covered by the policy? Make sure to ask your service providers whether they have CLI or not and how it impacts your agreement.
Will the policy cover only specific attacks or any attack aimed at the company?
Will the policy cover actions taken by employees (non-malicious)? This is actually a part of the Errors and Omissions coverage which seems to apply to CLI, too.
Will the policy cover network attacks and social engineering (SE)? It seems that SE plays a major role in all types of attacks, such as advanced persistent threats, spear fishing and phishing.
Given the fact that advanced persistent threats take place over a long period of time, will the policy include time frames within which you are covered in the event of an attack?
You should know that a wide range of insurance offer a list of coverage items that you can compare with that of their competitors. Use it wisely in order to eventually get the best CLI for your needs.
Things insurers consider when deciding coverage
Before offering its services to companies, insurer will want to know that the buyer has taken all precautions to limit the risks of falling victim to a cyber attack. The company should also train their employees so that they improve awareness about social engineering and phishing. It’s also recommended to use threat intelligence services in order to reduce the risk of becoming a cyber attack victim.
Many small businesses cannot afford such services, since they’re very expensive. However, they can use penetration testers in order to test their external network defenses and patch any security vulnerabilities.
Since cyber insurance is becoming more standardized, insurers may also request company audits before they decide to extend their services to a buyer.
Deciding on the right CLI
If your company use the cloud, collects internet payment info or maintains customer data, then you should buy CLI. You should also keep in mind that there are many devices now that can easily be used to connect to business networks. As a result, the chances of cyber attacks are higher.
More and more businesses experience cyber attacks. While small businesses may think they’re not targeted as often, according to Symantec it seems that last year alone thirty percent of cyber attacks were aimed at small businesses with less than two hundred and fifty employees. In 2016 that number grew to forty three percent.
On a global scale, the losses of cyber attacks range between three hundred and seventy five billion to five hundred and seventy five billion dollars. While the sources differ, it seems that the average cost of data breaches caused companies to suffer losses of approximately three million dollars. If you’re a company that could never afford paying that much money, then it’s best to get CLI as soon as possible.
Keep in mind that CLI covers not only third party claims, but also first party losses. On the other hand, general liability insurance only covers property damage. Sony fell prey to this situation 5 years ago with the PlayStation breach fiasco. At that time, Sony lost about one hundred and seventy one million dollars which could’ve easily been offset by carrying CLI.
In terms of costs, you should know that the cyber insurance premiums and coverage depend on the company’s yearly gross income, security policies, security posture, data exposures and risks, but also the kind of services they provide and the industry it serves. In terms of premiums, they can range anywhere from eight hundred dollars to twelve hundred dollars for consultants, tax preparers and small companies with revenues of $100K to $500K, to $10K to over $100K for those with revenues of more than a million dollars a year.