Cyber insurance policies, also known as cyber liability insurance coverage (CLIC), are now offered by a number of companies to help mitigate risk exposure by offsetting recovery costs after a cyberattack or breach. PwC estimates that the $2.5 billion market for cyber insurance will reach $7.5 billion by 2020, and that one-third of U.S. businesses may already have some kind of cyber insurance coverage.
Cyber insurance generally covers both first- and third-party claims, though it’s important to remember that there’s no underwriting standard for CLIC. Nevertheless, reimbursable expenses commonly include:
Forensic Investigations: Whenever a breach occurs, an investigation must ensue to determine the who, what, when, where, and how. The full scope of damage may not be immediately visible, and measures will need to be constructed to prevent the same types of attacks from happening again.
Data and Privacy Customer Notification: Whenever a data breach occurs, federal mandate requires companies to inform their customers and affected parties within a specific amount of time what happened and who is at risk. Your insurance agency is going to be the first to determine all of that information via forensics, and this can shorten the time it takes for the information to reach affected parties.
Cyber E&O: Errors and omissions policies generally protect against negligence, and cyber E&O is no different. Coverage may include financial loss due to network failure, interruption of normal business services, loss of customer data and information, and possibly even reparation of damaged reputation.
Other Expenses: Other lawsuits may arise outside of the E&O scope from cyber breaches including compromised protection of confidential secrets or IP. Fines arising from non-compliance are coverable, as are the costs of a CryptoLocker extortion attack.
Once again, there is no set standard for CLIC yet. Part of this is due to the fluid nature of cybersecurity itself, an evolving industry that can change to an extreme degree in a short amount of time. Most importantly, as you begin to explore coverage for you and your business, assume nothing is covered when shopping and ask all necessary questions of every provider. I’ve covered the questions you should ask in this post: Questions to Ask Your Cyber Liability Insurance Provider
Large businesses have no reason not to select good CLIC. Any organization that is collecting or storing customer data should consider whether or not they can add insurance to their budget, because potential losses far outweigh costs. Ponemon Institute’s Cost of Data Breach 2015 Report shows that the average cost for each lost or stolen record containing sensitive or confidential information rose to $217 this year, up from $201 in 2015. The total average cost paid by organizations rose to $6.5 million this year, up from $5.9 million in 2015.
Small businesses might think that they don’t need to worry, but reports are showing that attacks against all businesses are increasing, not just large ones. Symantec’s Intelligence Report 2015 and their 2016 Internet Security Threat Report showed that over 30 percent of phishing attacks targeted businesses with fewer than 250 employees, and that 43 percent of all attacks in 2015 were deployed against small businesses.
When you look at the numbers, the choice to purchase CLIC looks even better. However, identifying whether or not you need cyber insurance is only half of the battle; the other half is actually getting it. Make sure that your provider is putting forth due diligence, doing a manual inspection of your facilities, for example, instead of just sending you a checklist with “yes” or “no” options. Shawn Wiora, CIO and CISO at Creative Solutions in Healthcare, recounts such an experience, where a potential insurer once asked: “Do you ensure that all wireless networks have protected access?” A simple “yes” didn’t account for how many locations he had or ask for any additional information, which could have led to potential disputes.
Companies still wondering whether or not to invest in CLIC should create a cyber risk profile for the organization and, from there, begin estimating how much their expenses are going to be across the spectrum. Do your research, be choosy, and know your policy. Nothing is worse than thinking you’re covered for something only to find out that the coverage you purchased didn’t protect you where and when you needed it most.