Cyber criminals are constantly finding new ways to circumvent corporate defenses, and just about every business falls victim to an attack sooner or later. Hence cyber insurance has become a lucrative product for insurance companies, and a must-have for businesses that want to offset the costs of attack-inflicted damage.

What Is Cyber Insurance and Why Do You Need It?

Cybersecurity insurance is insurance specifically designed to cover expenses or losses that might arise from a data breach. This could include the cost of legal fees or data recovery, reputational damage, or loss of income as a result of business disruptions. Extortion via ransomware attack is also often covered under such policies. Most standard business insurance policies don’t cover cyber risk, which is why the addition of cyber insurance is an increasingly attractive option for many companies.

Cyber insurance costs can vary due to a number of factors. The size of your company, the amount of data you transmit or store, and whether or not you’ve experienced a breach in the past can all affect the premiums you might pay for your cyber policy. Although the price can be steep, the cost of a data breach is usually higher, making cyber insurance a worthwhile consideration for your business.

What You Need to Know About Cyber Insurance

All companies deal in some kind of digital transaction, which means that all companies are potentially at risk for a breach. Having a cyber insurance policy in place can go a long way towards providing peace of mind for your investors, your customers, and your staff. Here are five things you need to know to choose a viable cyber insurance policy.

1) There Are Seven Types of Liability Coverage

To make the right decision about coverage, your company needs to focus on its biggest risks. The Center for Insurance and Policy Research addresses seven types of cyber liability insurance:

  • Liability for security or privacy breaches. This would include the loss of customer information by allowing unauthorized access to computer systems.
  • The costs associated with a cyber incident, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.
  • The costs associated with restoring, updating, or replacing business assets stored electronically.
  • Business interruption costs and extra expenses related to a security or privacy breach.
  • Liability associated with libel, slander, copyright infringement, product disparagement, or reputational damage to others when the allegations involve a business website, social media or print media.
  • Expenses related to cyber extortion (that is, ransomware payments).
  • Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.

These coverages can help to protect the company from the costs associated with a security breach. To purchase the best coverage, an organization needs to look at its IT compliance program and controls. Comparing those to the potential liabilities in the event of a breach can help to determine the best return on investment for cyber insurance coverage.

2) Cyber Insurance Does Not Cover All Events

Cyber insurance is an evolving field of coverage. This means that insurance companies have not yet determined how to word their policies to best protect themselves from unintended payouts. The emergent risks are currently unquantifiable, meaning that those purchasing cyber insurance need to review their policies carefully.

Your organization needs to understand not just what is covered, but also what is excluded. For example, cyber terrorism is a common exclusion. It’s important to note that while cyber extortion and malware are common coverages, these definitions may evolve or overlap in the years to come. Also expect litigation and court rulings to clarify this currently murky landscape.

For organizations trying to maximize their investment in cyber insurance, understanding the specific risks associated with the business becomes more important. Cyberattacks not only cause damage to the infiltrated business; they also often affect the organization’s customers due to the interconnectedness of modern business. When deciding on an insurance provider, your company should make sure that all third-party liability coverages match your business needs.

3) The Internet of Things and Cyber Insurance

Businesses increasingly depend on smart devices and other technology connected to the internet, collectively known as the “Internet of Things” (IoT). The sheer volume of potential entry points that are incorporated into most businesses via IoT can affect your insurance needs, too.

IoT cyber threats could result in more than just traditional data loss. Physical and bodily damage is a part of most traditional property insurance policies, and while you may not expect it, an IoT cyberattack can be a contributing factor to this kind of harm.

For example, a breach in a healthcare facility with IoT devices could result in serious harm to patients. Your cyber risk insurance, however, may not cover this kind of damage. Limitations on the coverage can be negotiated, but first your company needs to recognize what your insurance profile looks like across coverage lines.

Your organization will also need to determine whether the coverage available incorporates an appropriate loss scenario. This means that prior to purchasing and negotiating the coverage, you should look at the potential losses an IoT attack might cause to ensure that deductibles and self-insured retentions make sense in light of the current risk profile.

4) Cyber Insurance Does Not Absolve a Company of Its Responsibilities

The biggest issues in cybersecurity remain those arising from human error. Cybercriminals often prey upon your company’s employees, tricking them into sharing data. This can take the form of links, videos, or pictures shared in emails or on social media. In addition, phishing scams can trick employees by posing as a trusted resource while infecting their workstations with malware or ransomware.

Cyber insurance coverage can help against monetary losses arising out of data breaches, against libel arising out of a breach, and against business interruption. It cannot, however, protect against employee mistakes. Prevention is still the most important step when it comes to minimizing risk.

5) Information Security Compliance Can Help Cyber Insurance Outcomes

As the cyber insurance market matures, underwriters are getting a better grip on how to price potential losses. If your organization wants to obtain the best premiums for a cyber insurance policy, having a strong compliance and third-party risk management stance is one step in the right direction.

Moreover, strong controls can help support a filed claim. Insurance companies will first look to see if the organization was negligent, which would cancel coverage. Since negligence in these areas is currently ambiguous, your company’s compliance stance will help to prove your cybersecurity efforts and to obtain better claims outcomes if you ever need to file.

Can GRC Software Reduce the Cost of Cyber Insurance?

Ultimately, you’ll need to decide whether cyber insurance is a worthwhile expenditure for your company. If you’re unsure if insurance is the right choice for you, there are other risk management measures you can explore.

ZenGRC is a unified software platform that provides your company with continuous monitoring and clear management of your entire risk management landscape. By centralizing and streamlining your risk management and mitigation, ZenGRC can help you identify data breaches before they have the opportunity to harm your company and your clients. That better insight can then inform your decisions about cyber insurance.

Schedule a demo today to learn more about how ZenGRC can help you save money by creating a risk management program that works for you.
