Cybercriminals constantly find new ways to circumvent corporate defenses, and just about every business falls victim to an attack sooner or later. Hence cyber insurance has become a lucrative product for insurance companies and a must-have for businesses that want to offset the costs of attack-inflicted damage.

What Is Cyber Insurance and Why Do You Need It?

Cybersecurity insurance is insurance specifically designed to cover expenses or losses that might arise from a data breach. This could include the cost of legal fees or data recovery, reputational damage, or loss of income due to business disruptions. Extortion via ransomware attacks is also often covered under such policies. Most standard business insurance policies don’t cover cyber risk, so adding cyber insurance is an increasingly attractive option for many companies.

The cost of cyber insurance can vary due to several factors. The size of your company, the amount of data you transmit or store, and whether or not you’ve experienced a breach in the past can all affect the premiums you might pay for your cyber policy. Although the price can be steep, usually the cost of a data breach is even higher, making cyber insurance a worthwhile consideration for your business.

What You Need to Know About Cyber Insurance

All companies deal in digital transactions, which means that all companies are potentially at risk for a breach. Having a cyber insurance policy can go a long way toward providing peace of mind for your investors, your customers, and your staff. Here are five things you need to know to choose a viable cyber insurance policy.

There Are Seven Types of Liability Coverage

To make the right decision about coverage, your company needs to focus on its most significant risks. The Center for Insurance and Policy Research addresses seven types of cyber liability insurance:

  • Liability for security or privacy breaches. This would include losing customer information by allowing unauthorized access to computer systems.
  • The costs associated with cleaning up after a cyber incident, including consumer notification, customer support, and the fees of providing credit monitoring services to affected consumers.
  • The costs associated with restoring, updating, or replacing business assets stored electronically.
  • Business interruption costs and extra expenses related to a security or privacy breach.
  • The liability associated with libel, slander, copyright infringement, product disparagement, or reputational damage to others when the allegations involve a business website, social media, or print media.
  • Expenses related to cyber extortion (that is, ransomware payments).
  • Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings, and Emergency Medical Treatment and Active Labor Act proceedings.

Such policies can help to protect the company from the costs associated with a security breach. An organization should first look at its IT compliance program and controls to understand the types of disruption it might face. Understanding the potential liabilities in the event of a breach can help to determine the best return on investment for cyber insurance coverage.

Cyber Insurance Does Not Cover All Events

Cyber insurance is an evolving field of coverage. Insurance companies have not yet determined how to best design their policies to protect themselves from unintended payouts. Emergent risks are often unquantifiable, meaning those purchasing cyber insurance must review their policies carefully.

Your organization needs to understand not just what is covered, but also what is excluded. For example, cyber terrorism is one common exclusion. It’s important to note that while cyber extortion and malware are common coverages, these definitions may evolve or overlap in the years to come. Also, expect litigation and court rulings to clarify this currently murky landscape.

For organizations trying to maximize their investment in cyber insurance, understanding the specific risks associated with the business becomes more important. Cyber attacks not only cause damage to the infiltrated business; they also often affect the organization’s customers due to the interconnectedness of modern business. So when deciding on an insurance provider, your company should assure that all third-party liability issues are covered.

The Internet of Things and Cyber Insurance

Businesses increasingly depend on smart devices and other technology connected to the internet, collectively known as the “Internet of Things” (IoT). The sheer volume of potential entry points incorporated into most businesses via IoT can also affect your insurance needs.

IoT cyber threats could result in more than just traditional data loss. For example, bodily damage is a part of most traditional property insurance policies. While you may not expect it, an IoT cyber attack can contribute to this kind of harm.

For example, a healthcare facility with an IoT device breach could seriously harm patients. Your cyber risk insurance, however, might not cover this kind of damage. You can negotiate limitations on the coverage, but first your company needs to understand what your insurance profile looks like across coverage lines.

Your organization must also determine whether the coverage available incorporates an appropriate loss scenario. This means that before negotiating and purchasing a policy, you should look at the potential losses an IoT attack might cause. This lets you assure that deductibles and self-insured expenses make sense for the risk profile you have.

Cyber Insurance Does Not Absolve a Company of Its Responsibilities

The most significant issues in cybersecurity remain those arising from human error. Criminals often prey upon your company’s employees, tricking them into sharing data. These can be links, videos, or pictures shared in emails or social media. In addition, phishing scams can trick employees by looking like a trusted resource while accessing the workstations with malware or ransomware.

Cyber insurance coverage can help protect against monetary losses arising out of data breaches, against libel arising out of a breach, and against business interruption – but insurance can’t protect against employee mistakes; prevention is still an essential step in minimizing risk.

Information Security Compliance Can Help Cyber Insurance Outcomes

As the cyber insurance market matures, underwriters are getting at pricing potential losses. If your organization wants to obtain the best premiums for a cyber insurance policy, a robust cyber compliance and third-party risk management programs is one step you can take to reduce your insurance costs.

Also remember that strong controls can help support a filed claim. Insurance companies will first look to see whether the organization was negligent, which would cancel coverage. Since negligence in these areas is currently ambiguous, your company’s compliance stance will help to prove your cybersecurity efforts and to obtain better claims outcomes if you ever need to file.

What Does a Cyber Insurance Policy Cover?

Typically, cyber insurance includes four categories of protection to safeguard your business from these key risks.

Network Protection

Network security coverage is crucial for most businesses, especially those exposed to information and privacy risks. This coverage protects your company in case of a breakdown in network security, such as a data breach, malware infection, cyber-extortion demand, ransomware, or compromised corporate emails.

First-party expenditures (that is, those you directly incur due to the cyber event) are covered under network security coverage. These costs include:

  • Law-related costs
  • Forensic IT
  • Negotiation of a ransomware demand and its payment
  • Data recovery
  • Consumer breach notification
  • Establishing a call center
  • Knowing public relations
  • Identity restoration and credit monitoring

Data Breach Liability

For most businesses, particularly those with information or privacy risk, privacy liability coverage is also crucial.

Information about customers and employees can be sensitive, and leaks or violations that reveal such data jeopardize the security of the people affected and put your company at risk of a lawsuit.

Privacy liability coverage shields your business from liabilities if a cyber incident or privacy law violation occurs. These expenses may result, for instance, from weaknesses necessary to fulfill a contractual commitment or governmental and law enforcement regulatory inquiries.

Business interruption on the network

How much of your business’s operations depend on technology? Network business interruption coverage offers a solution for companies exposed to operational cyber risks.

You can recover lost earnings, fixed expenditures, and additional costs spent during the period your business was disrupted when your network or the network of a provider on whom you rely goes down due to an event.

This involves damage brought on by flaws in security, such as a third-party hack; or system failures, including unsuccessful software patches and human errors.

Media Responsibility

This offers protection against intellectual property infringement caused by the promotion of your services, except patent infringement. It frequently applies to your printed and internet advertising, including social media posts.

Errors and Omissions (E&O)

E&O coverage protects against lawsuits brought about by mistakes made while delivering your services or by their non-performance.

This can include professional services more commonly delivered by attorneys, surgeons, architects, and engineers and technology-related services such as software and consultancy.

Should this happen, E&O coverage covers claims of carelessness or contract violation. It may also cover the expense of indemnification or legal defense in case of a lawsuit or customer disagreement.

What are the requirements for cyber insurance?

Most insurance carriers do a cyber risk assessment as part of their underwriting, to determine your premium, policy limitations, and whether you even qualify for cyber insurance in the first place. Depending on the size of your business, this procedure might range from a questionnaire to a thorough investigation performed for several weeks by a cybersecurity firm. Insurance carriers might also perform new risk assessments over time to assure that their pricing is accurate.

Policyholders must adhere to fundamental IT security requirements to be eligible for cyber insurance. At the very least, the following security measures must be in place for a business interested in purchasing cyber insurance:

  • Antivirus software installed on every PC and kept up to date.
  • A firewall to secure the enterprise network.
  • Regular company data backups, performed on secure cloud services or external media.

A secure provisioning method must be followed when granting user access rights and permissions.

Use ZenRisk to enhance your cybersecurity.

If you’re unsure whether insurance is the right choice for your business, there are other unified risk management measures you can explore.

ZenRisk is a unified software platform that provides your company with continuous monitoring and precise management of your entire risk management landscape. By centralizing and streamlining your risk management and mitigation, ZenRisk can help you identify data breaches before they have the opportunity to harm your company and your clients. Those better insights can then inform your decisions about cyber insurance.

Schedule a demo today to learn more about how ZenRisk can help you save money by creating a risk management program that works for you.

From the Back Office to the Boardroom:
The Changing Role of the Security Executive