What Is Cyber Insurance?

Data breaches cost organisations billions every year and cyber insurance allows organisations to off-load the residual risk-related reliability and costs associated with cybersecurity events. Cyber insurance (also known as cyber-liability insurance) minimises the costs of a cybersecurity event such as ransomware, data breach or network compromise so that businesses do not suffer from severe financial strain.

Any business that hosts or stores sensitive information can benefit from cyber insurance. The more risk they face, the more important it is for organisations to buy cyber insurance policies to reduce costs from a data breach or disruptive cyber attack. Should a threat lead to data theft, the organisation must pay for incident response, remediation, brand damage, litigation, compliance fines and potential customer reparations. Cyber insurance helps cover some of this cost.

Data loss and destruction, especially in the case of ransomware. are also risks from a compromise. Cyber insurance policies cover fallout costs from these cybersecurity incidents. For example, ransomware is a crippling event that could take weeks to remediate using disaster recovery. A cyber insurance policy covers some of these costs.

After a cybersecurity incident, the organisation must cover costs for subsequent remediation actions. These include:

• Incident response
• Containment
• Forensics and investigations
• Litigation
• Compliance audits
• New security infrastructure and policy changes

Any cyber event that results in data loss, investigations and cost-related consequences could be covered in an insurance policy. But coverage depends on the cyber insurance company and the type of coverage the organisation chooses. The type of coverage determines policy premiums, so cost is often a factor in the organisation’s policy choice. Most policies cover costs associated with credential theft, phishing, ransomware, malware and insider threats.

For many insurance policies, cybersecurity events are explicitly excluded in coverage. General insurance liability typically excludes cyber attacks and other digital data theft. That means organisations usually must buy cyber insurance separately. (Every business should check their policy for their specific coverage.)

Just one cybersecurity incident can cost tens of thousands of dollars, making it too costly for insurers to cover in general liability policies. Also, the volume of risks is a large factor in insurance premiums. That makes actuarial calculations difficult, especially as organisations grow and add more infrastructure to their environment.

Because every corporation has their own set of risks and coverage preferences, the cost of cyber insurance is never a “one size fits all” structure. Size of the business and annual revenue are also factors that affect insurance premiums. Industries such as health and finance are major targets, so this factor might also influence coverage and costs.

Just like general insurance, past events also affect cost of coverage. If an organisation has fell victim to a cyber attack before, premiums and deductibles will likely be higher than an organisation that successfully defends against threats.

Costs depend on several factors, including the organisation’s chosen coverage. As business owners shop around for coverage, every insurance company offers its own packages and policies. Insurance agents will send quotes for coverage options with different costs and a business owner can choose from a list of policies.

Generally, cyber insurance covers:

• Loss of data and associated recovery.
• Loss of revenue due to business interruptions from a cybersecurity event.
• Loss of transferred funds from events such as fraud and social engineering.
• Loss of funds from computer fraud and extortion.

The above list covers the actual cyber-event. Many insurance policies also cover the aftermath and follow-up events associated with a data breach.

After suffering from a data breach, a cyber insurance policy will likely cover:

• Notification costs. Costs associated with identifying victims and sending notices so that they are aware of the breach. This is often a compliance mandate.
• Credit monitoring. Costs associated with victim (customer) credit monitoring after data loss and identity theft.
• Civil litigation. Costs associated with lawsuits and reimbursing affected customers.
• Forensics. Costs to hire consultants and forensics experts so that damage and the root causes can be analysed.
• Brand damage. Costs associated with public relations to repair damage to the organisation’s reputation.

Organisations should check with the insurance company for cost coverage to help stop attacks before they happen. An insurance company might help with prevention training against phishing and social engineering.

Organisations buy cyber insurance policies to cover monetary loss during a cybersecurity event. But policies don’t cover everything. For example, a cyber insurance policy does not cover projected future revenue loss. Any intellectual property loss from a data breach must be covered under another tailored policy.

Acts of war from foreign attackers are not usually covered. And any costs associated with building cybersecurity infrastructure before and after the breach might not be covered. As usual, check with the insurance company and the policy to find any exclusions to coverage.

Just like any other insurance policy, cyber insurance has a deductible, but you can choose the deductible when the policy is written. Insurance companies will give organisations a deductible choice and the deductible price will determine the insurance premiums. The lower the deductible, the more an organisation will pay for their premiums.

It might seem like cyber insurance is the magic bullet for a data breach. But it should be used only as a supplemental addition to your cybersecurity strategy—never the entire strategy. It’s important to read the cyber insurance policy to ensure that all terms and conditions are met, including a plan that covers infrastructure necessary to protect data.

A data breach is expensive. Cyber insurance does not cover future revenue from newly released products and business growth. This lost revenue from brand damage and costs associated with a data breach can permanently dampen future revenue. For an organisation to sustain, it must have a cybersecurity strategy that helps reduce risk and avoid a compromise.

In 2017, several major cybersecurity events destroyed data for large organisations and government entities across the globe. WannaCry, Petya and NotPetya were a few of the ransomware attacks affecting small and large organisations. It would seem like cyber insurance would cover the damage from these ransomware attacks. But forensics experts suggested that the attacks could be targeting specific countries.

As mentioned above, “acts of war” are not covered in most cyber insurance policies. After numerous ransomware attacks in 2017, some insurance companies claimed that they did not need to pay for ransomware damage because it was considered an act of war. This left several organisations left to cover the expenses after ransomware damage—one of today’s most expensive attacks.

The first step towards acquiring cyber insurance is to audit your infrastructure and document your cybersecurity policies and systems. To determine coverage and costs, a cyber insurance company will want to know what cyber defences are in place. As with any insurance company, a cyber insurance company will not cover an organisation with no cybersecurity strategy and infrastructure in place. Such an organisation is sure to be a victim of a data breach, if not multiple breaches.

After an audit of cybersecurity infrastructure, it’s time to shop for a policy by contacting various insurance companies. Every company will have their own policy standards, exceptions and costs. So ensure that you read the policy terms and conditions before agreeing to a policy. An insurance company will review current cybersecurity strategies to determine your level of risk and decide whether they are willing to write a policy for you.

Cybersecurity events cost organisations billions every year. The costs of a single event—including containing, remediating, investigating and covering monetary loss from brand damage and compliance violations—can run well into six figures. As more organisations realise the huge cost associated with a cybersecurity event and data breach, they will want to pay for policies that cover the damages and monetary loss from these events.

Insurance companies always tailor their policies so that they make money on premiums. That means you should always be aware of the exclusions written into the contract. Large payouts are expensive to insurance providers. For that reason, they add limitations to ensure that coverage involves incidents only where the organisation put necessary cyber defences in place and did all they could to stop a compromise.

Insurance providers are more hesitant to write policies for organisations with poor cybersecurity controls. Therefore, you must put specific strategies and infrastructure in place before shopping around for a provider. Better cybersecurity controls will also reduce risk—and therefore reduce insurance premiums and costs for coverage. Before shopping for a policy, an organisation can lower premium payments by installing effective cybersecurity infrastructure across their environment.