Data breaches cost organisations billions every year, and cyber insurance allows organisations to off-load some of the residual risk and the costs associated with cybersecurity events. Cyber insurance (also known as cyber-liability insurance) minimises the costs of a cybersecurity event such as ransomware, a data breach or a network compromise so that businesses do not suffer severe financial strain.
Who Needs Cyber Insurance?
Any business that hosts or stores sensitive information can benefit from cyber insurance. The more risk added to a network, the more important it is for organisations to buy cyber insurance policies to reduce costs should the network suffer from a compromise. Should a threat lead to data theft, the organisation must pay for incident response, remediation, brand damage, litigation, compliance fines, and potential customer reparations. Cyber insurance helps alleviate some of this cost.
Destruction of the network and its data is also a risk from a compromise, and cyber insurance policies cover fallout costs from these cybersecurity events. For example, ransomware is a crippling event that could take weeks to remediate using disaster recovery, so a cyber insurance policy covers some of these costs.
What Attacks Result in Cyber Insurance Claims?
After a cybersecurity incident, the organisation must cover costs for several subsequent remediation actions. Incident response, containment, forensics and investigations, litigation, compliance audits, additional security infrastructure, and policy changes are just a few subsequent events that follow a network compromise.
Any cyber-event that results in data loss, investigations, and cost-related consequences could be covered in an insurance policy, but coverage depends on the cyber insurance company and the type of coverage the organisation chooses. The type of coverage determines policy premiums, so cost is often a factor in the organisation's policy choice. Most policies cover costs associated with credential theft, phishing, ransomware, malware, and insider threats.
Why General Insurance Liability Won’t Cover Cyber Crimes
For many insurance policies, cyber-events are specifically excluded from coverage. Every business owner should check their policy for coverage information, but it’s standard for general liability insurance to exclude hacking and other digital data theft and to force business owners to purchase additional cyber insurance.
Just one cybersecurity incident can cost tens of thousands of dollars, so it costs too much to include in general liability policies. Also, the number of risks is a large factor in insurance premiums, so premiums could change as organisations grow and add more infrastructure to their environment.
What Does Cyber Insurance Cost?
Because every corporation has its own set of risks and coverage preferences, the cost of cyber insurance is never a “one size fits all” structure. The size of the business and its annual revenue are also factors that affect insurance premiums. Industries such as health and finance are major targets, so this factor might also influence coverage and costs.
Just as with general insurance, past events also affect the cost of coverage. If an organisation has fallen victim to hacking previously, the cost of coverage will likely be higher than for an organisation that successfully defends against threats.
What Does Cyber Insurance Cover?
Costs depend on several factors, including the organisation's chosen coverage. As business owners shop around for coverage, every insurance company offers its own packages and policies. Insurance agents will send quotes for coverage options with different costs, and a business owner can choose from a list of policies.
Generally, cyber insurance covers:
- Loss of data and associated recovery.
- Loss of revenue due to business interruptions from a cybersecurity event.
- Loss of transferred funds from events such as fraud and social engineering.
- Loss of funds from computer fraud and extortion.
The above list covers the actual cyber-event, but insurance policies usually also cover the aftermath and follow-up events associated with a data breach.
After suffering from a data breach, a cyber insurance policy will likely cover:
- Notification costs: Costs associated with identifying victims and sending notices so that they are aware of the breach. This activity is often a compliance requirement.
- Credit monitoring: Costs associated with victim (customer) credit monitoring after data loss and identity theft.
- Civil litigation: Costs associated with lawsuits and customer reparations.
- Forensics: Costs to hire consultants and forensics experts so that damage and the root-cause can be analysed.
- Brand damage: Costs associated with public relations to repair damage to the organisation's reputation.
Organisations should also check with the insurance company whether the policy covers the cost of measures that help stop attacks before they happen. An insurance company might help with prevention training against phishing and social engineering.
What Does Cyber Insurance Not Cover?
Organisations buy cyber insurance policies to cover monetary loss during a cybersecurity event, but policies don’t cover everything. For example, a cyber insurance policy does not cover projected future revenue loss. Any intellectual property loss from a data breach must be covered under another tailored policy.
Acts of war from foreign attackers are not usually covered, and any costs associated with building cybersecurity infrastructure before and after the breach might not be covered. As usual, check with the insurance company and the policy to find any exclusions to coverage.
Does Cyber Insurance Include a Deductible?
Just like any other insurance policy, cyber insurance has a deductible, but you can choose the deductible when the policy is written. Insurance companies will give organisations a deductible choice, and the deductible price will determine the insurance premiums. The lower the deductible, the more an organisation will pay for their premiums.
Why Isn’t Cyber Insurance Meant to Replace a Security Strategy?
It might seem like cyber insurance is the magic bullet for a data breach, but it should only be used as a supplement to your cybersecurity strategy and never as the entire strategy. It’s important to read the cyber insurance policy to ensure that all terms and conditions are met, including a plan that covers the infrastructure necessary to protect data.
A data breach is expensive, and cyber insurance does not cover future revenue from newly released products and business growth. The lost revenue from brand damage and the costs associated with a data breach can permanently affect future revenue. For an organisation to sustain itself, it must have a cybersecurity strategy that helps reduce risk and avoid a compromise.
Coverage on Cybersecurity Events
In 2017, several major cybersecurity events destroyed data for large organisations and government entities across the globe. WannaCry, Petya, and NotPetya were a few of the ransomware attacks affecting small and large organisations. It would seem that cyber insurance would cover the damage from these ransomware attacks, but forensics experts suggested that the attacks could have been targeting specific countries.
As mentioned above, “acts of war” are not covered in most cyber insurance policies. After the numerous ransomware attacks in 2017, some insurance companies claimed that they did not need to pay for ransomware damage because it was considered an act of war. This left several organisations to cover the expenses of ransomware damage themselves, and ransomware is one of the most expensive types of attack.
What Do You Need to Acquire a Cyber Insurance Policy?
The first step towards acquiring cyber insurance is to audit the current infrastructure and document your cybersecurity policies and systems in place. A cyber insurance company will want to know what systems are currently in place to determine coverage and costs. As with any insurance company, a cyber insurance company will not cover an organisation with no cybersecurity strategy and infrastructure in place, because such an organisation is sure to be a victim of a data breach in the near future.
With an audit of cybersecurity infrastructure, it’s time to shop for a policy by contacting various insurance companies. Every company will have their own policy standards, exceptions, and costs, so ensure that you read the policy terms and conditions before agreeing to a policy. An insurance company will review current cybersecurity strategies to determine if they are willing to write a policy for you.
What Is the Future of Cyber Insurance?
Cybersecurity events cost organisations billions every year. A single event can cost an organisation six figures to contain the threat, remediate the vulnerability and pay for forensics, before counting the monetary loss from brand damage and compliance violations. As more organisations realise the huge cost associated with a cybersecurity event and data breach, they will want to pay for policies that cover the damages and monetary loss from these events.
Insurance companies will tailor their policies so that they make money on premiums, so organisations should always be aware of the exclusions written into the contract. Large payouts are expensive to insurance providers, so they add limitations to ensure that coverage only involves incidents where the organisation put necessary cybersecurity infrastructure in place and did all that was necessary to stop a compromise.
Because insurance providers are more hesitant to write policies for organisations with poor cybersecurity controls, you must put specific strategies and infrastructure in place before shopping around for a provider. Better cybersecurity controls will also reduce risk and therefore reduce insurance premiums and costs for coverage. Before shopping for a policy, an organisation can lower premium payments by installing effective cybersecurity infrastructure across their environments.