What is Cyber Insurance?

More cyberattacks are happening today than ever before. The risk of compromise is at an all-time high. To ward off cyber intrusion, it's crucial for every company, regardless of size or industry, to keep enhancing its security outlook.

But sometimes, even advanced protection measures can fall short against highly sophisticated cyberattacks. It would be safe to say that you can’t build an infrastructure that’s impervious to malicious attacks.

To manage this risk, organizations turn to the classic hedging mechanism: insurance. Be it regulatory requirement or keen understanding of risk by the chief risk officer (CRO), cyber insurance helps lower risk to tolerable levels for the organization.

The risks covered by cyber insurance vary from policy to policy. Cyberattacks can lead to significant financial losses, including the cost of investigating and recovery, legal expenses and potential compensation for affected customers. A cyber insurer can help cover these expenses and offer additional support to recover from a breach.

Moreover, cyber incidents can damage a company's reputation and result in a loss of customer trust. Cyber insurance coverage may also include the cost of public relations and marketing campaigns to help repair the company's image and restore customer confidence.

The costs and coverage of a cybers insurance policy can vary based on factors like contract negotiation and the company’s cybersecurity posture. With that said, a typical liability policy may cover:

• Cost of investigation and forensic analysis to determine the nature, cause and extent of the breach
• Notification and credit monitoring services for affected customers
• Costs related to restoring exposed data and compromised systems
• Business interruption losses caused by downtime, property damage or data loss
• Legal and regulatory costs related to the attack (e.g., if the company gets sued, the insurance provider may onboard a legal firm)
• Public relations and crisis management expenses to avert any malpractice suits and help rebuild the brand’s image
• Supply chain costs: Costs related to any third-party integrations (e.g., if a breach in a company’s system propagates into their partner’s infrastructure, the company may be liable for third-party damages)

Real life cyber liability coverage

A large company from the energy industry fell victim to a Ryuk ransomware attack. Ryuk bypassed network security and encrypted core systems and data, rendering them unusable. Malicious actors demanded a substantial ransom amount for the decryption key.

Fortunately, the company had data breach insurance. The insurer formed a panel of cyber experts, including a loss adjuster, forensic accountants and a firm that specializes in ransomware attacks. The panel managed to completely remove the Ryuk ransomware from the company’s network. The insurance business also paid recovery expenses, which included staff overtime and data recreation costs.

Companies from the cyber insurance industry offer a wide range of cyber insurance policies. While choosing one for your business, take the following factors into consideration:

Meet the minimum security standards

Before applying for cyber insurance, take some time to evaluate your infrastructure and identify areas where security can be improved. Remember, the insurance vendor will offer coverage after performing a security audit of your infrastructure. If you don’t pass the audit, you may not be eligible for coverage.

By raising your security standards, you might be eligible for more insurance offers, allowing you to shop around for the policy that suits your needs. Since this is still a nascent market, pricing, terms and conditions show wide variation, so make sure to apply for, receive and compare competing offers.

When establishing a minimum security standard, insurance companies are looking for solutions such as Multi-Factor Authentication, Privileged Access Management and Active Directory security. The exact list of requirements varies, but in general terms, insurers are looking for a mature Identity and Access Management system, in combination with robust backup and disaster recovery capabilities. Organizations looking for the best terms in cyber insurance should consider investing in these technologies to meet security baselines.

Coverage

Insurance policies can vary based on attack type and the company’s risk profile. For example, a data breach policy usually provides coverage for notification costs, credit monitoring and forensic investigations. A social engineering policy covers losses resulting from social engineering attacks, such as phishing attacks or baiting. Errors and omissions insurance offers coverage against liability claims of negligence or inadequate work.

Depending on your compliance and business liability requirements, you may choose one or a combination of insurance policies.

Premiums

As a business owner, you may also consider the cost of the premiums while evaluating a policy. Make sure to read the fine print and be aware of any deductibles or copayments that you may be responsible for.

Reputations

Choose a reliable insurance provider with a proven track record of paying indemnity claims promptly and fairly. What are other customers saying about them? Are they easy to work with? How well do they respond to customer complaints? Do they offer insurance endorsements?

Limitations

Are there any known exclusions or limitations to the policy? What are the conditions or requirements that must be met to receive benefits (if any)?

Here are some ways in which a cyber insurance policy can protect your business:

• Data: Data is arguably the most valuable asset of your company. When you purchase a data breach policy, the insurance provider ensures that you follow best practices for protecting data. If a breach does occur, the insurance provider onboards experts to recover data and cover any related costs

• Business continuity: Cyberattacks might interrupt day-to-day business, resulting in loss of revenue and profits. Some insurance policies offer coverage for this loss and also help with creating and updating your disaster recovery and business continuity plans.

• Systems and devices: Cyber insurance providers also assist in recovering compromised systems and devices

• Periodic risk assessment: Some cyber insurers also conduct periodic risk assessments of companies’ infrastructures to help identify any vulnerabilities and improve their security posture

• Financial loss mitigation: The average cost of a data breach is $4.35 million. By having the right policy in place, you can mitigate a significant portion of these losses.

Here’s how a typical data breach insurance policy works:

1. An organization applies for a data breach policy
2. The insurance vendor conducts a security assessment of the organization’s infrastructure
3. If the audit succeeds, the vendor and the organization start contract negotiations. If it fails, the vendor typically recommends security improvements to the organization
4. The contract is signed and the organization starts making monthly or yearly payments
5. If an incident occurs, the organization informs the vendor
6. The vendor launches an investigation to determine the cause of the breach and the extent of the company’s coverages
7. The vendor helps the organization remediate the situation
8. If applicable, the vendor offers financial compensation to the organization. This may include costs related to data loss, business interruption, legal services and regulatory fines