Understanding the Basics of Cyber Insurance: What You Need to Know
Data breaches and cybercrime are all too common. And in recent years, ransomware attacks have caused many organizations to face hefty extortion payments, legal fees, and reputational damage – not to mention the major headache that comes with each. Cyber insurance has become a powerful tool in the world of cyberattacks to help protect organizations from the implications of a ransomware attack, but many don’t understand what a cyber insurance policy actually covers.
In this blog, we will identify the basics of cyber insurance and outline everything your organization needs to know surrounding cyber coverage in the event of a cyberattack.
Brief history of cyber insurance
Cyber insurance was developed in the 1990s to cover lawsuits from data breaches on an organization’s computer system security. In some policies, cyber insurance even covered business interruption loss from a compromised system. While many US companies bought cyber insurance for coverage, most were forced due to the liability risks of data privacy.
Data privacy became a focus in 2003 when California passed a law requiring companies to notify individuals if/when their private information had been breached or compromised — and many states followed suit. Despite the growth across states, there are minimal data privacy laws outside of the US. However, what did resonate was the interest in cyber insurance.
Concerns surrounding cyberattacks and data breaches were top of mind across the globe, especially as cyber threats become more serious and sophisticated. But over the last few years, ransomware attacks have multiplied as WannaCry, Petya, and NotPetya transformed ransomware from a nuisance to an extreme problem. To stay ahead of the threats presented from these attacks, organizations have relied on cyber insurance to provide coverage for their network, and the ever-changing threat landscape of cyberattacks.
What is cyber insurance?
Cyber insurance (also referred to as cyber attack insurance, or cyber liability insurance) covers the liability, costs, and risk of disruption that occur from a cyber attack, as well as nonmalicious mistakes made by a user that lead to a cyber incident (accidentally making a database public, losing a laptop, etc.). In most cases, cyber insurance covers any expenses that result from a data breach or ransomware attack including regulatory fines, investigation processes, or customer notification. Despite a swell in cyber insurance providers, many organizations do not have coverage that exceeds $100 million. And as the cost to reconcile all aspects of a cyber incident is often nearly $300 million, the cyber insurance coverage for many organizations is simply not enough.
First-party vs third-party cyber insurance
It’s worth noting that there are differences between first-party vs third-party insurance.
One of the primary components of cyber liability insurance is first-party coverage, which deals with the immediate costs an organization incurs after a cyber incident. First-party insurance helps you respond to data breaches on your own organization’s network and systems. Third-party coverage focuses on liability to others as a result of a cyber incident. Third-party insurance helps pay for any lawsuits caused by data breaches on a client or partner’s network and systems.
While both policies help you in the event of a data breach, they differ in regard to response and level of coverage.
What cyber insurance generally covers
A basic cyber insurance policy often covers claims resulting from data security risks and data privacy — but not every business is entitled to the same protection. While every company faces cyber risk, the bigger the company, the more areas of vulnerability — and therefore, the need for additional coverage.
Here are a few distinct insurance agreements that most cyber insurance companies offer.
Network security and privacy liability
Network security and privacy liability are two of the most important coverages to have for an organization.
Network security liability protects against claims from third parties resulting from a failure of network security. This could be due to a data breach where personal information is exposed or unauthorized access to confidential business data. Network security covers direct expenses from a cyber incident and first-party costs including:
Restoration of data
Ransom negotiation and payment
Business email compromise
Privacy liability, a subset of network security liability, covers claims arising from the unauthorized access or disclosure of personal information. Privacy liability protects your company from a cyber incident or privacy law violation on sensitive data including customer and employee information. This protection is especially important when defending your organization from consumer class action litigation, legal expenses, fines, or other penalties from regulatory investigations by governments and law enforcement.
Network business interruption
If your business is dependent on technology to operate, then it should consider network business interruption coverage. Network business interruption coverage is for companies that are susceptible to operational cyber risk, or rather when a network provider you rely on collapses due to a cyber incident. With this coverage, companies can recover costs from third-party security and system failures that result in:
Extra costs incurred from a breach
Media liability covers intellectual property infringement that results from the advertising of services your business offers. This often applies to both online and printed advertising. Media liability offers broad protection for businesses to help policyholders manage the costly damages that result from media-related claims.
Errors and omissions
Errors and omissions (E&O) cover claims that result from errors or failure of the performance of your services due to a cyber event. Errors can be anything from the failure to perform technology services (software, consulting, etc.), to the failure to fulfill contractual obligations of professional services (doctors, architects, lawyers, engineers, etc.). Errors and omissions address a breach of contract or allegations of negligence and can include legal defense costs or compensation from a lawsuit or dispute with your customers.
What cyber insurance does not generally cover
Like most insurance policies, cyber insurance does not cover every possible risk and cost of a ransomware attack. Before getting cyber insurance, it’s important to understand exactly what will be covered for your business, and what will not. Here are the most common aspects of coverage that cyber insurance policies generally do not offer.
Potential profits loss
Cyber insurance policies are not responsible for restoring potential profit losses from a ransomware attack. For example, if your company experiences reputational damage due to a recent ransom attack, the insurance company is not responsible for compensating for this loss.
Theft of intellectual property
Theft of intellectual property is when a cybercriminal steals a company’s ideas, inventions, trade secrets, etc. If a cybercriminal steals intellectual property and it results in a devaluation of the company, most cyber insurance companies will not cover this loss.
Costs of software or security upgrades
If your business suffers a severe data breach, you’ll want to consider upgrading your systems or networks to prevent a ransomware attack in the future. However, most cyber insurance policies will not cover the cost of new software or security upgrades, even though it could help mitigate risk.
The Role of Cyber Insurance Coverage in Risk Management
It’s important to note that cyber insurance doesn’t replace sound risk management practices but rather augments them. As cyberattacks escalate, the demand for policies surges, leading to higher costs and stricter requirements. Organizations with mature risk management practices, robust controls, and technologies like Multi-Factor Authentication (MFA) are better positioned to secure favorable policies.
Cyber Risk Quantification (CRQ) plays a pivotal role in determining the appropriate coverage. Given soaring premiums, CRQ tools help calculate cyber risk exposure in financial terms, align coverage levels, and pricing with the organization’s cybersecurity maturity.
What factors influence cyber insurance premiums?
Premiums are influenced by various factors, including company-specific elements like size, industry, claims history, and cybersecurity maturity. Implementing controls like MFA, network segregation, and data backup can offset premiums. Insurers are also influenced by market-specific dynamics, with standalone cyber coverage premiums increasing due to rising cyberattacks and a lack of historical loss data. Systemic risk factors, like geopolitical fluctuations, can significantly impact profitability.
What additional value do cyber insurance providers offer?
While cyber insurance primarily covers losses from security incidents, providers are enhancing policies with value-added services. These may include:
- Virtual CISO services to assess security and recommend actions.
- Incident response planning assistance.
- Training and awareness portals for policyholders.
- A network of preferred providers with negotiated rates for legal advice, ransom negotiation, and bitcoin acquisition.
How SecurityScorecard can help
Cyber insurance is a vital component of modern risk management, but its landscape is evolving rapidly. Understanding how it fits into your risk strategy, defining appropriate coverage, balancing costs, considering premium factors, and leveraging additional value from providers are key steps in navigating this complex terrain. In a world where cyber threats are constantly evolving, a well-considered cyber insurance policy can provide much-needed security and peace of mind.
Cyber insurance policies are not a one-size-fits-all solution. And obtaining insurance isn’t as easy as it used to be. The requirements for insurance have become more stringent and companies could face higher premiums, less coverage, or risk of not being offered insurance at all if they don’t have a strong security posture. SecurityScorecard allows risk managers and CISO’s to understand their current security posture and define the risk management strategies needed to improve insurability.
With the ability to make better, more educated decisions, streamline insurance workflows, and satisfy your customers, SecurityScorecard makes it easy to make trusted cyber security decisions for the future.