What is Cybersecurity Insurance Coverage and is it Right for You?
First, what is it? Getting cyber insurance from an insurer is very similar to getting any other type of insurance product: your risks are assessed, an offer of coverage is made, you pay a regular premium, and – if the worst happens – you make a claim to cover your losses.
In the case of cyber insurance, the “losses” are the costs that could arise from a cyber security incident involving your computer systems. So, in the event of a data breach, malware attack, or ransomware incident, relevant expenses you incur in remediating the problem would be covered, within the limits and exclusions of your policy. And don’t forget to contact ISA’s Incident Response team if your company ever experiences a breach and you need immediate help.
Every cyber insurance policy is different, but the following are items that you should consider when evaluating a policy. Some of these are routine offerings in cyber insurance contracts; others may be add-ons or “endorsements” (i.e., changes or additions) to a basic policy. Note that the common thread in all of the items is that they are “response oriented”: coverage is offered for losses resulting from a breach, not for your regular, day-to-day operating expenses for running your information security program (e.g., training, licensing, monitoring, etc.).
· Customer, regulator, or partner breach notification and ongoing communications
· Crisis management and public relations expenses incurred while managing an evolving situation
· Business interruption compensation and expenses incurred as a result of an outage
· Recovery or release of corrupted/encrypted data (some policies can even cover the expense of retaining a professional negotiator to assist in ransomware incidents)
· Cyber forensics to determine root cause and remediation of the incident
· Goodwill services like identity theft monitoring, “dark web” monitoring for exfiltrated data, or credit bureau monitoring
· Fines or penalties from industry/government regulators, partners, or other third parties
· Legal and civil damages, including individual or class action litigation costs and settlements
· Recovery/reimbursement of stolen funds
How Much Insurance Do You Need?
Assessing how much coverage you need can be a matter of estimating your potential losses in these areas in case of a breach. How much business would you lose if your website were down for a day or a week? What impact would there be if private information about your customers or staff were stolen? What penalties would a breach or business interruption attract?
Fortunately, one of the basic ways of trying to quantify your risk is also one of the first steps in putting together a comprehensive cybersecurity program in your firm. Developing and maintaining an inventory of your digital assets (hardware, software, and the actual data you use to operate your company) is part one. The next step involves attaching a level of criticality and sensitivity to each of those assets. In other words, evaluating how important each item is to your operations, and the level of confidentiality associated with each asset.
This exercise will help you get a more complete sense of your risk and exposure in the event of losing those assets. Having this inventory and assessment in hand will help you quantify how much cyber insurance coverage is appropriate for your company.
The Underwriting Process
Most cybersecurity insurers will have a detailed questionnaire for you to review and complete. This allows the insurer to assess the risk you present, recommend appropriate coverage and the premium for that coverage, and define any limitations/exclusions in the policy. The underwriting process is usually in-depth, and can cover such areas as:
· Company financials, history, operating locations and environment
· Types, sensitivity, and amount of data stored (which will come right from the asset inventory described above)
· Extent and use of encryption to protect data
· Location of data stored (onsite and/or cloud?)
· Previous privacy/security breaches, outstanding litigation against the company
· An overview of your information security programs and processes (e.g., remote access policies, mobile/portable device policies, use of encryption to protect sensitive data, etc.)
· Extent of backup and data recovery procedures
· Business continuity and incident response plans – and the testing thereof
Completing the questionnaire is often a team effort for a company, as insights from executive team members, finance personnel, and IT professionals may be required. It’s essential for you to complete the questionnaire candidly (incorrect answers could result in an “off-coverage” position by the insurer), and to fully understand what coverage is available to you in the event of a claim… and, just as importantly, what isn’t covered!
Many firms will seek the assistance of an insurance broker, who will guide you through the questions to understand your situation and needs, then scan the insurance marketplace for the best fit of coverage and pricing. Whether you use a broker or work directly with an insurance carrier, it is also worth considering the services of legal counsel to review and assess contracts of insurance before sign-off, to help ensure that your needs and interests are being met. It is also prudent to conduct due diligence on the insurer itself – not all carriers are created equal.
While cyber insurance has been around since the 1990s, there has been an explosion of interest in the market in the last few years, with new insurers competing against more established firms. Gain confidence that your carrier of choice has the expertise and resources to assist you in the event of a cyber incident, instead of simply going for the cheapest option.
Coverage in Place
Once you have entered into a contract of cyber insurance, make sure that the information on how to place a claim is integrated with your company’s incident response and business continuity plans – during a crisis, you’ll want to have all the information available at a moment’s notice. It also goes without saying that having insurance coverage in place does not relieve you of your responsibility for maintaining a “cyber secure” enterprise. The insurance is meant as a backstop if, despite best and reasonable efforts to prevent a breach or attack, a cyber incident befalls your firm.
Like any insurance product, the hope is that you will never come to need to make a claim. But, given the pervasive nature of cybersecurity incidents, having cyber insurance coverage and the support of ISA’s incident response team may save your company from catastrophic losses in the event of a breach.