Why Do Companies Need Cyber Insurance?
Cyber-Attacks are Becoming Less “Personal”
Personal cyber-attacks are usually carried out as a means of financial gain. The most common attacks involve the theft of money, tax returns, health records, social security numbers, bank accounts, credit card numbers, driver’s license numbers and other forms of personal identification. Hackers often use this sensitive information to successfully steal somebody’s identity without their knowledge.
Unfortunately for the corporate world, physical attacks, extortion, and hijackings are escalating at a rapid pace. When hackers strike companies and corporations, the stakes can be much higher costing them millions of dollars to clean up the mess. Cyber-attacks often lead to a costly interruption of business as well as irreversible damage to the organization’s reputation and a loss of faith and clients. Criminals generally look for valuable assets such as trade secrets and customer lists by using malicious computer codes, worms, and malware. Critical consumer information such as health and financial data is commonly stored in electronic form and needs to be properly protected from hackers. Employees can also inadvertently assist in the theft of information by sending infections to unintended recipients via email.
There have been numerous instances of high-profile breaches of data over the past few years in the Financial Services, healthcare, Education and Retail industries and it appears nobody is immune to them.
All of this has created a growing market for the Cyber Insurance industry.
What is Cyber Insurance?
Most businesses are insured by Commercial General Liability policies which offer liability coverage for physical things such as property damage and personal injury. However, the majority of these policies don’t cover most types of cyber risks. Business owners can protect themselves from these unique risks with specific cyber liability policies. As corporations become more aware of the cyber risks involved with their daily business, the greater the demand has become for cyber insurance. Businesses need to protect the important information they possess in electronic form against unintentional security breaches and possible attack from criminals, terrorists, activists, competing companies, and even company insiders.
On its own, cyber insurance (commonly known as network security, privacy liability, privacy breach insurance, cyber-liability insurance or privacy insurance) can’t prevent attacks but can help mitigate the costs of an attack. Cyber insurance is relatively new and has gotten off to fast start due to the ongoing developments and advancements in technology. The National Association of Insurance Commissioners (NAIC) appointed a task force in 2014 to deal with cyber security issues and the industry is expected to expand dramatically over the coming years as more businesses become aware that cyber insurance is necessary.
It’s important that business owners understand that cyber insurance isn’t a security system, but is considered an important risk and crisis management strategy which could prove to be invaluable in the event of attack. Cyber insurance is becoming more standardized and broader as the industry grows and covers third-party liabilities along with first-party costs involved with security breaches. The coverage often includes important assistance from IT forensics, legal, and crisis-communication experts and may cover data stored with an outsourcing company such as cloud service providers.
If a firm is targeted by an attack, cyber insurance can help cover costs related to credit-monitoring services, business interruption and replacing and restoring or updating electronically-stored assets. If a company’s website or social media accounts are affected, the insurance may cover things such as slander, libel, and copyright infringement.
Here’s is a closer look at what is and isn’t covered:
What Should a Cyber Insurance Policy Cover?
First and foremost, the policy should cover compromised Personal Confidential Information (names, dates of birth, social security numbers, bank account and credit card information). The policy must also cover the costs associated with managing a security incident. Let’s take a closer look at these critical components.
First-party costs represent the direct internal costs an organization must deal with after a security breach. Since there aren’t well developed standards in the marketplace, each business typically needs to request specific types of coverage. Common coverages include protection against data theft and fraud, the costs of forensic investigation, the costs of business interruption and restoring lost data.
Third Party Liability Exposure
- Cyber Insurance must also cover the costs of damages to third-parties. An important component is Privacy Liability. Customers, clients, and employees can all be exposed during a cyber-attack. A good cyber insurance policy must include “failure to protect” coverage when it comes to third-party liability.
- Cyber Insurance must also cover a business from Regulatory Actions and include insulation from civil penalties or fines that could be levied by the government.
- Cyber Insurance should also cover any Notification Costs that a company could incur when reporting an incident. Federal and State laws have strict reporting requirements and a good policy will cover the costs of compliance.
- Cyber Insurance should also cover Crisis Management and the costs of Public Outreach.
- Coverage is needed if a third party claims that malware has caused damage to them. Businesses must know whether its services or products can potentially transmit viruses or malware during a security breach.
- Third-party coverage should include data theft and fraud in case data or finances have been destroyed or stolen. Organizations will have to undergo forensic investigation in case of a breach to try to determine how their computer network was compromised. It’s important that cyber insurance covers these costs as well as taking care of Business Interruption if the company faces down time due to denial of service to its customers.
Other Important Terms of Coverage to Consider
Be sure to read the fine print of the policy regarding third-party liability and know exactly what the insurance does and doesn’t cover. When it comes to regulatory and privacy liabilities, the insurer may only have to cover what is legally required. It’s important to ask questions of the insurer and have all coverage details fully clarified.
Make sure you are properly protected against business interruption. Understand that providers and policies have very specific provisions about when the policy kicks in. If your policy protects you for costs incurred when your systems are down for 8 hours or more, you will incur costs for outages shorter than that timeframe.
Also be sure to ask if the policy includes any payout limits by category. For example, a policy may cover $7.5 million for a security breach, but it could include sub limits and only payout $200,000 for notification costs. This means the business is responsible for any costs over this amount.
What is Not Covered by Cyber Insurance?
Since the cyber insurance industry doesn’t have set standards, it’s also imperative to understand what isn’t covered. Currently, cyber insurance won’t cover for loss of reputation and trust with their customers, loss of future revenue from negative media or other exposure, and improvement costs for security infrastructure or system upgrades. This may change as the industry evolves.
What Does a Typical Cyber Insurance Policy Cost?
In general, the cost of liability coverage will depend on the type and size of the business and the cyber security measures it has in place. For example, a premium for a $1 million policy can range between $6,000 and $13,000 a year for businesses that have revenues of approximately $25 million. However, some policies can reach $50,000 per year depending on the company’s total revenues and the specifics involved in the coverage.
Because the industry is relatively new, industry standards are evolving and policies and pricing can vary greatly from business to business. Insurance underwriters will typically assess the risk management techniques and procedures of a business and customize a policy for them based on their findings.
Other factors typically include the type of data the company gathers and stores electronically. Cyber insurance policies can cover breaches of privacy and/or security such as the loss of confidential data and information through unauthorized computer system access.
What is the Insurance Industry Doing About Cybersecurity?
State insurance regulators and the National Association of Insurance Commissioners (“NAIC”) are doing what they can do defend against cybersecurity risks and the task force has created the “Principles for Effective Cybersecurity Insurance Regulatory Guidance”. This consists of 12 principles which are designed to help insurers, and other types of regulated organizations to put their heads together to help identify and tackle potential cyber risks. The NAIC is also developing and introducing new reporting requirements which insurers can use to keep track of cyber liability policies which have been issued.
In addition, the NAIC intends to educate the public regarding cyber risks and help people protect their valuable information. The task force has created a Cybersecurity Consumer Bill of Rights which lets clients know what they can expect from insurers in case of a data breach. The bill of rights was adopted by the NAIC in December of 2015 and has been named the NAIC Roadmap for Cybersecurity Consumer Protections. In the meantime, state insurance regulators are working with the Obama Administration, Congress, and other financial regulators to help identify and defend against specific types cyber threats.
There is a federal US National Data Breach Notification Standard in place which companies are required to follow in case of a security breach. This involves basic notification requirements to those who have been affected, such as clients and employees. There are also state regulations which may be more detailed than the national standard. The notification costs involved are typically covered by cyber insurance and it’s a good idea to look for a policy which doesn’t force a business to pay for any additional notification costs.
Cyber insurance will continue to develop and evolve as new regulations come about and as new cyber risks evolve. As the cyber insurance industry grows there will also be a need for knowledgeable and skilled expertise in the area of risk assessment. Cyber insurance can’t replace a good security system, but it can offer a form of protection in case of a damaging incident.
Cyber Insurance – Takeaway
It’s important that business owners understand cyber insurance isn’t a security system, but is considered an important risk and crisis management strategy which could prove to be invaluable in the event of attack. Cyber insurance is becoming more standardized and broader as the industry grows and covers third-party liabilities along with first-party costs involved with security breaches. The coverage often includes important assistance from IT forensics, legal, and crisis communication experts and may cover data stored with an outsourcing company such as cloud service providers.
Traditional casualty and property insurers are currently examining ways to extend coverage to cyber risks, but standalone cyber policies are viewed as the best way to go by most businesses and corporations. One reason for this is due to a gap between standalone and traditional policies relating to physical damage caused by a cyber incident. For instance, a hacked industrial computer control system could result in an explosion or fire, but the cause could be difficult to prove. Some businesses ask for physical damage to be included in their standalone policies.
The field of cyber insurance will continue to develop and evolve along with new regulations and cyber risks. This means new types of policies and interpretations are likely on the horizon to keep underwriters busy. As the cyber insurance industry grows there will also be a need for knowledgeable and skilled expertise in the area of risk assessment. Cyber insurance can’t replace a good security system, but it can offer a form of protection in case of a damaging incident.
Share this Post