Our world is more digitally connected than ever before, and with that convenience comes more cybersecurity threats to consumers and businesses. The PricewaterhouseCoopers 2016 Global State of Information Security Survey revealed a 38-percent increase in the number of security incidents in 2015 over the previous year. Companies are making cybersecurity a top priority, increasing their funding and awareness efforts to protect one of their most valuable assets – their data.
Along with the implementation of new technologies, strong monitoring capabilities and access management policies, companies are also adding cyber insurance to their cybersecurity strategies. Cyber insurance, a new trend in the information security sector, can offer an additional layer of protection that may fill the gaps where traditional business insurance policies may falter.
So… what exactly is cyber insurance?
As a relatively young – but growing – industry, cyber insurance provides a partial solution to cover the risks of disruption that can occur from cybersecurity issues. The majority of cyber insurance policies cover costs and liability from data breaches, often including expenses resulting from regulatory fines, customer notification and/or investigation processes.
Despite the surge in cyber insurance providers, very few have coverage exceeding $100 million. However, there are opportunities to create “towers” of coverage, which are constructed by purchasing multiple layers of insurance until a desired limit is reached.
Who needs it?
The first step in deciding whether your business needs cyber insurance is determining what type of potential risk your organization has.
Consider these questions:
- What type of information does my organization hold?
- What are the consequences if this information is stolen and/or exposed?
- What are the current cybersecurity policies in place?
- Does my current insurance policy cover any type of cybersecurity-related risk?
Some helpful tools are the National Institute of Standards and Technology (NIST) Cybersecurity Framework resources and the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool.
When you are ready to choose a policy, identify the gaps in your existing insurance first – understanding what your traditional policy offers is essential to recognizing the types of additional coverage you’ll need. Coverage can vary significantly, ranging from protection for your extra expenses, to protection for business interruption losses, event response expenses, litigation defense fees and/or settlement costs.
Create a checklist before you approach an insurance broker to ensure you are prepared to describe your firm’s current cybersecurity risk position. The items on your checklist can range from questions about existing cybersecurity policies, to employee education and training, to vendor management and the safety precautions you have in place. Getting these basics down before you seek coverage will allow the process to run more smoothly and better inform you about your needs.
Do your homework
If you choose to purchase cyber insurance, ensure you clearly understand when the policy is triggered and set guidelines in advance to avoid confusion in the thick of a breach. Establish processes to notify insurers and senior leaders (e.g., executives and board members), customers, employees and vendors.
Stay aware of major exclusions in your policy, do your research and know there is room to negotiate. Always ask questions if something is unclear, and be sure to immediately contact your insurer if information is compromised, because the legal clock starts ticking as soon as an incident is discovered.
Cyber insurance can be an important part of your cybersecurity plan, but it should not serve as the main line of defense.
For a more comprehensive guide to cyber insurance, please reference the FSSCC “Purchasers’ Guide to Cyber Insurance Products.”
About the Author
Keith Gordon is a cybersecurity threat intelligence and customer protection executive at Bank of America, a National Cyber Security Alliance board member company.