Before I begin the last segment on cyber risk, I want to thank those of you who are still following this blog. You may have noticed the posts have been rather sporadic over the past four months and I would like to share why. I have faced personal tragedy this year with the loss of both parents in close succession. The inevitability of death is a fact, and no matter how prepared one might believe they are, it seems we are never truly ready when the time comes. These unfortunate events have distracted me from contemplating risk management issues. I recently remembered a quote by Winston Churchill, “If you are going through hell, keep going.” So here we go.
In previous posts, we reviewed several different cyber risk exposures and how to develop a strategy to protect against them. We also looked at how to manage a social media presence and the associated risk. But even with a well-defined plan, a cyber risk strategy should also include a layer of insurance to fill any gaps in controls and residual exposure. General liability insurance does not provide adequate protection, as most policies exclude losses resulting from a cyber-attack. Cyber insurance, on the other hand, typically covers most of the following:
- Legal fees and court costs
- Investigative costs related to a data breach
- Mandatory customer notification requirements
- The cost to recover data
- The cost to repair and restore compromised software and systems
In this post we will address three common questions about cyber liability insurance:
- What is cyber liability insurance?
- What should you as a business owner or decision maker look for when purchasing cyber liability insurance?
- How do insurance companies price cyber liability insurance?
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. With its roots in errors and omissions insurance, cyber insurance began catching on in 2005 and is still evolving. Cyber risks change frequently, and the true risk of cyber-attacks is not completely understood.
Although there are few standards for underwriting these policies, the following costs are commonly paid or reimbursed:
- Investigation expense: After an event, a forensic investigation is necessary to determine what occurred, how to repair the damage and how to prevent the same type of breach from occurring in the future. Investigations may involve the services of a third-party security firm, as well as coordination with law enforcement such as the FBI.
- Business interruption and reputational damage: A cyber insurance policy may pay for items similar to those covered by an errors & omissions policy (losses caused by negligence and similar failures), as well as monetary losses caused by network downtime, business interruption and data recovery, and the costs of managing a crisis, which may include repairing reputational damage.
- Privacy breach notifications: This includes the costs of required data breach notifications to customers and other affected parties, which are mandated by law in many jurisdictions, and credit monitoring for customers whose information was or may have been breached.
- Lawsuits and extortion: This includes legal expenses arising from the release of confidential information and intellectual property, legal settlements and, where they are insurable in your jurisdiction, regulatory fines. This may also include the costs of cyber extortion, such as a ransomware demand.
While the number of insurance companies that offer cyber liability insurance is growing, there is still no standard policy form. It is therefore important for the buyer to pay close attention to what is covered and what is excluded. Below are some questions to ask and items to consider when discussing cyber liability and reviewing proposals with your insurance broker.
- Does the insurance company offer one or more types of cyber insurance policies? In most cases, a stand-alone policy is best and more comprehensive. Also, ask if the policy is customizable to an organization.
- What are the deductibles and sublimits? Be sure to closely compare deductibles among insurers, and check whether particular loss types (for example, extortion payments) carry a lower sublimit than the overall policy limit.
- How do the coverage and limits apply to first-party losses (your own costs, such as recovery and notification) and third-party claims (lawsuits brought against you by customers or partners)? For example, does the policy cover an incident that originates at a third-party service provider? On that note, find out whether your service providers carry cyber insurance and how that affects your agreement with them.
- Does the policy cover any attack to which an organization falls victim or only targeted attacks against that organization in particular?
- Does the policy cover non-malicious actions taken by an employee, such as a misdirected email or an accidental misconfiguration that exposes data?
- Does the policy cover social engineering as well as network attacks? Social engineering plays a role in all kinds of attacks, including phishing, spear phishing, and advanced persistent threats.
- Since advanced persistent threats unfold over time, does the policy define the time frame within which coverage applies? In other words, if an intrusion is discovered during the current policy period but began in an earlier policy period, or before coverage was secured, is the policy limited to damages caused during the current period only? Ask specifically about any retroactive date in the policy.
Many insurance brokers and insurance companies will offer a checklist of items to consider when purchasing cyber insurance. Gather several examples and compile your own customized list of items important to consider based on your particular operations.
When pricing cyber liability coverage, an insurance company wants to see that your organization has taken some steps to assess your vulnerability to cyber attacks. They may ask:
- Do you follow established best practices for defenses and controls, and can you show that they are in place (for example, multi-factor authentication, timely patching and tested backups)?
- Do you have an established employee education program for security awareness, especially for phishing and social engineering?
- Have you conducted a cyber threat assessment (even if not required by regulations)?
- Have you consulted threat intelligence services for the latest information on targeted attacks?
- Have you engaged the services of ethical hackers to reveal security weaknesses?
A full threat assessment and ethical hacking engagement may be financially out of reach for many small businesses. However, investing in some type of vulnerability assessment tool, or engaging a penetration tester to probe your external network defenses, can go a long way toward improving security and strengthen your position when negotiating cyber insurance.
As cyber risk evolves and insurance coverage becomes more standardized, an insurer might request an audit of an organization's processes and procedures as a condition of coverage, although this is not currently a common practice. An insurer may agree to provide coverage, but perhaps at a level below what you feel you need. Keep searching for the right fit, because the cyber risk is real and there is too much at stake to settle for coverage that leaves you exposed.
Until next time, stay safe and be kind to one another.