Making the case for cyber insurance

Like every business asset we need to insure, our network and security is also an asset we need to be protecting. The data within the network, the operating systems and software, they all need to be viewed as a corporate asset and hence the need for cyber insurance.

The risk of cybercrime is growing exponentially with each passing year. The average U.S. business spends roughly $9.48 million per breach. And it is not just money that is at risk when organizations are attacked — intangible things like loss of consumer trust, market reputation, and competitive edge have massive implications on businesses. Cyber insurance provides a safety net against a range of tangible and intangible losses in case of a cyber incident. 

What do cyber policies typically cover?
Business revenue has always been tied to a product. Today, this is not the case. Revenue is now intrinsically tied to your data, your network, your internet traffic. The ability for clients to access your portal, to access your services, to order products, to engage with your people, are linked to their ability to get on your network. If your network experiences downtime for some unforeseen reason, cyber insurance can provide some level of mitigation against such business income losses. 

Say your organization experiences a data breach. You will be held accountable for any PII (personally identifiable information), financial data (credit card information) or healthcare records that are leaked. Potential fines may be levied by anyone who is impacted by the data release. Cyber insurance serves as a financial backstop, up to the limit on the policy and subject to retention limits.

In the event of cyber extortion from a ransomware attack, which can cost upwards of $5 million in recovery expenditures, cyber insurance should cover everything from initial investigation to incident response, from the extortion claim that's paid, to legal fees. If your systems go down and you need to have your network reconstructed, cyber insurance should cover those costs.

If you encounter hardware damage that necessitates costly replacement and requires a substantial capital investment, the policy can offer financial support for these expenses. This coverage is commonly referred to as bricking coverage if you have chosen to include it in your policy.

Many carriers can underwrite for fund transfer fraud. For example, if someone social engineers your accounting department (using tactics like business email compromise), most cyber policies will provide some level of cover for those types of incidents. Cyber policies can also provide coverage for fund transfer, associated business income losses, fines and penalties, as well as reparation of systems. 

Key requirements for cyber insurance
Underwriters prioritize revenue when underwriting policies, ensuring that it aligns with the associated data exposure. This involves an evaluation of the type, volume and risk level of the data records in conjunction with the organization's revenue. Based on these assessments, underwriters calculate a rate per million to determine the premium. Additionally, the organization's controls, policies and processes may influence the application of credits during this process. These may include:

Multi-factor authentication: Given that most insurance claims arise through email intrusion, MFA is a mandatory cybersecurity capability and a critical underwriting factor.

Endpoint detection and response: 70% of breaches begin at the endpoint, where users encounter malware or are hacked and social engineered. If endpoints are not well secured, the entire organization is at a higher risk of breach or exposure.

Policies, compliance and procedures: The depth and structure of your current cybersecurity policy, the level of incident preparedness, the state of crisis management procedures, adherence to compliance standards — all these things matter to an insurer and help them judge how mature and serious an organization is about their cybersecurity.

Training and simulation exercises: Having a comprehensive security training program, conducting regular cybersecurity awareness exercises and tabletop exercises, and providing training to employees on responding to and reporting security incidents all contribute to earning credit points with insurers.

Routine vulnerability assessments: Most insurers require policyholders to run vulnerability assessments at regular intervals because cyber threats evolve with changes in technology and changes in attack vectors. How well organizations know their own vulnerabilities and exposures is a clear indication of the level of control they have on evolving risks.

Before committing to a cyber policy it is important that organizations dive deep into the fine-print — the rights, the inclusions, the deductibles, the exclusions, and the carve backs; for example, systemic or infrastructure failures. Cyber insurance is a valuable risk management tool not to be confused with cybersecurity. Cybersecurity is the foundation for protecting against cyber threats, while cyber insurance provides financial protection in the event of an incident.

See more:
How to protect against the rising threat of cyber attacks

Inbox is source of over half of cyber insurance claims: Coalition