Cyber Insurance: What It Is and Why Your Organization Should Have It
In May 2021, Colonial Pipeline, which supplies 45% of the gasoline and jet fuel to the East Coast, faced a massive ransomware attack carried out by the crime group DarkSide. The attackers stole 100 gigabytes of data and threatened to leak it on the internet unless a ransom demand of $4.4 million was fulfilled. To mitigate the attack, the company temporarily shut down its services, resulting in panic buying, gas shortages, and price hikes in several states. The company made the decision to pay the ransom.
This attack pushed several U.S. energy companies to buy more cyber insurance, despite a drastic increase in premiums following the attack, to ensure better protection. So what is cyber insurance? What does it cover? And how do you choose a cyber insurance policy? All of these questions are answered in this post.
What is cyber insurance?
As technology advances, so do the frequency and sophistication of cyberattacks. Any business that’s connected – even partially – to the digital environment is inherently at risk. That’s where cyber insurance comes in. Also known as cyber risk or cyber liability insurance, it is a method of mitigating risk and protecting your organization from the inevitable fallout in the unfortunate event of a cyberattack.
However, cyber insurance by no means prevents cyberattacks. Your organization must have a robust cybersecurity system and policies in place, especially when dealing with highly sensitive data, the privacy of consumers/patients/citizens/students/employees, and your third-party providers and associates. This, combined with a strong cyber insurance policy, is non-negotiable to ensure the maximum safety of your organization.
What does cyber insurance cover?
Cyber insurance originates from errors and omissions (E&O) insurance. Usually, cyber insurance policies provide first- and third-party coverages. First-party coverages refer to the costs that an organization sustains directly due to a breach. Third-party coverages refer to settlements an organization is compelled to pay due to consumer claims as a result of malpractice or failure to act on the company’s part.
Standard reimbursable expenses include:
- Investigation: This covers the expenses to conduct an investigation to determine the scope of the breach, how it happened, the repair requirements, and how to prevent a similar attack in the future.
- Data recovery: This covers the cost of restoring electronic data and any software/programs that were breached during an attack.
- Transmission of malicious content: This covers costs arising when your system transmits malicious content to your client(s). This is important as your organization could be held liable by your clients in the event of a breach. It also covers defamation suits, as those claims can be very hefty.
- Business losses: This covers lost income, business interruption, and the cost of restoring operations when a cyberattack interrupts normal business operations.
- Extortion payments: This covers the expense of a ransom that a cybercriminal demands for a nefarious act – usually seen in ransomware.
- Notification costs: This covers the costs of notifying customers and other affected parties if their data has been compromised and stolen in a breach. This is mandated by law in several states. Additionally, many policies cover the costs of credit monitoring services as well.
- Crisis management: Some policies offer to cover the costs of hiring experts like lawyers, a PR team, and tech experts to help navigate the situation and save the reputation of the affected organization.
It’s important to mention that cyber insurance policies don’t offer coverage for bodily injury, property damage, contract violation, cases where the insured has caused or had knowledge of the cyberattack, or international offenses like terrorism or treason.
Why is cyber insurance important?
Lost, compromised, or stolen electronic data would negatively impact your organization both in terms of revenue and reputation. Your organization could also face lawsuits by third parties claiming data theft or negligence, leading to further financial losses. Effective cyber insurance can help your organization cover these losses and recover from the aftermath of an attack in more ways than one.
With cybercrime surging, cyber insurance has become a necessity. Ransomware attacks accounted for 41% of cyber insurance claims in the first half of 2020.
How to choose a cyber insurance policy?
Before picking a cyber insurance policy, there are a few factors to explore.
1. Make sure your organization knows its risks. Create a cyber risk profile that includes all the vulnerabilities that could be exposed in a breach. Based on this, gauge the level of coverage your organization would require.
2. Evaluate your policy. The coverages listed above are the standard ones offered. A stand-alone policy is the best option to consider in terms of coverage and price. Also, check if your policy is customizable to include specific coverages that your organization needs.
3. Read the fine print! Carefully check the coverages that are related to your organization’s business practices, territory coverage, vendor coverage, and social engineering. In several policies, these coverages are excluded. This is a problem, especially in the case of social engineering, as it plays a major role in cyberattacks such as phishing, spear phishing, APTs, and even ransomware.
4. Cyber insurance policies often contain complicated language and jargon which can be difficult to comprehend. As such, form a team of experts – lawyers, technical and business experts, HR, and PR – to review different policies and help select the ideal one for your organization.
Of course, insurers also have a say when it comes to offering coverage. An organization that has efficient cybersecurity practices and low risk is ideal for insurers. Typically, organizations have to undergo a security audit by the prospective insurance company or submit documentation from an approved assessment tool. The results of the audit or assessment will play a role in the coverage provided as well as the cost of the premiums of the insurance policy.