The growing need for cyber insurance

Fueled by the growing number of data breaches, an expanding attack surface and a shortage of cybersecurity talent, cyber risk is a mounting concern for organizations across all industries. A survey of risk managers by consultancy Allianz identified cyber incidents as the top-ranked business risk globally (tied with business interruption). This trend has changed tremendously in the past decade — nine years ago, cyber incidents were trailing in the No. 15 spot in the risk survey.

The costs of security incidents and data breaches are rising as well. The average cost per lost record increased from $148 in 2018 to $150 in 2019, with the average cost of a breach going from to $3.86 million to $3.93 million, according to annual reports on data breach costs by the Ponemon Institute and IBM.

For some organizations, the results are devastating. In the last couple of years, we saw several companies shutting down or declaring bankruptcy as a result of a major data breach. One example was American Medical Collection Agency, whose breach led to compromised patient records at LabCorp, Quest Diagnostic and other healthcare providers.

Given these kinds of implications, it would seem prudent to turn to cybersecurity insurance to mitigate risk. Especially since the data-driven economy will continue to push the boundaries for how information systems connect and interact with each other — and with that, the risk will compound.

Buying cyber insurance, however, is more challenging than other commercial policies. Below are some basic things to consider.

What is cybersecurity insurance?

A 2018 J.D. Power survey found that two-thirds of businesses combine their cyber-risk insurance with other policies rather than buying stand-alone coverage. However, don’t count on a general liability policy to cover your cyber risk. These policies typically exclude losses related to electronic data because data is not considered physical property.

The market for standalone policies is small (estimated at $2.5–$3.5 billion in the United States versus $275 billion for commercial property and casualty) but growing. A relatively new offering, policies vary widely from one insurer to the next and there are no standard terms. Some typical categories to look for include:

• Security and privacy liability: Damages typically related to data breaches that affect a third party
• Regulatory defense: Covers fines and penalties, as well as defense costs, when a regulatory agency investigates an incident
• Data recovery: The costs of restoring or recreating damaged or stolen data
• Crisis services: Such as computer forensics, breach notification, credit monitoring and public relations necessary after a suspected or confirmed breach
• Business interruption: Covers loss of business income due to a cyberattack
• Cyberextortion: For attacks such as ransomware

These categories are examples of what a core policy may include, but some insurers may provide them on an add-on basis instead.

What do you need to know before you buy?

Cyber insurance typically doesn’t pay for physical losses that result from a cyberattack. That’s where property/casualty or general liability insurance comes in.

In addition to understanding what a policy does — and does not — cover, there are many variables to consider. These are some of the questions to ask when comparing policies:

• Are there any policy conditions? For example, some carriers impose minimum standards and will deny a claim if you don’t meet the standard practices you listed on your application
• What are the exclusions? Some insurers have extensive exclusions that could range from negligence (like unpatched systems) to chargebacks (when credit card numbers are stolen) and even social engineering. Many also don’t cover employee fraud and other criminal activities
• Are prior acts covered? This refers to incidents that you didn’t know about yet when you purchased your policy — a typical situation, since some attacks go undiscovered for months and even years
• Can I use my own experts? Some carriers require you to use a pre-approved panel of experts for services such as forensics and data recovery, and you may not be able to use a vendor you already have
• What’s the jurisdiction? Since state laws are different, the jurisdiction will impact aspects like damage payouts if you have to take the company to court

Several recent lawsuits illustrate why it’s important to understand what you’re buying. One company sued AIG over an incident that was classified as a criminal act, which the carrier said was not covered. In another case, carrier Zurich refused to cover damages resulting from the NotPetya ransomware attack because it considered it an act of cyber war, which was an exclusion.

How much coverage do you need?

The J.D. Power survey found that 97% of businesses that were hacked and had cyber-risk insurance found their coverage adequate. However, determining how much coverage may be adequate for your situation is challenging. Financial company Fundera recommends considering factors such as:

• How many and what type of records do you store and where?
• How much would it cost you to replace affected hardware and software?
• What measures will be needed for notifying stakeholders such as customers in case of a breach?
• Will you need to hire an outside team to remediate, engage in public relations and so forth?

Managing risk holistically

A risk assessment, including an inventory of your data and other assets, is an important step before buying insurance. Carriers are likely to require you to mitigate risks by having good cyber defenses in place, and your cybersecurity posture may also impact your rates.

Insurance is a way to transfer some of your risk, but it’s not a stand-alone measure. Nor is it a replacement for a security program. A policy may help you recover financial losses, but it won’t help you bounce back from reputational damage and other negative impacts.

Source: https://resources.infosecinstitute.com