Considering cyber insurance? Here’s what you need to know
Fueled by the growing number of data breaches, an expanding attack surface and a shortage of cybersecurity talent, cyber risk is a mounting concern for organizations across all industries. A survey of risk managers by consultancy Allianz identified cyber incidents as the top-ranked business risk globally (tied with business interruption). This trend has changed tremendously in the past decade — nine years ago, cyber incidents were trailing in the No. 15 spot in the risk survey.
The costs of security incidents and data breaches are rising as well. The average cost per lost record increased from $148 in 2018 to $150 in 2019, with the average cost of a breach going from $3.86 million to $3.93 million, according to annual reports on data breach costs by the Ponemon Institute and IBM.
For some organizations, the results are devastating. In the last couple of years, we saw several companies shutting down or declaring bankruptcy as a result of a major data breach. One example was American Medical Collection Agency, whose breach led to compromised patient records at LabCorp, Quest Diagnostics and other healthcare providers.
Given these kinds of implications, it would seem prudent to turn to cybersecurity insurance to mitigate risk, especially since the data-driven economy will continue to push the boundaries for how information systems connect and interact with each other — and with that, the risk will compound.
Buying cyber insurance, however, is more challenging than other commercial policies. Below are some basic things to consider.
A 2018 J.D. Power survey found that two-thirds of businesses combine their cyber-risk insurance with other policies rather than buying stand-alone coverage. However, don’t count on a general liability policy to cover your cyber risk. These policies typically exclude losses related to electronic data because data is not considered physical property.
The market for standalone policies is small (estimated at $2.5–$3.5 billion in the United States versus $275 billion for commercial property and casualty) but growing. Because stand-alone cyber coverage is a relatively new offering, policies vary widely from one insurer to the next and there are no standard terms. Some typical categories to look for include:
These categories are examples of what a core policy may include, but some insurers may provide them on an add-on basis instead.
Cyber insurance typically doesn’t pay for physical losses that result from a cyberattack. That’s where property/casualty or general liability insurance comes in.
In addition to understanding what a policy does — and does not — cover, there are many variables to consider. These are some of the questions to ask when comparing policies:
Several recent lawsuits illustrate why it’s important to understand what you’re buying. One company sued AIG over an incident that was classified as a criminal act, which the carrier said was not covered. In another case, carrier Zurich refused to cover damages resulting from the NotPetya ransomware attack because it considered it an act of cyber war, which was an exclusion.
The J.D. Power survey found that 97% of businesses that were hacked and had cyber-risk insurance found their coverage adequate. However, determining how much coverage may be adequate for your situation is challenging. Financial company Fundera recommends considering factors such as:
A risk assessment, including an inventory of your data and other assets, is an important step before buying insurance. Carriers are likely to require you to mitigate risks by having good cyber defenses in place, and your cybersecurity posture may also impact your rates.
Insurance is a way to transfer some of your risk, but it’s not a stand-alone measure. Nor is it a replacement for a security program. A policy may help you recover financial losses, but it won’t help you bounce back from reputational damage and other negative impacts.