So you don’t have cyber insurance? You’re in the same boat as about half of U.S. firms, according to the Insurance Journal. June 28 is National Insurance Awareness Day. Businesses purchase several types of insurance, but cyber insurance is still considered an unknown commodity. You may therefore not be sure whether or why you should consider getting cyber insurance for your business.
Let’s look at the big picture. Your business probably processes a lot of data, and a lot of this data is stored online. This data, especially if it is related to private or confidential or health data, happens to be very valuable in the black market. Cybercrime is on the rise. What does this mean? It means that your data is susceptible to being stolen.
Should you protect your digital property (data) with insurance?
Just as you may need to protect your physical property from loss by taking insurance coverage, you may need to evaluate if you should protect your digital property (data) by taking cyber insurance coverage. Some questions that you can ask yourself are:
- Do you store a lot of patient information?
- Do you process private confidential financial information of clients?
- Do you store information like social security numbers, driver's licenses, or any data that should be kept secure?
- What is the impact if any of this data is lost?
- Are you required by law to notify the government or your clients or anyone else if any of your data is lost or stolen (breached)?
Your company executives may not be aware of how high the cost of a data breach can be. The total cost of a data breach to your business could be as high as a staggering $3.62 million, according to the Ponemon 2017 Cost of Data Breach study sponsored by IBM. The average cost of each lost or stolen data record containing sensitive and confidential information was $141. All organizations that participated in the survey had experienced a data breach. Almost half of these organizations identified the root cause of the data breach as a malicious or criminal attack.
This is why it is crucial that you evaluate if you need to purchase cyber insurance for your business.
How do you go about purchasing cyber insurance?
While it has become easier to find agents offering cyber insurance these days, it is still not everywhere. All insurance companies do not offer this product. There is usually a long questionnaire to answer prior to getting a quote for premium. This will depend on your current security posture, whether or not you have conducted a security risk assessment, whether you have documented policies and procedures, what kinds of security tools you use, and more. We cannot stress enough the importance of answering this questionnaire truthfully. If you misrepresent any part of the questionnaire, knowingly or unknowingly, you run the risk of not being eligible for compensation should you experience a data breach.
What types of cyber insurance coverage are available?
There are different kinds of insurance coverage and each insurance company may have different names, inclusions, exclusions, and sub-limits for the various types of liability coverages they offer. Some of the types of available cyber insurance coverages include:
- Regulatory fines and penalties– offers insurance coverage for regulatory fines and penalties that could be huge.
- Business Interruption– Cyber attacks can be so damaging that the company may be unable to resume daily operations after the incident, for instance, damaged databases, inoperable systems, or loss of networks.
- Credit monitoring– covers identity protection and credit monitoring costs for victims of a data breach.
- Forensics– covers costs involved in a forensics investigation, gathering evidence, and resolution coordination.
- Litigation– offers some financial protection in the event of a lawsuit.
- Notification Expense– takes care of expenses involved with individual and government notifications, call center costs, and advertisements.
- Cyber Extortion coverage – Ransomware attacks fall under ‘Cyber Extortion’. A cyber insurance policy may or may not include cyber extortion – be sure to check for this. Often, an insurance policy may only cover ransom payment partially. Nevertheless, having cyber insurance cover part of a ransomware attack may still be more beneficial than not having one at all.
What questions should you ask when shopping for a cyber insurance policy?
- When is the coverage triggered?
- When is a notice to the insurers required?
- How are breach counsel and vendors selected?
- What requirements do you, as the insured company has to meet, to be eligible for payment of claims?
- Are there exclusions/sub-limits of the cover? Some examples are:
- Portable electronic device exclusions
- Intentional Acts Exclusion
- Terrorism Exclusions or Acts of God.
- Negligent Computer Security Exclusion
- Post-Breach Services
- Information maintained and stored by third parties
- Coverage for investigations and fines
- What about breaches that may have happened before purchasing coverage, but were discovered afterward?
- Are there any additional measures that you can put into place which will reduce your premium?
- What ongoing audit and compliance obligations are required to be met, in order to keep the policy effective?
- Will your premiums increase if you report a data breach?
- Is there a time limit within which you should report the data breach to your insurance company?
24By7Security had an active discussion on this subject during an incident response workshop conducted at a conference. If you’re interested in seeing a summary of some parts of this discussion, watch this video.
Cyber insurance has a significant role to play in your organization’s overall security strategy as a key risk mitigation component. If you store or process data that is sensitive or confidential, please take the time on National Insurance Awareness Day to review your business data storage practices and determine if you need to take new cyber insurance or increase any existing cyber insurance coverage you may have.
Take advantage of our National Insurance Awareness Day special!