With corporate data breaches on the rise, many business owners are rethinking their security practices and strategies for risk management. Hacks, breaches and network outages present more than just technology issues—they come with financial repercussions, a potential loss of customers and a negative reputation in the marketplace.
These potential consequences are leading business owners to adopt more holistic approaches to security involving both preventative measures and response plans. Preventative measures help secure network defenses and implement best security practices. Response plans involve cybersecurity insurance, a policy designed specifically to trigger when a security incident occurs.
Cybersecurity insurance is a relatively new type of coverage, which explains why it’s often misunderstood. This article makes sense of cybersecurity insurance so business owners can better understand what types of coverage are available and ensure their business’s recovery after a cyberattack.
1. What Is Cybersecurity Insurance?
Cybersecurity insurance—sometimes referred to as cyber liability or data-breach liability insurance—is a type of standalone coverage. It helps companies recover from data loss owing to a security breach or other cyber event, such as a network outage or service interruption. Cybersecurity policies are different from property or general liability policies because prices and exclusions for cybersecurity insurance vary widely between insurers.
Although this situation may make choosing a policy more complicated, it shouldn’t deter business owners. Cybersecurity insurance is important to building a comprehensive strategy for risk management and response.
2. Should I Purchase Cybersecurity Insurance?
No business is immune to network outages and data breaches; in fact, studies show that small businesses are victims of 71% of cyberattacks. The impacts are often devastating, ranging from lost business opportunities to customer revolt, and from a damaged reputation to stolen data and funds. Repercussions can even extend to loss of employment, as Target’s former CEO discovered.
Considering these potential repercussions, cybersecurity insurance may be a wise investment for your company. It mitigates many of the costs associated with investigating and resolving a security incident, and it helps a business return to normal operations quickly.
3. What Types of Coverage Are Available?
Cybersecurity insurance comes in two types: first party and third party. Most insurers offer policies that combine features of both, though not all do. Many carriers also write provisions and exclusions into first- or third-party policies, so businesses should carefully read their cybersecurity policy to understand what is covered in the event of a security breach.
A cybersecurity plan that focuses on first-party coverage is what most businesses will need. It protects against losses suffered by the insured and can include reparations for some of the following incidents:
- Damaged or lost digital assets, such as data and software
- Lost business opportunities or increased operational costs due to an interruption of the insured’s computer systems
- Cyber extortion if the hacker holds the insured’s data for ransom
- Money stolen through an electronic crime
Third-party coverage is generally geared toward the third-party companies who manage the software, network or system that holds the compromised data. Third-party plans typically cover costs associated with the following events:
- Security breaches of employee confidentiality
- Lost customer data and information
- Customer notification after a security breach
- Public-relations efforts as well as combatting defamation and intellectual-property violations
4. What Doesn’t Cybersecurity Insurance Cover?
Cybersecurity policies are relatively new and still growing, but many don’t cover theft of intellectual property and have a difficult time protecting against damaged reputations and lower sales. These shortcomings may change, but cybersecurity insurance is so new that underwriters remain unable to easily and accurately assess risk. As a result, they exclude items—such as product designs, software code and reputation loss—that are hard to quantify.
5. What Kind of Cybersecurity Insurance Do I Need?
The best way to determine what kind of cybersecurity insurance your business needs is to perform a risk assessment and impact analysis. Businesses should carefully review their assets—including financial and customer data—as well as intellectual property, and categorize them as high or low risk. They should also recognize their main points of vulnerability during this process. The recent attack on Swift, which was once considered a highly secure financial messaging system, showed how hackers can exploit vulnerabilities in a system to steal a company’s physical assets.
Finally, business owners should visit with legal counsel and other department heads. Doing so will provide more insight into the implications of a data breach and pinpoint which assets are critical to safeguard when developing a risk-management strategy.
6. Should I Work with a Cybersecurity-Insurance Broker?
Businesses should work with a cybersecurity-insurance broker who has proven experience and expertise in selecting a cyber policy. This individual will be able to offer advice about different policies, prices and exclusions, allowing businesses to choose the coverage that best fits their needs.
7. Who Sells Cyber Insurance?
The perceived risk exposure of cybersecurity insurance is high, so it is currently available only through major carriers like AIG, Apogee Insurance Group, Chubb and Zurich. These companies have both the means and willingness to cover filed claims. The options will likely grow, however: as cyber threats increase, so does public demand for standalone coverage.
8. How Do Insurers Price Cybersecurity Policies?
Insurers price cybersecurity coverage using the same method that they employ for traditional insurance packages. Underwriters analyze the insured’s risk and author policies accordingly. But pricing cyber insurance can be more challenging. Underwriters have little data available, making it difficult to accurately assess risk. As more objective data becomes available, this situation will likely change.
9. Why Is Cybersecurity Insurance Expensive?
Premiums are based on risk, and data breaches present a high risk because they can necessitate large payouts. As a result, cybersecurity-insurance premiums have been trending sharply upward in the past few years. Because these policies are customized to fit each company’s needs, they take more time to create and are therefore more costly. Without quantitative actuarial data, underwriters use qualitative assessments of a business’s risk-management procedures and risk culture.
The nature of the business and type of data it stores come into play as well, which is why financial and health-care institutions typically face steeper premiums. The size and scope of an organization, its number of customers, and how it collects and stores data all affect coverage needs and pricing.
10. Are There Ways to Reduce Premium Costs?
Although cybersecurity insurance doesn’t follow the new usage-based model of auto insurance, there are still ways to reduce premiums. One is by implementing best security policies and practices for your business. The Department of Homeland Security urges businesses to adopt preventative cybersecurity measures and encourages insurance companies to base premiums on the insured’s level of self-protection.
Hacks and breaches are on the rise, but businesses can make two types of offensive moves. First, they can adopt best security practices. Second, they can develop a robust recovery plan that prominently features cybersecurity insurance. These two tactics will not only help guard against cyberattacks, but they will also help get businesses back on their feet quickly if their data is compromised.
About the Author
Sarah Brown is a tech specialist with a love of all topics relating to the IoT. She writes about upcoming technologies and internet safety. Sarah believes that through entertainment, technology and the written word, we can all stay connected to each other and create a safe environment out in the ether. You can find her on Twitter @SarahDBrown136.