Cybersecurity Insurance
(Coverages, Operations & Limitations)


This post discusses cybersecurity insurance: its meaning, operations, coverages, and limitations.

 

WHAT IS CYBERSECURITY?

Cybersecurity refers to the technologies, processes and practices designed to protect an organisation’s intellectual property, customer data and other sensitive information from unauthorised access by cybercriminals. Cyberspace is a virtual space with no physical existence, but the term is often used when describing digital weaponry directed against individuals’ and organisations’ digital devices. A cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life.

A cyber-attack is an attack against the digital devices of an organisation via cyberspace. Cyber-attacks include threats like computer viruses, data breaches, and Denial of Service (DoS) attacks. Many cyber-attacks are mere nuisances, while some are severe and may threaten human lives. Cyber-attacks can cause electrical blackouts, military equipment failure, and breaches of national security secrets. They can also result in the theft of valuable and sensitive data like personal and medical records.

Furthermore, cyber-attacks can disrupt phones and computer networks, paralyse systems, and make data unavailable. The frequency and severity of cybercrime are rising, and there is a significant need for improved cybersecurity risk management as part of every organisation’s enterprise risk profile. Cybersecurity is the state or process of protecting and recovering computer systems, networks, devices, and programmes from any cyber-attack. Cyber-attacks are an increasingly sophisticated and evolving danger to organisations’ sensitive data, as attackers employ new methods powered by social engineering and artificial intelligence to circumvent traditional security controls. See the post on cybersecurity risk management.

 

WHAT IS CYBERSECURITY INSURANCE?

Every organisation is vulnerable to cyber incidents. Even if a company’s data is less attractive to hackers, its sensitive data is likely to reside with third-party providers. Cyber security insurance covers the cost for a business to recover from a data breach, virus, or other cyberattacks. Cybersecurity insurance is also known as cyber insurance, cyber liability insurance and cyber risk insurance.

Cybersecurity insurance is designed to mitigate losses from cyber incidents, including data breaches, business interruptions, and network damage. It also covers legal claims resulting from the breach. Any business that stores sensitive data in the cloud or an electronic device should have cyber security insurance. 

Cyber insurance helps firms hedge against the potentially devastating effects of cybercrimes such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or any other method used to compromise a network and sensitive data. Traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, which has led to cybersecurity insurance becoming a “stand-alone” line of coverage.

Cybersecurity insurance products are personalised to help companies mitigate specific risks. A robust cybersecurity insurance market could help reduce the number of successful cyber-attacks by

1. Promoting the adoption of preventative measures in return for more coverage; and 

2. Encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.

 

WHO NEEDS CYBERSECURITY INSURANCE?

As businesses insure against business problems, natural disasters, and physical risks, they also need insurance coverage for cyber threats. Cybersecurity insurance helps companies respond during a cyberattack or data breach. As the number of applications and devices increases, an organisation becomes more vulnerable to attacks. 

Cybersecurity insurance can be essential if a company’s network or systems are hacked or corrupted by a virus. If a costly breach occurs, the company may not have the resources to combat these issues or recuperate losses. Cybersecurity insurance can provide support so these attacks do not cripple the business.

If a company purchases a cyber security insurance policy, it agrees to maintain appropriate security measures to prevent a cyber incident from happening in the first place. A general or professional liability insurance policy often contains basic cyber liability coverage. However, businesses that store Personally Identifiable Information (PII) for employees or customers should have stand-alone or enhanced cyber security insurance. 

PII includes any data that can be used to identify a particular individual, such as name, date of birth, email address, social security number, credit card number, or bank account number. A sound internal system is a primary way to protect a company against cyberattacks. For example, small business owners should restrict access to personally identifiable information to a limited number of people in the organisation.

Security should be the number one item on the boardroom agenda of businesses. It would be best if the company staff used strong passwords and accessed different software tools on electronic devices. The company should also regularly update passwords and software. Technical and physical safeguards should be in place. Insurance coverage is an added layer of protection that enables the company to call upon the insurer in its moment of need.

 

WHAT IS COVERED BY CYBER SECURITY INSURANCE?

Most cyber insurance plans cover a broad range of cyber risk losses that may unexpectedly arise from cyberattacks. In addition, some cyber insurance plans may cover physical damage to hardware and loss of business income. Cyber security coverage may vary depending on the cyber insurer or the insurance provider. Depending on the insured’s business security policy, cyber insurance plans can be personalised. The reason is that there is no such thing as standard cybersecurity insurance.

Insurers started offering cyber coverage only within the last couple of decades. Unlike many other more traditional lines of insurance, there is no standard policy form for cyber insurance. Each cyber insurer has its own policy form, utilising its unique policy language. This creates challenges for companies comparing one cyber insurance policy with another. Most insurers offer two types of coverage within a cyber security policy: first-party cover and third-party cover. Let us consider these two types of cybersecurity insurance coverage.

 

FIRST-PARTY COVERAGE

This coverage pays for immediate expenses that a company incurs after a cyber breach. Cover provided by first-party cybersecurity insurance policies includes data restoration, loss of income and extra expenses, cyber extortion, notification costs, and crisis management.

 

THIRD-PARTY COVERAGE

A data breach can also trigger third-party claims or lawsuits involving personally identifiable information such as social security numbers, health records, and credit card numbers. Third-party insurance covers the assets of others, including the company’s customers. The third-party coverage helps the company defend against lawsuits and legal claims. 

Some insurance companies also provide risk mitigation services to help a firm identify and avoid cyber threats before they occur. After a breach, some insurers set up a hotline that customers and members of the public can call to get more information.

 

WHAT IS NOT COVERED BY CYBER SECURITY INSURANCE

It is essential to carefully read the cyber security insurance policy and understand any exclusions. Many cybersecurity policies exclude preventable security issues caused by humans, such as poor configuration management or the careless mishandling of digital assets. Other issues excluded by cybersecurity policies include the following:

1. Bodily injury or property damage claims,

2. Loss of property,

3. Criminal activity, and

4. Social engineering.

 

Like other insurance contracts, cybersecurity insurance policies also exclude certain types of claims, including: 

  1. Intentional dishonest acts committed by the insured. 
  2. War and terrorism.
  3. Contractual liability.
  4. Utility failure.
  5. Cost of restoring computer systems to a higher functionality level than previously.
  6. Acts committed before the retroactive date (subject to the policy terms and conditions).
 

CYBERSECURITY INSURANCE CLAIMS AND LAWSUITS COVERAGES

Many cyber policies include liability coverages. These coverages are usually claims-made. Cyber policies typically cover damages and defence costs within the basic limit or increased liability limit.

Cyber security insurance claims and lawsuits coverages include:

1. Network security and privacy liability.

2. Electronic media liability.

3. Regulatory proceedings – Covers fines or penalties imposed on the business by regulatory agencies that oversee data breach laws.

 

CAN BUSINESSES REPLACE CYBERSECURITY DEFENCE WITH CYBER INSURANCE?

The answer is a capital ‘No’: businesses cannot replace cybersecurity defence with cyber insurance. Cyber risk insurance can be a great way to mitigate the damage caused by a breach. Still, it should complement cybersecurity technology in an overall cyber risk management plan. Cyber risk insurers analyse the strength of a company’s cybersecurity posture before issuing any policy.

 

BEST PLACES TO BUY CYBER SECURITY COVERAGE

When shopping for cyber security insurance coverage, a well-known provider offering such coverage is an excellent place to start. If the prospective insured has a general liability or professional liability policy, check whether the company’s policy contains some cyber liability coverage. This will assist in ascertaining whether the company’s insurer offers separate cyber security insurance. The cyber liability coverage within such a policy will not be sufficient for most businesses, but it is a good starting point.

I recommend working with an insurance company rated A or higher by a reputable credit rating firm that ranks the financial solvency of insurance companies. An A rating or higher means the insurer has enough funds to pay out all valid claims. Top insurers and providers of cyber security insurance include Hiscox, Chubb, The Hartford, AIG, CNA, Arch, Hanover, Intact, Beazley, Axis, Liberty Mutual, Lloyd’s syndicates, and CoverWallet.

 

UNDERWRITING FACTORS AND PREMIUM OF CYBER SECURITY INSURANCE

Cyber risk often seems difficult to quantify, making it difficult for insurance companies to appropriately underwrite their cyber risk policies. The number of threat vectors and continuously evolving threats, such as new types of malware and ransomware, lead to confusion over fair pricing. Companies that underwrite cyber risk insurance policies need metrics to help reduce the risk in their portfolios. 

How the cyber security insurance proposer secures its data is an essential factor in the underwriting of cyber security insurance. This is because security ratings help insurance companies price their cyber risk policies better to reduce risk in their portfolios. 

Security ratings use publicly available information to assess potential data breach risks arising from control weaknesses. Cybersecurity insurance providers can use security ratings to gain insight into how policyholders and their supply stream partners secure data so that the insurance company underwrites cyber insurance policies based on metrics, not just guesses.

 

Cyber insurance pricing is based on the insured entity’s annual revenue and industry. Before the inception of the cyber insurance policy, the individual or entity typically must submit to a security audit by the insurance company or provide documentation with the assistance of an approved assessment tool. The cost of a cyber insurance policy will depend on several factors, including the business’s size and annual revenue.

Other factors can include:

  • The company’s industry.
  • The type of data that the business typically deals with.
  • The network’s overall security.

 

An organisation with poor cybersecurity or a previous history of falling victim to hackers or a data breach would likely be charged more for a cyber insurance policy than one with a good reputation for keeping itself secure. Sectors such as health and finance are likely to find that cyber insurance policies cost more due to the sensitive nature of the fields in which they operate.

Here are the factors that affect the cost or premium of cyber security insurance:

1. Coverage limits,

2. Data access,

3. Security measures,

4. The firm’s sector or industry, and

5. Claims history.

 

Compared to other types of business insurance, cyber security insurance costs are higher because the fallout can often be much more significant. A small business needs to contain the crisis, respond to customers, deal with public relations damage, fix damaged hardware or software, recover lost profits, and cover the cost of any legal claims. When the company computes the costs of a cyber incident, they might be significant and expensive.

 

See my video on Cybersecurity Insurance:  https://youtu.be/9S0drs9L3FY

VIDEO TIMESTAMPS

00:00 – Insurance
01:09 – What is cybersecurity insurance?
03:00 – Who needs cybersecurity insurance?
06:26 – What is covered by cybersecurity insurance?
11:25 – What is not covered by cybersecurity insurance
13:24 – Cybersecurity insurance claims and lawsuits coverages
14:49 – Can businesses replace cybersecurity defence with cyber insurance?
15:51 – Best places to buy cybersecurity coverage
16:59 – Underwriting factors and premium of cybersecurity insurance
21:19 – Conclusion
