Do you need it and, if so, what kind?
I am not a cyber insurance expert, nor am I qualified to give legal advice, but as someone who thinks a lot about IT vulnerabilities and threats, I believe that every business should evaluate the cost-benefit of cyber insurance to help protect from cyber risk.
Such an evaluation starts with a careful consideration of the business’ true exposure to the negative impact of cyber incidents. The next step is to review your current insurance policy to understand any deficiencies in coverage. If unacceptable gaps become apparent, you can likely find a cyber insurance policy to address them.
The Need for Cyber Insurance
We constantly read about widespread cyber attacks and system outages in the news, and I hear about smaller, targeted incidents just as frequently. In most cases, the exploited vulnerability is well known by IT experts, as are various ways of addressing it, but knowing is only half the battle. Sometimes closing a technical vulnerability is too inconvenient or impractical or expensive for a business to justify. Sometimes human error or unwillingness to follow proper procedures causes a problem. Sometimes the miniscule odds just aren’t in your favor.
Whatever the reason, the risk of a cyber attack or other incident cannot be completely mitigated via technology alone. Cyber insurance can contribute to a good night’s sleep in a world where acceptance of non-negligible risk is a sober reality.
Cyber insurance has evolved in recent years from a niche to a mainstream product offered by major insurance providers. General commercial liability policies often exclude cyber events from their coverage. In addition, many businesses’ exposure to cyber risk is significantly different from their exposure to other types of risk, which leads to a need for different limits, deductibles, etc. Consequently, cyber insurance is typically a separate offering.
Types of IT Risks
Common cyber risks and the types of insurance that mitigate them are divided into the categories of network security and privacy liability. Network security threats include system failures and cyber crimes such as crypto attacks, cyber extortion and funds transfer fraud. Exposure to network security incidents includes the direct costs of responding and recovering, as well as the cost of business interruption.
Privacy threats include theft, employee misuse, and employee mishandling of protected, confidential information. Exposure includes the direct costs and loss of reputation due to lawsuits, regulatory fines and other costs, as well as the cost of response, which could include notification, data recovery, legal and PR fees, and credit monitoring.
Cyber Insurance Coverage
Although the industry language can vary when describing types of cyber insurance coverage, the specific terms used by a given provider generally relate to universal concepts. In that light, types or aspects of first party cyber insurance coverage (which applies when the policy holder was negatively impacted) include business interruption, data loss, cyber extortion and reputational harm.
Types of third party coverage (which applies when another entity was negatively impacted) include privacy liability, privacy event expense reimbursement, and regulatory defense and penalties. Please talk to your insurance professional to decide what is appropriate for your business.
Could these scenarios apply to your business?
If they do, are you covered?
A cyber attack (crypto) renders IT systems unusable for days or longer.
An employee clicks on a link in an email, which sends malware to everyone in his address book.
A vendor sues for defamation in response to an employee’s Facebook post.
A targeted social engineering attack leads to fraudulent wire transfer.
An unencrypted laptop with third party personal information is stolen from an employee’s car.