ANS Blog

Cyber Insurance: Worth the Price?

May 10, 2018 in Cyber Response Plan

Cyber Insurance: Worth the Price?

Unless you’ve been living under a rock somewhere, it’s hard to miss the almost daily stream of media reports about cyberattacks and data breaches. Government agencies, healthcare providers, financial institutions, corporations and, yes, most definitely, small businesses—are all under attack. Savvy business owners and executives are finally beginning to learn about how the growing risks and costs associated with cybercrime can detrimentally impact their bottom line. So, it’s not a surprise that the interest in all forms of protection— including cyber insurance coverage—has also increased. 

But the market for cyber insurance is still relatively new and evolving; so, getting the right coverage at a competitive price isn’t necessarily an easy task.  The average business owner or executive will find the terms and conditions of these policies complicated. Getting the right coverage takes time and tenacity to ensure you’re getting the protection you truly want, without paying for coverage you don’t really need, prior to purchase.

What is Cyber Insurance? 

Depending on who you’re talking to, it can go by any number of names, including: data-breach insurance, cyber liability insurance, cyber insurance or cybersecurity insurance.  In a nutshell, cyber insurance helps protect businesses against losses resulting from cyberattacks or data breaches.

Cyber insurance is designed to be a post cyber incident safety net for an organization—its use comes into play after a cybersecurity or privacy related loss occurs. As such, it should be viewed as one part of an overall cyber risk management and response plan—never as a sole solution to rely upon when an incident occurs. At best, cyber insurance should be looked upon as a complement to sound, proactive information security programs, processes, policies and practices.

Who Needs Cyber Insurance?

The need for cyber liability insurance isn’t limited to large corporations like Target or Equifax. Small- and mid-sized organizations are also at great risk. In fact, most efforts in the cyber-crime arena are now specifically targeted at smaller organizations; they usually store one or more types of valuable data (payroll/online banking /credit card info, etc.) and, with small or no IT budget, are usually a lot more vulnerable (click here for a more in-depth discussion on why cybercriminals love small businesses). However, despite their high-risk status, most business owners are only now starting to educate themselves about their real risk level and potential exposure.

Types of Cyber Insurance Coverage

Cyber insurance coverages usually fall under two primary types, which can be categorized as either first-party cyber insurance or third-party cyber insurance. First-party coverage is for losses and damage to your own business like legal, forensic, notification, credit monitoring and business interruption costs.  Third-party coverage is for losses to an outside entity, such as your clients or members of the general public, due to an event for which you are liable. To get the right coverage for your operations, it’s VERY important to understand the difference between first- and third-party coverage as well as what the policy excludes. Work with an insurance professional who has a significant amount of experience in selling these policies and can explain coverage options AND EXCLUSIONS to you in plain English. It’s also extremely important to know when coverage begins and what the time period it covers, as most policies won’t cover incidents that took place prior to their effective date.

Buying Cyber Insurance

With growing demand and offerings, the cyber insurance market is still new, or a “soft market.” This means that prices vary and terms and exclusions in cyber coverage are not standardized across the industry. This means you’ll likely see variations in how different insurance companies underwrite, package, and categorize cyber risk exposures and coverages. Coverage costs can vary widely, depending on factors like the industry you’re in, the type and amount of records you store, your annual revenues, coverage limits you need, as well as the risks associated with your organization’s existing network security. 

Reducing the Cost of Cyber Insurance

Like all other insurance policies, the higher the risk involved, the higher the cost of your insurance premiums.

However, cybercrime is a different sort of risk, with a different and often more complicated remediation path than other business risks. So, it stands to reason that the application process for cyber insurance coverage is also fairly unique. Application forms can vary in length from a few pages to more than a dozen. But, regardless of what the application looks like, all insurers will assess your level of cyber risk by collecting information about your organization in three key areas: people, processes and technology/data. 

The “people” part of the application delves into your organizational structure around security. Insurance carriers want to know who in your organization is responsible for responding to a breach, if you have a response plan and whether regulatory or compliance frameworks are involved. They’ll also want to know whether (and how often) your employees are trained on evolving IT threats to your organization. They may also want to know who your vendors are, from Internet service to software technologies to credit card processors.

The “process” part of the application digs into your network and its services; your processes for actively managing your network including software, hardware, updates/patches, user account management, etc.; whether vulnerability assessments and remediation steps are done to mitigate critical vulnerabilities; and whether your systems are audited periodically to maintain data security. The focus here is trying to determine how secure your network and IT processes are, regardless of whether you’re handling these internally or through an outsourced provider.

The “technology/data” part of the application will ask about the systems and software you use, as well the types of records you retain, including:

  • Any client-owned information you may store, or systems you access/interface with
  • Any third-party vendor information you may store, or systems you access/interface with
  • Payment card information
  • Financial records and transactions
  • Employee records and benefits
  • Any other information that could be monetized by cyber criminals

In addition, carriers will want to know how long you archive this information on your systems. All of this data is used to determine risk.

Vulnerability Assessments:
Get Your Ducks in a Row

Before you’re quoted a policy, cyber insurance underwriters will want to know that, as an organization, you are proactively taking steps to minimize the ongoing opportunities for an attack (and subsequent claim). From an IT systems perspective, this means you’ll want to have certain network assessments performed before you start the application process. It’s important to perform both internal and external vulnerability testing, to ensure you get a more complete picture of your organization’s overall risk and exposure. Most organizations tend to focus on threats that come from outside their network; but internal network threats are equally as dangerous and usually harder to identify. Internal testing determines what vulnerabilities exist for systems that are accessible to authorized internal network connections (what someone with a legitimate user login ID can access). External testing (often called penetration or “pen” testing) helps identify vulnerabilities that exist for connections your organization has established that interface with the Internet. Once completed, these tests help you more accurately determine where your true risks lie, so you can make the necessary changes.

Part of a Bigger Plan

Although it may seem like a daunting process at first, securing the right cyber liability coverage can be a valuable part of a larger overall cyber response plan. The coverage can definitely be a conduit to services you’ll desperately need if the worst-case scenario does happen.

More importantly though, the goal is to prioritize the proactive security of your systems and information—and to always put that first. When it comes to cybersecurity, there is no substitute for a strong, active defense that includes the right layers of current technology along with 24/7 network monitoring, real-time threat detection and attack termination. For more information on how to significantly improve your network protection, meet compliance requirements and make better security decisions click here