A Brief Overview of Cyber Insurance

The question ‘Am I insured for a cyber incident?’ is vital to your organization.

When setting up a new business you do not start selling services before getting insurance. The same applies to cyber insurance.

While cyber insurance is relatively new, its importance cannot be overstated. There are different types of cyber coverage available, and your existing insurance lines do not necessarily include cyber coverage.

For instance, D&O (Directors and Officers) insurance and general liability insurance will often not include cyber coverage. Even within a cyber policy there are optional coverage components; D&O cyber coverage, for example, is obtained separately from a standard cyber policy.

What should my cyber policy cover?

Cyber coverage is not one-size-fits-all, but there are some key components every business should consider.

Annual policy reviews also deserve attention. Cyber threats are unusual in that they change constantly, and that constant change makes the risk difficult to quantify for enterprises and insurers alike.

Changing legal and regulatory requirements complicate the situation further. For the past several years, requirements have been in a constant state of flux as regulators attempt to catch up with growing privacy concerns. This is likely to continue for the foreseeable future, giving organizations all the more reason to review and update their cyber insurance policies frequently.

There are eight important aspects that your cyber policy should cover:

  • Public relations expenses
  • Credit monitoring for affected individuals
  • Notification expenses
  • Legal expenses: regulatory fines, liability, and defence costs
  • Forensic expenses
  • Business interruption
  • Loss of intellectual property (IP)
  • Digital asset loss

First party and third party

The coverage options above fall into two categories: first party and third party.

First-party coverage pays for expenses your own organization incurs as a result of a cyber incident: forensic costs, notification costs, and credit monitoring for affected customers. It also typically includes network security coverage for customer data that has been damaged or lost.

Third-party coverage responds to legal action taken against the insured: claims, class-action lawsuits, regulatory fines, and similar liabilities.

What may not be covered by my cyber insurance policy?

Not all types of cyber incidents will be covered by your policy, and it is important to know exactly how far your coverage extends.

Examples of incidents that may not be covered:

  • Social engineering – Phishing, whaling or baiting attacks in which employees are duped into handing credentials or funds to a threat actor, typically over email. Where this is covered at all, it is often a separately purchased endorsement with a lower sub-limit than the main policy.
  • New hardware – Coverage is usually for digital assets, not for physical damage or hardware replacement.
  • Software upgrades – Coverage applies to the software version in use at the time of the incident. An outdated computer running Windows Vista will not be replaced with one running Windows 10.
  • Third-party errors – Some policies extend to errors made by your service providers, but it is important to review exactly what your policy provides.
  • Bodily injury – Bodily injury resulting from a cyber attack is a worst-case scenario and thankfully remains almost unheard of; it is typically excluded from cyber policies.
  • Intellectual property loss – Quantifying the value of IP is difficult, so this loss is often excluded or sub-limited. Demand for this line of insurance is growing, however, which should increase the number of providers offering it.

What will my cyber insurer provide?

In the event of a serious breach, your insurer will have options available to you, such as setting up call centres for affected customers and assisting with notifications. If you do not have a standing relationship with a cyber security provider or incident response team, your insurer will have security teams ready to address your network issues. Check whether your policy requires you to use the insurer's panel of approved vendors and to notify the insurer before engaging anyone; costs incurred with an unapproved provider may not be reimbursed.

Insurers generally follow a three-step approach to incident response:

  • Advise: Incident response (IR) teams determine the extent of the incident and remediate it.
  • Manage: Coordinate the incident response, review the scope of work and the performance of the IR team, ensure activities stay within the policy's scope, and notify you when that changes.
  • Communicate: Provide central points of contact for your organization, stakeholders, customers, and others.

When applying for cyber coverage it is important to know what types of data you process and store, what physical and digital assets you hold, and what security measures protect them. You should also take stock of where encryption is used, what your backup systems are, and any other security controls you have in place.

This auditing process is similar to the steps you would take in setting up a security management plan. Whether you are renewing, adding coverage, or applying for the first time, the information gained through that audit is invaluable for understanding your cyber security maturity. The more an organization knows about its own security posture, the better prepared it will be when an incident occurs.