The question ‘Am I insured for a cyber incident?’ is vital to your organization.
When setting up new business operations, you do not start selling services before getting insurance. The same applies to cyber insurance.
While cyber insurance is relatively new, its need cannot be overstated. There are different types of cyber coverage available, and your current insurance lines don’t necessarily include cyber coverage.
For instance, D&O (Directors and Officers) insurance, along with general insurance, will often not include cyber coverage. Even within a cyber policy there are optional coverage aspects. One example is that D&O cyber coverage is obtained separately from your standard cyber policy.
What should my cyber policy cover?
Cyber coverage is not one-size-fits-all, but there are some key components every business should consider.
Annual policy reviews deserve particular attention. Cyber threats are dynamic, and this constant change makes them difficult to quantify for enterprises and insurers alike.
Changing legal and regulatory requirements complicate the situation further. For the past several years, requirements have been in a constant state of flux as governance attempts to catch up with growing privacy concerns. This is likely to continue into the foreseeable future, giving organizations all the more reason to review and update their cyber insurance policies frequently.
There are eight important aspects that your cyber policy should cover:
First party and third party
The coverage options above are broken into two categories: first party and third party.
First party coverage covers expenses your organization incurs as a result of a cyber incident – forensic costs, notification costs, credit card monitoring. Network security coverage is provided as a result of damaged or lost customer data.
Third party coverage is in place due to legal action taken against the insured – claims, class action lawsuits, regulatory fines, etc.
What may not be covered by my cyber insurance policy?
Not all types of cyber incidents will be covered by your insurance policy, and it’s important to be aware of exactly how far your coverage extends.
Examples of incidents that may not be covered:
What will my cyber insurer provide?
Your insurer, in the event of a serious breach, will have options available to you such as setting up call centres for customers, and aiding with notifications. If you do not have a standing relationship with a cyber security provider or incident response team, your insurer will have security teams ready to fix your network issues.
Insurers will follow a three-step approach to incident response situations.
When applying for cyber coverage it is important to know what type of data you process and store, as well as your current physical and digital assets and their associated security measures. You should also take stock of whether encryption is being used, what your backup systems are, and be aware of any other security measures you have in place.
This auditing process is similar to the steps you would take in setting up a security management plan. Whether you are renewing, adding coverage, or applying for the first time, the information gained through that auditing process is invaluable to understanding your cyber security maturity. The more knowledge an organization has about its cyber security, the better prepared it will be when an incident occurs.