Cyber Insurance: Your Backstop in Your Cyber Incident Response
Cyber threats aren’t going away or becoming any easier to address. According to a recent study conducted by Hiscox Insurance in the past year, 72 percent of large companies in the U.S. have reported at least one attack. Sixty-eight percent of smaller U.S. companies during this same period reported at least one attack.
When it comes to your company’s cyber risk resiliency strategy, you must be ready to identify and assess the severity of incidents, have layered defenses that protect your borderless networks, and be able to respond and recover quickly when something goes wrong. Each interconnected element of your cyber risk management strategy is important and must be addressed concurrently. Getting started requires an understanding of the threat landscape, a foundational knowledge of cyber risk, and a good idea about what you are protecting. While cyber insurance is not your first line of defense, it serves a critically important role in every organization’s incident response and recovery strategy.
How cyber insurance helps you
The primary function of cyber insurance is to serve as a backstop to help you continue operations in the event of a cyber incident or breach — but what does this mean? A good way to think about cyber insurance is less about paying claims and more about providing essential services and support during a cyber incident. Most businesses know a cyber event could happen. A smaller number of companies have a well-defined and rehearsed incident response plan (IRP) in place that includes your internal team as well as external vendors, such as a data breach coach, cyber forensics expert, and public relations consultant to help protect your reputation. Cyber insurance will not build an IRP for you, but it will give you immediate access to a data breach coach, who will maintain attorney client privilege and quarterback the incident response process, including the activities of other experts. Cyber insurance is a backstop because it provides the resources to help prevent an unexpected cyber event from becoming a catastrophic disaster.
Beyond the incident response benefits, cyber insurance policies provide a variety of coverage components that are not available in your companies’ other business insurance policies. Cyber coverage that is bundled with other policies tends to be extremely limited in scope, so it is important to examine your existing policies closely. That will allow you to make sure your coverage includes all the components you need — or determine that there are components you need to add via a standalone cyber policy.
Navigating the evolving and confusing cyber insurance landscape
The current cyber insurance marketplace is crowded, and the options will only continue to increase as insurance companies develop more unique standalone cyber policies.
Cyber insurance policies available today protect against a number of exposures, but each policy uses unique wording and definitions, so in the end, they will cover cyber risks differently. When your organization is ready to consider adding or updating this type of coverage, it is important to work with an insurance partner that has experience helping businesses review their cyber risks, as well as the ability to compare and explain cyber insurance policies. While terms and definitions may vary, a good cyber insurance policy should allow you to select from the following coverage options:
- Liability to others (Third party)
- Cyber incident liability
- Data breach liability
- Content and media liability
- Regulatory proceedings
- Direct expenses and reimbursements (First party)
- Regulatory investigation expenses
- Fines and penalties
- Data breach notification and response costs
- Public relations expenses
- Business interruption and extra expense
- Contingent business interruption and extra expense
- Cyber crime and electronic theft
- Electronic theft
- Cyber extortion
- Identity theft
- Telephone hacking
- Phishing scams
- Deceptive funds transfer and social engineering
A cyber insurance policy generally provides financial resources in the event of an incident or data breach, but many policies offer additional proactive benefits as well. These will vary by carrier but may include access to online resource portals, pre-breach counselors and support, free access to or discounts for technical security controls, cyber risk assessment tools, training, and access to experts who can help you respond to a cyber event (data breach coach, cyber forensics experts, public relations consultants, and others).
Setting appropriate limits is another important factor to consider when purchasing cyber insurance. The value of cyber risk is driven by a variety of factors, so there’s no one-size-fits-all rule for setting policy limits — but in general, your policy limits should cover the estimated cyber exposure costs you are not willing to accept or are not able to mitigate with controls.
If you want to dive deeper into your cyber risk, you can use a process we presented in a previous installment of this series or work with an insurance advisor who is knowledgeable about cybersecurity. While there is no exact science to help you set policy limits, these tools and strategies can help you understand the financial impact a cyber event could have on your business. This process can be labor-intensive at first, but once you begin, it’s a little easier to update each year during the insurance renewal phase or on another interval.
Have questions about cyber insurance? Or need help building a comprehensive cyber resiliency strategy, contact me at firstname.lastname@example.org.