As businesses in every industry become more dependent on digital systems, their exposure to cyberattacks grows with it. From financial losses to reputational damage, the consequences of these incidents can be devastating. A robust risk management strategy, of which insurance is one part, can help limit the fallout of a cyber incident. This guide explains the key components of a cyber insurance policy and the two main types of coverage, third-party and first-party, that such policies typically include. We’ll also take a look at how to assess your business’s risk and work with your advisor to choose the proper coverage.
Introduction to Cyber Policies
A cyberattack is a malicious attempt to gain access to a network or server in order to steal data, funds, or files, or to destroy or disable systems. Cyberattacks can take many forms, including phishing, ransomware, social engineering, and malware. As the frequency and severity of cyber incidents continue to increase, so does the need for insurance and for a keen understanding of how cyber policies work. Unfortunately, cyber policy language is not uniform across carriers, but below are some examples of coverages that may be available.
Third-party coverage protects a business against lawsuits or claims brought by third parties, entities that are not directly involved in a company’s operations, and the financial losses for which your business may be responsible. Third-party insuring agreements include:
- Privacy and Security Liability – provides coverage for defense costs and damages (settlement and judgements) suffered by a third party arising from a network security breach that exposes confidential personally identifiable or confidential corporate information or one that results in malware or a virus being transferred to a third party computer.
- Media Liability – provides coverage for defense costs and damages (settlement and judgements) suffered by a third party arising from personal injury and intellectual property infringement (not patent) claims arising from a business’s website or media content.
- Regulatory Fines and Penalties – provides coverage for defense costs, fines and penalties resulting from a privacy regulatory investigation or inquiry.
- Payment Card Industry Data Security Standard (PCI DSS) – provides coverage for fines, penalties and assessments levied by the card brands (through your acquiring bank) following an investigation alleging failure to comply with the PCI DSS.
Examples of third parties include customers, suppliers, business partners, regulatory agencies, and law enforcement agencies. It’s important to know that specific parties involved can vary depending on the nature of the incident, the industry and applicable regulations.
First-party coverage protects a business from costs associated with responding to a cyber incident – the direct costs your business may incur. First-party insuring agreements include:
- Privacy Event Expenses – provides coverage for a business’s direct costs associated with responding to a breach, including legal, computer forensics, notification to impacted individuals, public relations, and credit monitoring services.
- Extortion – provides coverage for the investigation associated with an extortion or ransomware demand, and for payment of the demand to release the data or network. Carriers typically require their consent before any payment is made, and payments to sanctioned parties cannot be reimbursed, so involve the carrier before negotiating.
- Business Interruption (BI) and Extra Expense – provides coverage for lost revenue and extra expense arising from a computer breach that results in an interruption or degradation of service for the business. Dependent BI is similar, but the cyber incident occurs at a dependent business (for example a hosting or SaaS provider) that the company relies upon to conduct its business.
- System Failure – provides coverage for lost revenue and extra expense arising from an error or mistake that results in an interruption or degradation in service for a business. This is similar to Business Interruption, but the trigger is simply a mistake or error as opposed to a cyberattack or incident.
- Data Recovery and Extra Expense – provides coverage for the costs of retrieving or recreating data that was damaged or corrupted during a computer attack.
- Social Engineering/Cyber Crime – provides coverage for funds lost because an employee was deceived into transferring them, for example through a phishing scheme, whereas most other cyber insuring agreements respond to the loss or theft of data rather than money.
Costs that are often listed separately on a proposal, such as notifying affected individuals or regulators, hiring a public relations firm for damage control, and providing identity theft protection (credit monitoring or identity restoration) to affected individuals, normally fall under Privacy Event Expenses above. Legal defense and any fines or penalties levied by regulators in connection with the breach fall under the third-party Regulatory Fines and Penalties agreement. Confirm which insuring agreement each of these costs is paid from, since each carries its own sublimit.
Getting the Coverage You Need
Cyber insurance policies differ in coverage limits, deductibles, sublimits and other policy terms. It is critical to carefully review and compare policy options to ensure you’re getting coverage that matches your business’s needs. An experienced advisor can help you navigate this process and streamline communication with insurance carriers.
Assessing Your Business’s Risk: Who Needs Cyber Insurance?
Whether it’s a startup or a corporation, if a business uses technology, it is potentially at risk of a cyberattack or data breach. Based on claims data, the most frequently affected industries include healthcare, financial services, retail, and technology, but any type of organization can be affected.
Factors that may increase your business’s risk of a cyber incident include:
- Storing or collecting sensitive customer or employee data, such as credit card numbers or Social Security numbers
- Processing large volumes of transactions or handling large amounts of data
- Relying on third-party vendors or cloud services to store or process data
- Having a public-facing website or mobile app
How to Choose the Right Coverage for Your Business
When selecting a cyber policy, it’s important to consider the specific risks your business faces and the level of coverage you need. Some factors to consider when talking to your insurance advisor include:
- Coverage Limits: Ensure the policy provides adequate coverage limits to address the potential financial losses your business may face because of a breach or attack.
- Deductibles: Consider the policy’s deductible, which is the amount your business will be responsible for paying before the insurance coverage kicks in.
- Policy Exclusions: Carefully review the policy’s exclusions to ensure there are no gaps in coverage that could leave your business exposed to significant financial losses.
- Additional Coverages: Some policies may include additional coverages, such as business interruption or coverage for cyber extortion, which can provide added protection for your business.
Tips for Preventing and Managing Cyber Risks
While insurance is an important tool for managing the effects of a cyber incident, businesses should also take proactive steps to prevent one from occurring in the first place. Best practices for managing cyber risks include:
- Implementing strong security measures, such as firewalls, encryption, and multi-factor authentication
- Regularly updating software and hardware, including installing security patches and updates
- Conducting regular vulnerability assessments and penetration testing to identify potential weaknesses in your systems
- Developing a comprehensive incident response plan to guide your business’s plan of action in the event of a breach or attack
Importance of Employee Training and Awareness
One of the most effective ways to reduce your business’s risk of a cyber incident is through employee training and awareness. Educating employees about the warning signs of phishing emails, the importance of strong passwords, and other best practices for maintaining cybersecurity can help prevent incidents and minimize potential damage.
Consider offering regular training sessions and providing employees with resources, such as tip sheets or posters, to reinforce cybersecurity concepts. Additionally, establish clear policies and procedures for reporting potential security incidents, and encourage employees to report any suspicious activity or concerns.
Role of Technology in Protecting Your Business
Investing in advanced technology can help protect your business from cyber threats and minimize the potential impact of a breach or attack. Consider implementing these technologies:
- Encryption: Encrypting sensitive data, both at rest and in transit, can help protect it from unauthorized access.
- Intrusion Detection and Prevention Systems: These systems monitor your network for potential threats and can help prevent unauthorized access.
- Security Information and Event Management (SIEM) Tools: SIEM tools aggregate log data from many sources into one normalized stream and correlate events across them, which surfaces incidents that no single system’s logs would reveal on their own and provides valuable insight for improving your security posture.
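To make the SIEM point concrete, here is an added example (not code from the original article or from any particular SIEM product) that normalizes authentication events from two constructed sources, OpenSSH-style syslog lines and JSON-lines VPN events, into one schema and then correlates them per source IP. Hostnames, addresses, usernames and log lines are all constructed for the example.

```python
"""Toy SIEM-style log correlation.

Added example (not from the original article): normalises authentication
events from two constructed sources into one schema, then flags a source IP
that accumulates failed logins and afterwards succeeds, a common brute-force /
credential-stuffing signature. All log lines, hosts and addresses are made up.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: OpenSSH-style syslog lines from a Linux host.
SSHD_LOG = """\
2024-05-01T09:00:01Z web01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-05-01T09:00:04Z web01 sshd[812]: Failed password for root from 203.0.113.7 port 51130 ssh2
2024-05-01T09:00:09Z web01 sshd[812]: Failed password for root from 203.0.113.7 port 51141 ssh2
2024-05-01T09:01:30Z web01 sshd[830]: Accepted password for deploy from 198.51.100.20 port 40010 ssh2
"""

# Constructed sample: JSON-lines events from a VPN gateway.
VPN_LOG = """\
{"ts": "2024-05-01T09:00:12Z", "src": "203.0.113.7", "user": "jsmith", "result": "FAIL"}
{"ts": "2024-05-01T09:00:15Z", "src": "203.0.113.7", "user": "jsmith", "result": "FAIL"}
{"ts": "2024-05-01T09:02:40Z", "src": "203.0.113.7", "user": "jsmith", "result": "OK"}
{"ts": "2024-05-01T09:03:00Z", "src": "198.51.100.20", "user": "deploy", "result": "OK"}
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_sshd(text):
    """Normalise sshd syslog lines into {ts, source, src, user, success}."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # unrelated sshd message; a real pipeline would count these
        events.append({
            "ts": parse_ts(m["ts"]), "source": "sshd:" + m["host"],
            "src": m["src"], "user": m["user"],
            "success": m["outcome"] == "Accepted",
        })
    return events


def parse_vpn(text):
    """Normalise JSON-lines VPN events into the same schema as parse_sshd."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "ts": parse_ts(rec["ts"]), "source": "vpn",
            "src": rec["src"], "user": rec["user"],
            "success": rec["result"] == "OK",
        })
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert on source IPs with >= threshold failures (across any system)
    inside a sliding `window` that are then followed by a successful login."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        failures = []
        for ev in evs:
            # Drop failures that have aged out of the sliding window.
            failures = [f for f in failures if ev["ts"] - f["ts"] <= window]
            if not ev["success"]:
                failures.append(ev)
            elif len(failures) >= threshold:
                alerts.append({
                    "src": src, "user": ev["user"], "via": ev["source"],
                    "failures": len(failures),
                    "systems": sorted({f["source"] for f in failures}),
                })
                failures = []
    return alerts


def run():
    """Aggregate both constructed sources and correlate them."""
    return correlate(parse_sshd(SSHD_LOG) + parse_vpn(VPN_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run on its own, the example raises a single alert for 203.0.113.7: five failures across web01 and the VPN within the window, then a successful VPN login as jsmith. Neither source would have tripped the threshold alone (three failures but no success on the host, two failures then a success on the VPN), which is exactly the cross-source visibility the SIEM bullet above describes.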
Safeguarding Your Business in the Digital Age
Cyber threats are becoming increasingly common and sophisticated in this rapidly evolving digital age. A cyberattack can have devastating financial and reputational consequences for your business, but there are steps you can take to minimize the potential impact of a cyber incident.
Partnering with a team of experienced advisors can help you mitigate cyber risks and develop strategies to reduce catastrophic fallout in the event of a cyber incident. Our advisors consistently stay at the forefront of emerging technologies and market trends to help you mitigate the financial and reputational risks of a cyberattack.
Connect with one of our cyber insurance advisors to help you find the right tools and strategies to stay ahead of the ever-evolving cyber risk landscape.