
Know Cyber Insurance and Why It Is Needed ~ Insurance Academy

Technology, social media, and transactions over the Internet play an important role in how most organizations do business and reach potential customers today. These channels also serve as a gateway to cyberattacks. Whether carried out by hackers, criminals, insiders or even a state, cyberattacks are possible and can cause moderate to severe losses to organizations large and small. As part of the risk management plan, organizations must regularly decide which risks to avoid, accept, control or transfer. Risk transfer is where cyber insurance plays its role.

What is Cyber Insurance?
A cyber insurance policy, also referred to as Cyber Risk Insurance or Cyber Liability Insurance Coverage (CLIC), is designed to help organizations mitigate risks by offsetting the costs involved with recovering after a cyber-related security breach or similar event. With its roots in Errors and Omissions Insurance (E&O Insurance), cyber insurance began to rise in 2005, with total premiums estimated to reach $7.5 billion by 2020. According to PwC, about a third of US companies currently purchase some type of cyber insurance.

The facts show that organizations see a need for cyber insurance, but what is covered? Cyber insurance usually covers first-party costs as well as third-party claims. While there is no standard for what these policies cover, the following are common expenses that can be reimbursed:

  • Investigation: A forensic investigation is needed to determine what happened, how to repair the damage and how to prevent the same type of breach from happening in the future. Investigations may involve the services of a third-party security firm, as well as coordination with the police.
  • Business loss: Cyber insurance policies may cover items similar to those covered by Errors & Omissions policies (errors due to negligence and other reasons), as well as monetary losses caused by network downtime, business interruption, data loss recovery, and costs involved in managing a crisis, which may involve costs to repair reputational damage.
  • Privacy and notice: This includes necessary data breach notices for customers and other affected parties, which are mandated by law in many jurisdictions, and credit monitoring for customers whose information is or may have been breached.
  • Lawsuits and extortion: This includes legal fees related to the release of confidential information and intellectual property, legal settlements and regulatory fines. This may also include cyber extortion costs, such as from ransomware.

Keep in mind that cyber insurance is still evolving. Cyber risks change frequently, and organizations are less likely to report the full impact of a breach, in order to avoid negative publicity and the erosion of customer trust. Thus, underwriters have very limited data with which to determine the financial impact of cyberattacks. Fundamentally, the true risks of cyberattacks are not fully understood.

What Cyber Insurance Buyers Should Look For
In Indonesia, very few insurance companies offer cyber insurance policies. Insurance industry observers believe that clients will soon expect cyber insurance to become part of every insurance company’s product line. However, as with business insurance, cyber insurance coverage varies by insurer and policy.

When comparing policies between two insurers, find out if the insurance covers all of the items listed in the previous section and ask about the following special circumstances and limitations:

  1. Does the insurance company offer one or more types of cyber insurance policies or is coverage simply an extension of an existing policy? In most cases, a stand-alone policy is best and is more comprehensive. Also find out if the policy can be customized for an organization.
  2. What deductible or excess applies? Be sure to compare deductibles closely between insurance companies, just as you would with health, vehicle and other insurance.
  3. How do coverage and limits apply to first and third parties? For example, does the policy cover third-party service providers? On that note, find out if your service provider has cyber insurance and how it affects your agreement.
  4. Does the policy cover any attack of which the organization becomes a victim, or only attacks targeted specifically at that organization?
  5. Does the policy cover non-malicious acts by employees? This is part of the E&O coverage that applies to cyber insurance as well.
  6. Does the policy cover social engineering as well as network attacks? Social engineering plays a role in all types of attacks, including phishing, spear phishing, and Advanced Persistent Threats (APT).
  7. Since an APT plays out over time, which could be months to years, does the policy specify a time frame within which coverage applies?

Tip: Many insurance companies also offer coverage comparisons against their competitors. Use these checklists to add to your own list before starting your serious research.

What do insurance companies look for when deciding on coverage?

Insurance companies want to see that an organization has assessed its vulnerability to cyberattacks (created a cyber risk profile) and is following best practice by enabling defenses and controls to protect against as many attacks as possible. Employee education in the form of security awareness, especially for phishing and social engineering, should be part of the protection plan. Further evidence of best practice could include having conducted threat assessments (even if not required by regulation). It is wise to use threat intelligence services for up-to-date information on targeted and zero-day attacks, and to engage ethical hacker services to uncover security flaws.

Note: Threat intelligence services and ethical hacking services are hard to find or financially out of reach for many small businesses. But investing in some kind of vulnerability assessment tool, or using a penetration testing service to examine external network defenses even once, can go a long way in improving security when negotiating cyber insurance.

As cyber insurance coverage becomes more standardized, insurers may request an audit of organizational processes and governance as a condition of coverage. And don’t be surprised if the insurance company agrees to provide coverage but at a level below (sometimes way below) what you feel you need. If so, keep interviewing insurance companies to find the best deal.

Creating a business case for cyber insurance
Any organization that stores and manages customer information, collects payment information online, or uses the cloud should consider adding cyber insurance to its budget. Also consider the growing number of devices now connected to the business network; as a consequence, there are more opportunities for bad guys to access organizational assets.

Attacks on all businesses are increasing. Small businesses tend to think they’re safe from exposure, but Symantec found that more than 30 percent of phishing attacks in 2015 were launched against organizations with fewer than 250 employees. The 2016 Symantec Internet Security Threat Report indicated that 43 percent of all attacks in 2015 were targeted at small businesses.

On a larger scale, the Center for Strategic and International Studies in 2014 estimated the annual cost to the global economy of cybercrime to be between $375 billion and $575 billion. Although sources differ, the average cost of a data breach incident for a large enterprise is over $3 million. Each organization must decide whether they can risk that amount of money, or if cyber insurance is needed to cover the costs for what might happen.

Remember, cyber insurance covers first-party losses and third-party claims, but General Liability insurance only covers property damage. Sony was caught in that situation after the 2011 PlayStation breach, with costs running up to $171 million that cyber insurance could have offset had the company made sure it was covered beforehand. During the court case, Zurich American Insurance Company said that Sony’s policy only covers physical property damage, not cyber damage.

Regarding costs, cyber insurance coverage and premiums are based on the organization’s industry, type of services provided, data risk and exposure, security posture, policies and annual gross income. For example, premiums can range from $800 to $1,200 for consultants, taxpayers and small organizations with incomes of $100,000 to $500,000, to $10,000 to over $100,000 for those with incomes in the millions.

Start with Step One
A good first step is to create a cyber risk profile for your company, and make a list of the expenses you are willing to incur in the event of an incident. Then, you can determine the third-party cost estimate. Many insurance companies overseas (in Indonesia there doesn’t seem to be one) provide insurance calculators on their websites to help organizations list coverage and estimate costs. Then, you can start researching cyber insurance providers.

Excerpted from CIO
Image credit: StartupNation.com
