Modern businesses are under near-constant threat from a variety of online attackers. From thieves looking to turn a profit, to political activists who want to make a statement, to government-backed actors who carry out acts of espionage, there is no shortage of potential threats to your business’ data security. Unfortunately, there is no way to stop 100% of all online attacks—which is why it’s important to create strategies for dealing with a cybersecurity breach.
One tool that is becoming increasingly popular for businesses dealing with cybersecurity breaches in recent years is cyber insurance. What is cyber insurance, and how can you find the insurance policy that’s the best fit for your business’ needs?
What is Cyber Insurance?
CIO has a pretty good definition of cyber insurance policies: “A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event.” Basically, it’s a kind of insurance for cybersecurity events that helps businesses cover the cost of recovering from said events.
Any business that stores and maintains customer information, collects online payment information, or uses the cloud should consider adding cybersecurity insurance to its budget.
Getting Started with Cyber Insurance
A good first step is to create a cyber risk profile for your company, along with a list of the expenses you want covered in the event of an incident. With that list in hand, you can estimate your third-party costs.
A risk profile ranks risks by the probability of each one occurring. The scale is typically broken into three levels: unlikely, possible, and likely. Some examples of risks within a business include:
- Death and bodily injury
- Cyber extortion
- Physical/asset damage
- Data/software damage
- IP theft
- Network security liability
- Network business interruption
- Reputational loss
- Privacy events (liability and incident response)
The level of risk for each of these items may change depending on the nature of your organization. For example, a data compromise event is unlikely to lead to death or bodily injury if it happens to a CPA, but a hospital or other critical care provider losing important records could inadvertently cause harm to a patient. To establish your specific level of risk, it’s important to consult with a cybersecurity expert.
Additionally, here are 10 commonsense tips that can help you translate your risk profile into a practical action plan:
- Identify the real risks (don’t get caught up in any hype).
- Work with your Management Committee to refine the overall risk appetite and where this fits.
- Understand what your most important information is and who really needs access to it.
- Look at the broader threat landscape to understand where you are the most vulnerable.
- Protect your most critical assets.
- Make everyone accountable and be a role model of cyber secure behavior.
- Ensure that cybersecurity remains an ongoing board-level priority.
- Establish Enterprise Cyber Security objectives and metrics.
- Take action at a portfolio level and not “by silos.” This means that you have to consolidate the requirements for all aspects of security (PCI, Audit, SOX, information, privacy, physical and BCP) to ensure consistent application of security at all levels of your organization.
- Partner with a cybersecurity service provider when it makes sense—such as when you need to add specific capabilities or need access to experienced cybersecurity staff.
Things That Different Types of Cybersecurity Insurance Can Cover
Many businesses aren't aware that these insurance policies can reimburse a wide range of expenses, such as:
- Investigations into the Cause of the Breach
- Business Losses Arising from the Breach
- Privacy Protection and Breach Notification
- Lawsuits and Extortion
Cyber liability insurance is designed to cover many of the liabilities and property losses a business may suffer as the result of a cyberattack on its assets. For example, when hackers steal data from a business’ internal network to sell it online, cyber insurance can cover the expenses of protecting its customers’ identities, such as notifying customers and paying for identity theft protection services. This type of insurance can also cover destruction or loss of data, computer fraud, funds transfer loss, and cyber extortion.
Another variation of cyber insurance is data compromise insurance. This type of insurance can help a business fund data breach investigations, notify affected parties or individuals, and manage cases, along with other services that help prevent identity theft and fraud following a breach of personally identifiable information (PII).
Questions to Ask When Looking for Cyber Insurance
The specific kinds of events and expenses that a cybersecurity insurance provider covers vary from one provider to the next. When comparing cyber insurance providers, it's a good idea to ask some questions so you understand both what is covered and what the insurer expects of you.
Here are a few basic questions that are recommended in the aforementioned CIO article:
- Does the insurance company offer one or more types of cyber insurance policies, or is the coverage simply an extension to an existing policy? In most cases, a stand-alone policy is better and more comprehensive. Also find out whether the policy can be customized for your organization.
- What are the deductibles? Be sure to compare deductibles closely among insurers, just like you do with health, vehicle, and facility policies.
- How do coverage and limits apply to both first and third parties? For example, does the policy cover third-party service providers? On that note, find out if your service providers have cyber insurance and how it affects your agreement.
- Does the policy cover any attack to which an organization falls victim or only targeted attacks against that organization in particular?
- Does the policy cover non-malicious actions taken by an employee? This falls under the errors and omissions (E&O) coverage that applies to cyber insurance as well.
- Does the policy cover social engineering as well as network attacks? Social engineering plays a role in all kinds of attacks, including phishing, spear phishing and advanced persistent threats (APTs).
- Because APTs take place over time, which can be months to years, does the policy include time frames within which coverage applies?
The idea is to understand exactly what the insurer does and doesn’t cover so you won’t be surprised later.
For most small businesses, it's recommended to acquire both cyber liability and data compromise insurance. Data compromise insurance can help cover the cost of securing customer payment information, but a business’ systems may also need to be restored after the breach, so having both types of coverage is beneficial.
That being said, it takes more than the right cyber insurance policy to recover from a data breach. You also need other tools and solutions that minimize the risk (and impact) of a breach and speed up recovery. These include a layered cybersecurity architecture that provides defense-in-depth, remote backups of your most critical data, and security information and event management (SIEM) software that collects data about security incidents so you can analyze it afterward and reduce your exposure to future attacks.
Need more help and information to protect your business from critical cybersecurity threats? Contact the experts on the Compuquip Cybersecurity team today or download our Cybersecurity Basics guide for more info.