Cyber insurance – a band-aid for a bullet hole? The devil is in the details.
Announcement posted by Cybernetic Global Intelligence 04 Dec 2015
Security breaches do not make for pleasant conversation topics, especially if your company has had to deal with one firsthand. Sadly, it often takes a breach to wholly comprehend the severity of the problem, and it comes as no surprise that sixty percent of small businesses close their doors within half a year of being victimised by cybercrime.
In response to the string of high-profile hacks and data breaches over the last couple of years, many companies have been in a rush to purchase cyber insurance to protect themselves from losses suffered due to data breaches and the costs of managing the ensuing crisis.
A useful tool in your toolbox
While not the answer to every problem, the right policy does have the potential to help with a myriad of costs associated with a breach. These can include forensics to analyse the incident and its origins, notifying the potentially harmed parties in accordance to state and federal law, legal costs, ongoing monitoring of credit charges for affected parties, fines for being in breach of regulations, rebuilding compromised security systems, and public relations to manage the brand’s reputation.
Buyer, beware of the fine print
While insurance may help mitigate some of the costs associated with a data breach, complexity of the policies and numerous fine-print exclusions can leave your business without the protection you think you’re paying for. Because cyber insurance is still a relatively new product, it lacks uniformity between policies. This means that different terms are often used for the same insurance products, and assuming a product is covered by a certain policy can lead to disaster.
Often, policies are so precisely worded that a business wanting to make a claim has limited grounds to do so. For example, if a computer system is defined as a computer system owned by the organisation, the organisation may not be covered for employee-owned devices that might be the cause of the breach.
Failing to read the fine print is not a mistake isolated to businesses without a legal team on standby. Back in 2011, after Sony’s earlier data breach, the company failed to receive reimbursement from Zurich American for the $171 million worth of damages caused by that breach, because the breach was caused by third-party hackers, and, apparently, its policy only covered actions taken by Sony. The 2013 Target data breach cost the company $252 million in expenses, only $90 million of which was covered by the company’s cyber policy. That left Target responsible for $162 million—more than 64 percent of the cost.
Understand and customise your policy
Current cyber insurance offerings vary widely with different coverage caveats, exemptions and limitations. There are also limitations on the amount of coverage. The amount of cyber insurance that a company can purchase will vary depending on a company’s financials, industry, operations, and risk exposures. There also may be sub-limits for different categories (such as forensics and notification breach costs, regulatory fines and penalties).
In choosing a cyber risk insurance policy, several factors must be considered. Most importantly, companies must understand what types of damages a policy actually covers. Cyber risk insurance policies can cover an assortment of services, tools and remediation techniques relating to data breaches and cybercrime.
Companies need to review their cyber risk policies carefully to ensure protection in each of these areas. Furthermore, while these may be the chief costs that companies associate with data breaches, they should consider other, morespecific forms of cyber risk insurance that may be necessary to cover additional damages resulting from cybercrime.
Types of cover
Data breach and privacy management coverage covers costs associated with managing and recovering from data breaches, including investigation, data subject notification, credit monitoring, and associated legal fees.
Extortion liability coverage covers damages incurred from extortion. This could be used in the case of Distributed Denial of Service (DDoS) attacks which demand ransoms, for example.
Network security liability covers costs associated with denial of service and third-party data theft.
Business Interruption This covers the loss of revenue due to network downtime because of a security breach.
Multimedia liability coverage covers defacement of websites, media, and intellectual property rights. Insurance providers also offer cyber risk products that insure against the loss of revenue due to data breaches orcybercrimes. Known as digital business income coverage, this product protects against income that is lost orunrealised because of security breaches, website failures or cybercrimes that inhibit or prevent a company from doing business digitally or online. Companies should consider whether digital business income coverage is a good fit for their business, as standard cyber risk policies may not include it. A company should not assume that lost revenue is included in a business interruption policy or even a basic cyber risk insurance policy. Discovering a lack of coverage in this area after a costly breach or cybercrime can be fatal to a company.
As more companies store information online in ‘the cloud’, and engage third party vendors to manage such data, insurance issues arise when that data is lost or stolen. Knowing whether a policy has sub-limits for specific risks, such as cloud-based data breaches, is an integral part of obtaining adequate protection from cyber risk.
Purchase adequate protection
Some industries have far higher risk profiles than others. At the very top of the tree are businesses that collect confidential information on clients, such as those in the banking, finance and health fields. However, any business that sells products to clients or charges them for services, and does so by collecting credit card and bank details, is at risk. It is therefore the responsibility of individual companies to understand their existing protection, assess their risks and work with their insurance providers to tailor a policy for their specific business needs. By doing so, a company increases the likelihood that it has adequate coverage, and that it is not paying for unnecessary, insufficient or redundant policies.
Have a good plan in place for when things go wrong
Look at all of your company’s preventative measures as well as its pre-planned response strategies to a hack or breach. If a thorough, organisation-wide breach response plan is in place then this is a good demonstration to the insurer that a lower premium is justified.
Make sure the disaster recovery plan is up-to-date and tested. It plan should take account of the business-criticality of the data and should be part of the general business continuity plan. Backups, archives, redundant databases, offsite storage – even printed reports that can be used to reconstruct information – should all have a place in this plan.
Implement a strong cybersecurity framework
The key thing to understand is that cyber insurance doesn’t eliminate the need to invest in cybersecurity. Like a home fire insurance policy or car insurance policy, a cyber insurance policy is not meant as a substitute for making cybersecurity investments and observing good cybersecurity practices. In fact, if the necessary investments and practices are not made, the organization may not even be eligible to obtain cyber- insurance.
To get insurance protection you need to have good demonstrable, documented and maintained security practices in place, such as ISO 27001 certification, as well as additional requirements (ISO 9001, ITIL, dedicated skilled security staff etc). If you do not have those security measures in place, or the measures you have do not meet the requirements set out by the insurance company, your costs to gain insurance will increase or you will not be offered insurance at all. In addition, any negligence on your part in protecting your data will mean that that the policies will fail to pay out and leave you stranded.