We recently talked to a client that experienced an IT nightmare – they got hit by ransomware, and had no way to protect themselves.
For some time, they had been considering investing in cyber insurance. You hear about it more and more these days – it’s essentially a policy that covers your costs of recovery after you get hit by malware.
However, it only works if you have it before you get hit. If you try to get a policy while you’re reeling from a ransomware attack, it’s essentially like trying to get health insurance with a pre-existing condition.
Needless to say, this client is sorry they waited to invest. They just kept assuming they’d have more time, that they could budget it in the next quarter, or the next year. Without warning, they got hit by ransomware, lost their data, and had to pay a ransom.
This is the kind of assumption a lot of businesses make – since they haven’t been hit yet, they never will.
Does that sound familiar to you? Then maybe you should start thinking about cyber insurance…
What Is Cyber Insurance?
Often referred to as cyber liability or data breach liability insurance, Cyber Insurance is a type of stand-alone coverage.
Cyber Insurance is designed to help businesses cover the recovery costs associated with any kind of cybersecurity incident including:
- Breach and event response coverage: A very general and high-level form of coverage, this covers a range of costs likely to be incurred in the fallout of a cybercrime event, such as forensic and investigative services; breach notification services (which could include legal fees, call center, mailing of materials, etc.); identity and fraud monitoring expenses; public relations and event management.
- Regulatory coverage: Given that a range of organizations (such as The Securities and Exchange Commission, the Federal Trade Commission, the Department of Homeland Security, and more) have a hand in regulating aspects of cyber risk in specific industries, there are usually costs that come with defending an action by regulators. This covers the costs associated with insufficient security or “human error” that may have led to a privacy breach. Examples may include an employee losing a laptop or e-mailing a sensitive document to the wrong person. However, this type of coverage is not just limited to governmental and healthcare-based privacy breaches. It can also be useful for nongovernmental regulations that intersect with the payment card industry and are subject to PCI standards.
- Liability coverage: This type of coverage protects the policyholder and any insured individuals from the risks of liabilities that are a result of lawsuits or similar claims. Put simply, if you’re sued for claims that come within the coverage of the insurance policy, then this type of coverage will protect you. There is a range of types of cyber insurance liability coverage, which include:
  - Privacy liability: This applies to the costs of defense and liability when there has been a failure to stop unauthorized use/access of confidential information (which may also include the failure of others with whom you have entrusted data). Coverage can also extend to include personally identifiable information and confidential information of a third party.
  - Security liability: On a higher level, this type of coverage applies to the costs of defense and liability for the failure of system security to prevent or mitigate a computer-based cyber attack, which may include the propagation of a virus or a denial of service. An important note – failure of system security also includes failure of written policies and procedures (or failure to write them in the first place) that address secure technology use.
  - Multimedia liability: This type of coverage applies to the defense and liability for a range of illegal activities taking place in an online publication, such as libel, disparagement, misappropriation of name or likeness, plagiarism, copyright infringement, or negligence in content. This coverage extends to websites, e-mail, blogging, tweeting, and other similar media-based activities.
- Cyber extortion: This type of cybercrime event is generally a form of a ransomware attack, in which a cybercriminal keeps encrypted data inaccessible (or, alternatively, threatens to expose sensitive data) unless a ransom is paid. Coverage of this type addresses the costs of consultants and ransoms, including cryptocurrencies, for threats related to interrupting systems and releasing private information.
Cyber Insurance policies are offered by a variety of insurers, and policy prices and exclusions vary widely among different providers.
Do You Actually Need Cyber Insurance?
Technically? Maybe not, in the strictest sense.
That is to say, you may not be required by the law – although certain compliance regulations, depending on the industry, do recommend it.
But otherwise, the decision is likely left up to you, and it’s a decision you’ve made before. Just as you, in theory, don’t have to go to the dentist, you know it’s smart to anyway, right?
It’s possible that you could take care of your teeth so well on your own that you never need help from a professional. But in reality? You’ll probably get a cavity or two, so it’s wise to get a checkup now and then.
The same reasoning applies to Cyber Insurance. Sure, it’s possible that you may never get hit with a data breach, or have an employee mistakenly send sensitive info to the wrong contact, etc.
But, odds are, it’s more likely you’ll need Cyber Insurance in one form or another at some point, which is why it’s wiser to invest now.