Cyber insurance is an unconventional insurance product in the sense that most cyber products today are a combination of first- and third-party coverage, thereby crossing borders of multiple lines of business. It also makes it harder to understand and compare various products on the market.
Determining the appropriate cyber insurance coverage might be a tricky task though, and with the plethora of different cyber insurance products available with widely varying covers, terms and conditions, it can become downright daunting. In this article, I will explain some of the considerations every cyber insurance buyer should keep in mind.
It all starts with you!
Understanding your needs is where you always should start. All organisations are different, and what works for one company may not make any sense at all for another. Therefore, you should start by identifying what your crown jewels are: data, applications and processes that are business critical or sensitive, and therefore should be safeguarded.
Easier said than done, but without this knowledge it’s impossible to protect yourself. If you don’t even know what assets you have, you can rest assured you don’t know how to protect them either! Once you know what your weak points are, you should look into what the loss of these crown jewels would mean to you.
This understanding is also key input for the insurer. Insurers are much more likely to provide you with a reasonably priced cyber policy if you can show that your organisation understands its strengths and weaknesses well and is adequately protected.
The bread and butter of today’s cyber policies are Incident Response, Restoration and Business Interruption covers. They would cover containment and mitigation of security incidents, as well as any loss of income caused by malicious and non-malicious cyber events, respectively.
Malicious cyber events caused by external entities are colloquially known as cyber attacks. These attacks may use a combination of tools ranging from malware and exploitation of unpatched vulnerabilities in the target’s systems to social engineering and phishing. The motive is usually to steal information or extort the target for money.
Of course, the malicious actor is not always an external party. According to some studies, more than 50% of all data breaches (and for instance Insider Threat Report 2019 by Verizon claims a whopping 57%) are carried out by malicious insiders. So, it is good to make sure that your policy would also respond to insider jobs in an expected manner.
The cover purchased should be driven by your needs. Ask yourself which of the cyber event consequences would have the biggest financial impact on your business. For many businesses, business interruption is the main concern, so make sure you get this cover right.
Most cyber insurance products also contain one or more third-party covers for claims against your organisation. The most typical ones are
- Confidentiality Liability, indemnifying losses of confidential or personal information
- Network Security Liability, protecting you against claims from third parties for their losses caused by your network or security incidents
- Media Liability, that protects your online activities from liability claims (e.g. defamation, copyright infringements and privacy breach).
Another typical third-party cover is PCI-DSS, which should be considered whenever your business accepts payment card transactions. It will provide indemnification in case of failure to comply with PCI-DSS regulations, re-certification costs and so on.
As with most insurance offerings, the main feature of cyber insurance is obviously the financial indemnification in case of a loss. However, when choosing a cyber insurance for your organisation, the value of the add-on services might also be significant. The add-on services range from cybersecurity assessments and security consultancy to discounts on third-party services or products.
Also, the post-claim services, such as the expert help you can get through the insurer when something unexpected hits you, should not be underestimated. Even if your organisation is well enough resourced to deal with regular day-to-day security incidents, a large-scale cyber incident – be it malicious or non-malicious in nature – may require considerably more resources than you are able to deploy in-house at very short notice.
Most cyber insurance offerings will instantly give the insured access to various expert services ranging from legal help to reputation management consultants, but perhaps most importantly cybersecurity consultants that are experts in cyber incident containment, coordination and attribution. The service providers should be reputable names in your area and have the ability to deliver support when you need them.
You should also pay attention to the deductible applicable to using post-claim services. Some of the best services in the market will give you the first 24/48/72 hours of incident response with zero deductible, lowering the threshold to access these services. As is well known, ‘time is of the essence’ in any incident response. Therefore, engaging these services early in the incident can potentially reduce the total impact immensely.