Data breaches are in the news … again. While there is no substitute for a strong cybersecurity framework and security controls, cyber insurance often serves as an organization’s last line of defense against the reputational and financial risks of a breach. Yet many organizations don’t have any idea where to begin.
So let’s start with the basics.
Cyber policies provide two main coverage components: first-party coverage and third-party coverage.
First-party coverage protects an association from losses incurred due to a cyber attack. The coverage provides reimbursement for financial losses such as lost income, ransomware demands, required notification costs for those whose data was affected, and costs to restore networks or lost data.
Simply put, this is essentially balance sheet protection.
Third-party coverage is broader than first-party coverage. It extends protection to expenses related to other parties, such as attorney’s fees, damages, or lawsuit settlements. It can also cover an organization if it transmits a virus to another company or person, and can cover regulatory issues.
To research what policies may be available to you, contact your general liability coverage provider. A cyber policy can be added as a basic endorsement to an existing liability policy or can be written as a separate policy. A separate policy generally provides more coverage.
Contrary to popular belief, cyber insurance isn’t just a money pit.
The novelty of cyber insurance means that the market is not yet standardized. This has led some insurers to hide behind vague policy language to avoid paying claims that would bankrupt them or set claim-paying precedents that might run them out of business in the future.
But, in many cases, the brunt of the issue arises due to not fully understanding what the organization’s policy covers and what it excludes.
So how can you get started assessing your current policy to ensure you’re not falling into the typical insurance traps?
You probably have a good sense of the current threats your organization is facing, but it’s also important to consider the industry as a whole.
Ask yourself, “What threats and risks are others in my industry dealing with?” These may align with your original concerns for your own organization, but there may be a few others you haven’t truly identified.
Best practice: Run a Google search to confirm you have a full sense of the threat landscape. News articles, white papers, and industry trend reports are all good sources that may spark a new conversation around your association’s cyber risk.
Once you have a decent list of common threats, assign each of those a risk score (1-10) based on your organization’s exposure. Then, create a short list of the 3-5 threats that most concern you.
This will help you determine exactly what you need most from your insurance policy.
To determine how much insurance coverage you need, it’s important to have a reliable estimate of how much it may cost to remediate various incidents on your own.
The best way to do this is through a business impact analysis (BIA).
A BIA is an exercise used to help organizations understand their recovery and remediation costs. These assessments are often completed as part of a disaster recovery plan where IT security professionals set realistic recovery targets based on their current restoration capabilities and business requirements.
Because BIAs help project downtime losses and recovery costs, they can also ensure you understand just how much cyber insurance your organization needs.
Remember: Business input is important, but don’t let a lack of it delay your BIA. Complete your draft based on your current knowledge of the organization. It’s easier to edit estimates than start from scratch.
Cyber insurance comes in many forms. As such, policyholders must shop around and negotiate to find the coverage that best suits their needs.
Typical problems with cyber insurance are usually due to these 10 issues:
Policies typically offer both first- and third-party coverage for the organization itself and its partners. But some don't. Ensure your policy covers both.
Some policies only cover cases of data misuse (i.e. by a bad actor) and as such, cannot be used if data is only discovered to be lost.
But be aware that data loss is often enough cause for customers to take legal action regardless.
Costs other than the initial fine itself, such as legal costs, are not usually included in the coverage for regulatory infractions.
Make sure you understand your coverage limitations before a claim is made to avoid unnecessary headaches (and unbudgeted costs).
Insurance coverage typically kicks in on the date the policy is signed. But some policies will cover incidents that occurred within the previous year (or longer).
Try to negotiate to have the retroactive date set as far back as possible.
You will need to complete a self-assessment of your security posture. This needs the utmost accuracy, as any mistakes or forgotten information may be held against you during a claim.
Remember: in the future, it is up to you to update your insurer regarding any changes to the original security posture.
Most policies cover third-party legal or technical recovery support, but sometimes there is an approved list of providers you must choose from.
Familiarize yourself with this clause before you need it.
Policies generally agree to cover your organization’s network, but the definition of “your network” is sometimes narrowly defined, potentially excluding remote work, mobile devices, or associated third parties.
If an incident arises from a malicious insider or vendor (i.e. parties you’ve authorized to use your network), your policy may not cover you.
Review your risk tolerance for these types of incidents and decide what coverage you need in place.
In these types of claims, an adjuster will be appointed by the insurer to calculate losses. This may not cover third parties.
Many policies will cap coverage for a given area (e.g. total policy coverage is $3M but only $1M can be used for ransomware). In other cases, a noted exclusion may significantly reduce the policy’s actual usefulness.
Before purchasing, confirm that these caps and exclusions will not interfere with your future claims and reimbursement.
Cyber insurance can be a great addition to an association’s cybersecurity toolbox, but it is only one piece of the puzzle. Other important features of a sound strategy include a plan for continuity of operations, disaster recovery, and active patching.
When procuring cyber insurance, you will likely need to attest to the strength of your full security plan through a self-assessment. As previously mentioned, if that posture lapses or the attestation is otherwise inaccurate, your coverage may be denied and the policy rescinded due to a failure to maintain the conditions under which the insurer agreed to extend coverage.
Some insurers may provide reduced premiums for clients demonstrating mature security programs, but this discount is often small. As such, it’s usually not worth the risk to overstate your security protocols to receive said discount.
Because demand has grown, blanket claim exclusions via conditions-precedent language are fairly uncommon, but it’s still something you should be mindful of before purchasing. Typical claim decisions are made case by case, so you should look ahead to see how your potential insurer handles various issues.
Let’s take a look at a few typical coverages and what you need to know.
War is typically excluded from many policies due to its widespread destruction, as this could potentially bankrupt insurers. Terrorism is sometimes covered, but it is not uncommon for it to be excluded if executed electronically.
And while you may not be worried about becoming a direct victim of either cyber warfare or terrorism, global cyber incidents (like 2017’s NotPetya) show just how quickly such attacks can proliferate beyond their intended target.
Moreover, cyber attacks are impersonal and their origins aren’t always clear. This creates a situation where one might argue that any widespread attack is an act of terrorism or war, especially if there are indications that a government or government-sponsored group is involved.
Ransomware is one of the most popular reasons for acquiring cyber insurance. Which means your premium just went up. By as much as 25%. But new privacy regulations are also affecting premiums, as ransomware infections mean data has been exposed, or exfiltrated outright.
Your insurance policy may need to cover not only the ransom amount, but also the costs of recovery if the hackers fail to make good on unlocking the compromised systems.
Standard liability insurance covers cases where a third party sues an organization for some type of misfortune involving that organization (i.e. negligence).
Cyber liability insurance is used for the same reason (i.e. to cover third-party claims), but in cyber this usually applies to something regarding privacy or network security.
For example, an organization with a mature security program suffers a data breach and sensitive customer records are exfiltrated. The organization had appropriate controls in place, but the attack exploited an unknown security vulnerability.
The organization is liable, but it is not fair to say that negligence occurred. Cyber liability insurance, rather than standard liability insurance, would be used in such cases, as well as in cases where malicious code was unintentionally sent to a third party.
Just like other types of insurance, it’s more than worth it to review your policy and your vendor needs at least once a year to ensure you are still covered against your biggest threats and that your coverage matches your recovery cost estimates.
But with all the information out there, it can feel overwhelming to figure out just what you need from your vendor. That’s why we’ve pulled together a short list of topics you should discuss with your potential vendors before making a final decision.
Once you’ve determined that data has been compromised, you’ll need to investigate what happened, how it happened, and what information was accessed, but this can take up a lot of your time and money. Luckily, some cyber risk policies will cover the expenses you may have when hiring an outside forensic team.
Be sure to ask if your policy covers forensic expenses, as the last thing you need when dealing with a breach is to realize you don’t have the budget to mitigate it.
In order to determine the scope of the federal and state notification requirements, you’ll need legal representation after a breach. You will also need legal counsel to defend you in the event a suit is brought against you.
Does your policy reimburse this? Some of it? None at all?
Notification expenses may include postage, paper, printing, call centers, etc., and while it may not seem like this would be worth a discussion, think again. They really do add up.
Out of compliance with even the smallest of applicable regulations? You better believe the government is coming for you, tooth and nail. Make sure both you and your vendor are aware of policies and regulations before you get started.
While not legally required, it’s generally agreed that offering both credit monitoring and ID theft repair through your vendor can reduce potential legal liabilities. (It’s also best practice.)
How your breach is reported to the media is crucial, both to restore your reputation and to retain your members, customers, vendors, business associates, and partners.
Make sure you check with your vendor to see if they cover some of these expenses. If not, ensure your budget has wiggle room.
It’s not uncommon for class-action lawsuits to be filed following a breach. You will need legal representation (either of your own choice or appointed by the carrier). Either way, coverage can be available for these costs. Check with your vendor.
No. While a few organizations have successfully asserted data breach coverage under their general liability policies, the short answer is that commercial general liability (CGL) policies typically don’t provide such coverage.
The cost of cyber insurance varies based on the types of coverage, data types, and record volume. At the low end simple endorsements may run at $400 per year. Broader independent policies may start at $1,000 per year, but they can be as high as $10,000 for extensive coverage.
Short answer? Yes. Everyone is at risk. 50 to 70% of breaches affect small and mid-sized associations.
Security and protection of your members’ data is still your responsibility. If and when a lawsuit occurs, multiple parties will be named.
Best practice: Ensure your cloud provider has their own insurance, but still ensure your own policies are in place.
Yes. Breaches do not solely target personal information.
Cyber insurance is as dynamic as the companies it protects and is consequently far from standardized. But that doesn’t mean you shouldn’t ensure you have an effective plan in place.
Start by assessing your current plan and adjusting your budget accordingly. Looking for next steps? Check out Cimatri’s security assessment to get the information you need to effectively manage security risks and identify the best cyber insurance for your association.