Rick Bawcum, CEO, CIMATRI
Data breaches are in the news … again. While there is no substitute for a strong cybersecurity framework and security controls, cyber insurance often serves as an organization’s last line of defense against the reputational and financial risks of a breach. Yet many organizations don’t have any idea where to begin.
So let’s start with the basics.
What is Cyber Insurance?
Cyber risk insurance provides certain protections for recovering from cyber-related events.
Data breaches and personal information theft are simply one segment of cyber risk.
Cyber policies provide two main coverage components:
- First-party coverage
If the organization suffers financial damage, like lost income, an extortion demand, required notification costs (or credit monitoring costs), or network / data restoration costs, the insurer will reimburse the company for the damages sustained.
Simply put, this is essentially balance sheet protection.
- Third-party coverage
This coverage provides defense costs (i.e. attorney’s fees), damages, and settlements for claims and lawsuits brought against the organization as a result of errors, security failures, and other incidents, such as employee or privacy violations, transmission of a virus to another party, or regulatory actions.
Cyber policies can either be purchased as a basic endorsement added onto a general liability policy, providing limited coverage, or as a stand-alone policy, which provides significantly broader coverage.
Types of claims covered:
- Extortion and ransomware attacks
- Virus infections of computer systems
- Distributed Denial of Service (DDoS) attacks
- Data breaches and clerical errors
- Improper privacy policies
- Data collection practices
- Virus and malware transmissions
How Can I Assess My Current Policy?
Contrary to popular belief, cyber insurance isn’t just a money pit.
The novelty of cyber insurance means that things are not yet standardized. This has led some insurers to hide behind vague policy language to avoid paying claims that would bankrupt them or set claim-paying precedents that might run them out of business in the future.
But, in many cases, the brunt of the issue arises due to not fully understanding what the organization’s policy covers and what it excludes.
So how can you get started assessing your current policy to ensure you’re not falling into the typical insurance traps?
Start by assessing the threat landscape.
You probably have a good sense of the current threats your organization is facing, but it’s also important to consider the industry as a whole.
Ask yourself “What threats and risks are others in my industry dealing with?” This may align with your original concerns for your own organization, but there may be a few others you haven’t truly identified.
Best practice: Run a Google search to confirm you have a full sense of the threat landscape. News articles, whitepapers, and industry trend reports are all good sources that may spark a new conversation around your association’s cyber risk.
Once you have a decent list of common threats, assign each of those a risk score (1-10) based on your organization’s exposure. Then, create a short list of the 3-5 threats that most concern you.
This will help you determine exactly what you need most from your insurance policy.
Estimate the possible remediation costs.
To determine how much insurance coverage you need, it’s important to have a reliable estimate of how much it may cost to remediate various incidents on your own.
The best way to do this is through a business impact analysis (BIA).
A BIA is an exercise used to help organizations understand their recovery and remediation costs. These assessments are often completed as part of a disaster recovery plan where IT security professionals set realistic recovery targets based on their current restoration capabilities and business requirements.
Because BIAs help project downtime losses and recovery costs, they can also ensure you understand just how much cyber insurance your organization needs.
Remember: Business input is important, but don’t let a lack of it delay your BIA. Complete your draft based on your current knowledge of the organization. It’s easier to edit estimates than start from scratch.
Overcome typical insurance pitfalls.
Cyber insurance comes in many forms. As such, policyholders must shop around and negotiate to find the coverage that best suits their needs.
Typical problems with cyber insurance are usually due to these 10 issues:
- Unstandardized products
Policies typically offer both first- and third-party coverage for the organization itself and its partners. But some don’t. Ensure your policy covers both.
- Data loss isn’t the same as data misuse
Some policies only cover cases of data misuse (i.e. by a bad actor) and as such, cannot be used if data is only discovered to be lost.
But be aware that data loss is often enough cause for customers to take legal action regardless.
- Regulatory fines vs associated costs
Costs other than the initial fine itself, such as legal costs, are not usually included in the coverage for regulatory infractions.
Make sure you understand your coverage limitations before a claim is made to avoid unnecessary headaches (and un-budgeted costs).
- Know the retroactive date
Insurance coverage typically kicks in the date the policy is signed. But some policies will cover incidents that occur within the previous year (or longer).
Try to negotiate to have the retroactive date set as far back as possible.
- Errors and omissions
You will need to complete a self-assessment of your security posture. This needs the utmost accuracy, as any mistakes or forgotten information may be held against you during a claim.
Remember: in the future, it is up to you to update your insurer regarding any changes to the original security posture.
- Third-party stipulations
Most policies cover third-party support for legal or technical recovery support, but sometimes there is an approved list of options you must choose from.
Familiarize yourself with this clause before you need it.
- Mobile, third-parties, and the network
Policies generally agree to cover your organization’s network, but the definition of “your network” is sometimes narrowly defined, potentially excluding remote work, mobile devices, or associated third parties.
- Insider and vendor incidents
If an incident arises from a malicious insider or vendor (i.e. parties you’ve authorized to use your network), your policy may not cover you.
Review your risk tolerance for these types of incidents and decide what coverage you need in place.
- Business interruption coverage
In these types of claims, an adjuster will be appointed by the insurer to calculate losses. This may not cover third parties.
- Coverage caps
Many policies will cap coverage for a given area (e.g. total policy coverage is $3M but only $1M can be used for ransomware). In other cases, a noted exclusion may significantly reduce the policy’s actual usefulness.
Before purchasing, confirm that these caps and exclusions will not interfere with your future claims and reimbursement.
Remember: insurance isn’t a get out of jail free card.
Cyber insurance can be a great addition to an association’s cybersecurity toolbox, but it is only one piece of the puzzle. Other important features of a sound strategy include a plan for continuity of operations, disaster recovery, and active patching.
When procuring cyber insurance, you will likely need to attest to the strength of your full security plan through a self-assessment. As previously mentioned, if this state lapses or is otherwise inaccurate, your coverage may be denied and the policy rescinded due to a failure to maintain the conditions under which the insurer agreed to extend coverage.
Some insurers may provide reduced premiums for clients demonstrating mature security programs, but this discount is often small. As such, it’s usually not worth the risk to overstate your security protocols to receive said discount.
What Types of Policies Are There?
As demand for cyber insurance has grown, blanket claim exclusions via conditions-precedent language have become fairly uncommon, but it’s still something you should be mindful of before purchasing. Claim decisions are typically made case by case, so you should look ahead to see how your potential insurer handles various issues.
Let’s take a look at a few typical coverages and what you need to know.
Cyber warfare and terrorism coverage
War is typically excluded from many policies due to its widespread destruction, as this could potentially bankrupt insurers. Terrorism is sometimes covered, but it is not uncommon for it to be excluded if executed electronically.
And while you may not be worried about becoming a direct victim of either cyber warfare or terrorism, global cyber incidents (like 2017’s NotPetya) show just how quickly such attacks can proliferate beyond their intended target.
Moreover, cyber attacks are impersonal and their origins aren’t always clear. This creates a situation where one might argue that any widespread attack is an act of terrorism or war, especially if there are indications that a government or government-sponsored group is involved.
Ransomware is one of the most popular reasons for acquiring cyber insurance, which means your premium just went up, by as much as 25%. New privacy regulations are also affecting premiums, since a ransomware infection means data has been exposed and/or exfiltrated outright.
Your insurance policy may need to cover not only the ransom amount but also the costs of recovery if the hackers fail to make good on unlocking the compromised systems.
Cyber Liability Insurance
Standard liability insurance covers cases where a third party sues an organization for some type of misfortune involving that organization (i.e. negligence).
Cyber liability insurance is used for the same reason (i.e. to cover third-party claims), but in cyber this usually applies to something regarding privacy or network security.
For example, an organization with a mature security program suffers a data breach and sensitive customer records are exfiltrated. The organization had appropriate controls in place, but the attack exploited an unknown security vulnerability.
The organization is liable, but it is not fair to say that negligence occurred. Cyber liability insurance, rather than standard liability insurance, would be used in such cases, as well as in cases where malicious code was unintentionally sent to a third party.
What Should I Look for in a Vendor?
Just like other types of insurance, it’s more than worth it to review your policy and your vendor needs at least once a year to ensure you are still covered against your biggest threats and that your coverage matches your recovery cost estimates.
But with all the information out there, it can feel overwhelming to figure out just what you need from your vendor. That’s why we’ve pulled together a short list of topics you should discuss with your potential vendors before making a final decision.
- Forensic expenses
Once you’ve determined that data has been compromised, you’ll need to investigate what happened, how it happened, and what information was accessed, but this can take up a lot of your time and money. Luckily, some cyber risk policies will cover the expenses you may have when hiring an outside forensic team.
Be sure to ask if your policy covers forensic expenses, as the last thing you need when dealing with a breach is to realize you don’t have the budget to mitigate it.
- Legal expenses
In order to determine the scope of the federal and state notification requirements, you’ll need legal representation after a breach. You will also need legal counsel to defend you in the event a suit is brought against you.
Does your policy reimburse this? Some of it? None at all?
- Notification expenses
These expenses may include postage, paper, printing, call centers, etc., and while it may not seem like this would be worth a discussion, think again. They really do add up.
- Regulatory fines and penalties
Out of compliance with even the smallest of applicable regulations? You better believe the government is coming for you, tooth and nail. Make sure both you and your vendor are aware of policies and regulations before you get started.
- Credit monitoring and ID theft repair
While not legally required, it’s generally agreed that seeking both credit monitoring and ID theft repair with your vendor can reduce potential legal liabilities. (It’s also best practice.)
- Public relations expenses
How your breach is reported to the media is crucial, both to restore your reputation and to retain your members, customers, vendors, business associates, and partners.
Make sure you check with your vendor to see if they cover some of these expenses. If not, ensure your budget has wiggle room.
- Liability and defense costs
It’s not uncommon for class action lawsuits to be filed following a breach. You will need legal representation (either of your own choice or appointed by the carrier). Either way, coverage can be available for these costs. Check with your vendor.
Is cyber risk covered by general liability insurance?
No. While there have been a few cases where organizations have successfully claimed data breach coverage under their general liability policies, the short answer is that commercial general liability (CGL) policies typically don’t provide such coverage.
How much does cyber insurance cost?
It depends on the limits and coverage chosen, as well as the type of data and number of records, but it’s not as expensive as you may think. Simple endorsements can cost as little as $400 per year with broader stand-alone policies starting at $1K, working their way to over $10K depending on the risk profile.
Do breaches affect smaller organizations?
Short answer? Yes. Everyone is at risk. 50 – 70% of breaches affect small and mid-sized associations.
We use a third-party provider, do we need insurance?
Security and protection of your members’ data is still your responsibility. If and when a lawsuit occurs, multiple parties will be named.
Best practice: Ensure your cloud provider has their own insurance, but still ensure your own policies are in place.
We don’t store personal information, do we still need coverage?
Yes. Breaches do not solely target personal information.
The Wrap Up
Cyber insurance is as dynamic as the companies it protects and is consequently far from standardized. But that doesn’t mean you shouldn’t ensure you have an effective plan in place.
Start by assessing your current plan and adjusting your budget accordingly. Looking for next steps? Check out CIMATRI’s cyber risk assessment here.