With the increased penetration of the internet, digital banking transactions and social media, everyone, individuals and organizations alike, is exposed to numerous cyber-attacks, often without knowing it. Such incidents can range from cyber stalking to data theft and even misuse of your financial information. Hence, there is an ever-increasing need for protection against such potential cyber risks and threats.
While cyber insurance is unable to protect you from cybercrime, it keeps you and your business on a stable financial footing in the event of a cyber security incident. Technology now plays an important role in how organizations conduct business and reach out to customers.
Whether launched by nation states or run-of-the-mill criminals, hackers and insiders, cyber-attacks can cause severe losses to small as well as large organizations. Organizations routinely decide whether to transfer, control, accept or avoid risks as part of their risk management plan. Cyber insurance comes into play here as a means of transferring risk.
Also referred to as CLIC (cyber liability insurance coverage) or cyber risk insurance, a cyber insurance policy is designed to help an organization mitigate its risk exposure by offsetting the costs involved in recovery after a cyber security breach. Rooted in E&O (errors and omissions) insurance, cyber insurance began catching on in 2005, and it was forecast that by 2020 the total value of premiums may potentially reach $7.5 billion. Some type of cyber insurance is claimed by one third of the companies in the United States, according to PwC data.
It is evident from the numbers that organizations are widely realizing the need for cyber insurance and seeking it out. But the question arises: what does cyber insurance really cover? Typically, it covers any expenses related to the first parties involved and any claims made by third parties. Though there is no set standard followed when writing these policies, the common reimbursable expenses are listed below:
1. Investigation – A forensic investigation is necessary to determine what occurred and how the damage may be repaired, and to advise on measures for preventing a similar breach in the future. Such investigations may involve coordination with the cybercrime branch, law enforcement authorities and the services of a third-party security firm.
2. Business Losses – A cyber insurance policy may include items similar to those covered by an E&O policy (errors committed due to negligence or other underlying reasons), as well as monetary losses due to network downtime, business interruption, data recovery and crisis management costs, which may involve repairing reputation damage.
3. Extortion and Lawsuits – This includes legal expenses arising from the release of intellectual property and confidential information, regulatory fines and legal settlements. It may also include costs related to cyber extortion, for instance those due to ransomware.
4. Privacy and Notification – This includes credit monitoring for customers whose data has or may have been breached, and data breach notifications to affected parties including customers, which are mandated by law in most jurisdictions.
It must be noted that cyber insurance is still evolving. The risks related to cyber security change frequently, and organizations often refrain from reporting the complete impact of a breach in order to avoid negative publicity and damage to customer trust. Thus, underwriters have limited data on which to base their estimates of the financial impact of such attacks.
Experts advise that, for better risk management, cyber insurance be incorporated into every product line the business insurer has. However, as with any other business insurance, the coverage provided by cyber insurance is limited by individual needs and hence varies by insurer and policy.
When comparing policies among insurers, find out whether all the items listed above are covered, and clarify whether the following limits and special circumstances are included.
Does the company offer one or more types of cyber insurance policy, or is the coverage essentially a simple extension of an existing policy? In most cases, a standalone policy provides a better and more comprehensive solution. Also inquire whether customized solutions are available to suit the organization's needs.
Compare deductibles closely among insurers, just as you would when comparing any facility, vehicle or health policy.
How do the limits and coverage apply to the first as well as the third party involved? For instance, are third-party service providers covered by the policy? On the same note, also inquire whether the third party has its own cyber insurance and how that can affect your agreement.
Does the policy cover only attacks targeted specifically against the organization, or does it also include any attack the organization may fall victim to?
Does the policy take an employee's non-malicious actions into consideration? This applies to cyber insurance just as it does to E&O coverage.
Does the policy cover social engineering as well as network attacks? Social engineering plays a role in all kinds of attacks, including APTs (advanced persistent threats), spear phishing, etc.
Is there a time frame within which the coverage applies? This matters because APTs usually take place over time, ranging from a few months to years.