How To Choose A Cyber Insurance Policy
There is a growing need for Cybersecurity Insurance to mitigate the effects of a cyber-attack. But what should you look for when choosing a policy?
Cybersecurity insurance is fast becoming a key part of an organization’s cybersecurity set up. This is in response to the growth in cyber-attacks, and particularly ransomware attacks—largely catalyzed by an increase in the availability of ransomware—with costs that can easily spiral into the millions.
In the face of these attacks, organizations are looking for assurance that they will be able to ride out the aftermath of a costly breach. Beside adding more tools to a security stack, cyber insurance is giving organizations the peace of mind they need.
Cyber insurance can cover many areas, including loss of profits, the cost of restoring damaged systems, and notifying customers. This financial reimbursement can be a lifeline to organizations who suffer an attack.
Beyond helping your organization economically, cybersecurity insurers will offer technical advice and expertise to ensure your organization is as protected as it can be, and to ensure they don’t need to pay out. Many insurers will also set cybersecurity requirements before they agree to insure you. This means that once you have an insurance policy, you will be doubly protected – less chance of being attacked, and reimbursement if an attack does occur.
So, what do you need to know – and what should you think about – before investing in a cybersecurity insurance solution?
Who Needs A Cybersecurity Insurance Solution?
There is a case to be made that every organization that has digital systems should have cybersecurity insurance. If you have physical premises, you will have property insurance, so why not cyber insurance to cover your digital assets? So, the simple answer is that all organizations should have cybersecurity insurance.
The more complicated answer requires us to ask a different question. Rather than asking who needs insurance (everyone), ask at what point you need insurance. If you are a new company with very few assets and little exposure, then cybersecurity insurance might not be at the top of your list. If you have a large network of customers and clients – with personal data that can be stolen – you should consider getting insurance. If your organization works with industry- or market-sensitive information, you should think about cybersecurity insurance.
The question you need to ask is: would your organization be able to recover from a cyber-attack without insurance?
If you do not think that your organization has the technical and economic resources to manage the fall out of a cyber-attack, cybersecurity insurance could be the solution to provide that confidence. If you think your organization can cope with a cyber-attack, I’d refer you to the fact that 83% of organizations have had more than one data breach, and that the average total cost of a breach in USD $4.35M. There are very few organizations able to ride this out.
What To Look For In A Cybersecurity Insurance Provider
Cybersecurity insurance is tailored to provide an appropriate fit for individual organizations. This means that whatever your size or industry, there will be a provider to suit you. It is important to identify what your organization’s exposure is, and the cover that you need. This ensures that you find a policy that is appropriate for you, and that you are paying for what you need.
However, there are some key considerations you should make when looking for an insurance provider:
1. Partnership
Rather than thinking of cybersecurity insurance as a standalone policy that you should incorporate into your setup, think of it as a partnership between your organization and the insurance provider. It is in both of your interests to prevent a cyber incident from occurring – for you, so that you don’t suffer a breach, lose data or money; and for your provider, so they don’t have to pay out.
By ensuring that your insurer understands your organization, you can be assured that their cover is appropriate for your organization, and that any vulnerabilities are covered. You can make the most of their in-house experts who will be able to advise you on how to best implement cybersecurity tools and develop best practice policies and playbooks for how to respond during an attack.
Through building a strong relationship, you will also ensure that you have cover in the right areas. For example, if you operate in the accounting sector, your organization may need cover regarding the Financial Accounting Standards Board (FASB) or Generally Accepted Accounting Principles (GAAP) regulation. And if you operate in Europe, or work with any partners or customers based in Europe, you may need cover in the event of a GDPR breach.
The level of in-house expertise that insurance providers have can be an invaluable resource for your organization – particularly if you don’t have an extensive cybersecurity or IT team. Insurers can inform you of recent cyber-attacks and suggest how specific tools should be implemented. This intelligence ensures that your organization is ready to respond to the latest threats and attack trends.
While the onus is on your organization to protect itself, implementing effective security measures is in the interests of your insurer, too. Through an ongoing conversation, you can ensure your organization is doing everything in its power to protect yourself from the latest threats.
The Bottom Line: cyber-security insurance is not just a policy that you take out, but is an ongoing relationship between organization and provider.
2. Coverage
Perhaps the most obvious, and most relevant, aspect of a cybersecurity insurance is the areas in which you will be insured. Depending on your organization, the areas where you will need cover, and the level of this cover, will differ. Common areas covered by insurance providers include:
- Business interruption caused by cyber-attack, human error, programming error or network security failure
- Data loss
- PR, cost of notification and reputation recovery
- Legal costs, this includes contractual indemnity
- Expenses incurred by regulatory investigations
- Network or data extortion / ransomware
- Liability due to personally identifiable information (PII) breach
Depending on the depth of your internal security infrastructure, you may require different levels of research and forensic investigation from your insurance. Ensuring that you, or your insurer, can investigate an attack and gain intelligence regarding attack pattern is essential – even for attacks that are successfully thwarted. This information will allow you to configure your security tools effectively and ensure you do not become the victim of a follow up attack. The battle against cybercrime is an ongoing one.
Organizations that hold customer data will need to check what cover their insurer provides. Some organizations have data on a large number of customers that could be an attractive target for attackers. Equally, organizations that have a deep level of information (such as healthcare or financial sectors) need enhanced protection too. There are often additional regulations for these sectors, with some insurers providing cover for any fines or penalties, and court costs associated with this. Essentially, any organization that holds PII could come under pressure in the aftermath of an attack.
It is also worth considering whether your organization requires first-party or third-party coverage, or both. This depends on your organization, your sector, and the threats that your network faces. Broadly, first party insurance covers the costs that affect your organization directly – forensic investigation, cyber extortion, PR and notification – while third-party covers legal costs in defending yourself in the aftermath of a security breach.
The Bottom Line: make sure your insurer provides coverage for the things you need.
3. Qualification
Cybersecurity insurance providers will not automatically insure every organization that looks for cover, but will expect them to have a minimum level of existing cybersecurity infrastructure. Before providing cover, insurers will conduct a risk assessment to identify attack surface, vulnerabilities, and exposure. This will inform the providers decision to insure your organization, the value of cover, and the cost of premiums.
In this risk assessment, insurance providers will want to ensure that your organization takes cybersecurity seriously. They will want to see that you have a broad range of cybersecurity tools that effectively secure your network and reduce any vulnerabilities. Your security tools will need to be effectively integrated and configured, to ensure that remediation can happen effectively and efficiently, thereby reducing attack remediation time (dwell time).
To learn more about how to qualify for cybersecurity insurance, we’ve written an article dedicated to that topic:
How To Qualify For Cybersecurity Insurance
As well as having the technical infrastructure to secure your network, insurers will want to ensure that your organization has relevant logical policies in place. In the aftermath of an attack, it is important that you have procedures in place so that your response can be effective and accurate – this extends from technical response to media management and customer notification. Insurance providers will be able to advise on this – another reason why building a good partnership is important.
Some insurance providers will have established relationships with cybersecurity providers and tools. In these instances, if you have already invested in an alternative solution, that does not mean you cannot be covered, but you will need to prove that the feature-set is matched. It is worth checking with various insurers to ensure the application procedure is as streamlined as possible.
Before you commit to a cybersecurity provider, it is worth understanding what an insurer expects from you. Do you already have the relevant cybersecurity tools in place, or will your organization need to invest significantly in new infrastructure? Does the insurer specialize in any particular area or sector?
The Bottom Line: the best thing that you can do to qualify for cybersecurity insurance is to prove to insurers that you have thought about the potential risks, and taken steps to mitigate this.
4. Premiums
How much is this insurance going to cost you each month? While the cost of a premium is unlikely to dissuade you from investing in a cyber insurance, it might dissuade you from investing in a particular one.
As cybersecurity insurance is a relatively new market, there is a degree of instability and change around the cost of premiums. Q3 in 2022 saw an average price increase of 66%, down from a 102% year-on-year increase in Q1. This indicates that cost of insurance is beginning to flatten, even if the increases are still large. It is worth factoring the possibility of future increases into your yearly plans.
Before deciding on an insurer, you’ll need to find the balance between cost per month, probability of being attacked, and the compensation value post attack, for your organization. This is a decision that only you can make, and is completely dependent on your sector, your organization, and its needs. It is worth speaking with several insurance providers to see how their premiums and coverage affects this balance.
We have already touched on the expectations that insurers place on your organization before offering coverage. Some cybersecurity insurance providers will offer lower premiums for organizations that can demonstrate they are less likely to suffer an attack. By ensuring that you enforce MFA on all accounts, that employees complete security awareness training, and your endpoints are protected, you can improve your security posture drastically.
It is not about finding an insurer who offers the lowest premiums – they need to offer premiums that represent good value for money. If the premium is low, but so too is the value of coverage, isn’t not an effective investment. You want to ensure that your cybersecurity insurance policy is an asset, rather than being a necessary “tick-box” exercise.
The Bottom Line: cybersecurity insurance premiums can be expensive, so look for ways to decrease this amount, and ensure you get good value from your investment.
5. First-Party Or Third-Party Or Both
First-party cybersecurity insurance covers your organization’s assets. Where your organization loses money directly, or indirectly, this types of insurance can provide economic compensation. Common areas covered by first-party insurance include:
- Loss of earnings or data
- Intellectual property
- Business downtime
- Reputational damages
- Customer notification
Third-party cybersecurity insurance (also known as cyber liability insurance) covers the assets of others. In instances where vendor, supplier or customer data is stolen from your organization, third-party insurance will cover the legal costs of resolution. This may include:
- Investigation costs
- Legal defence
- Civil damages
- Compensation
The Bottom Line: ensure your cybersecurity insurance policy covers the things you need it to cover.
Summary
Whenever you add a new component to your security set up, it’s important to take the decision seriously, and consider how good a fit it is for your organization. We’ve considered some of the key things to think about in this article, but now it’s up to you. Ask yourself what risks your organization faces, what is already being done to mitigate them, and what more can be done.
Ultimately, if you can concisely explain why your organization needs cybersecurity insurance, you are well on the way to finding a solution that suits your business.