Cybersecurity: Cyber Insurance

Posted on 05.08.17

Cyber-insurance is a relatively new line of insurance that helps companies mitigate the risk of financial loss from a cyber-attack.  A cyber-attack can cause financial loss in a number of ways, most of which are insurable; some, however, generally are not.

Although cyber-insurance has existed in some form for over a decade, it lacks the standardization that consumers have come to expect from many other insurance products.  As a result, it is critical to consult a knowledgeable broker who will take the time to understand your business and technology risks, so that a properly tailored policy can be crafted with the types and amounts of coverage you need.  A broker who is eager to quote you a price without first understanding your needs is probably the wrong broker.

Examples of Types of Loss from Cyber-Attacks

Source of Loss                                      Insurable?
--------------------------------------------------  ----------
Ransoms paid                                        Yes
Lost revenue due to downtime                        Yes
Cost of consultants hired to restore systems        Yes
Attorney's fees                                     Yes
Cost of credit monitoring services purchased        Yes
Legal settlements or court-ordered damages          Yes
Crisis management consultants                       Yes
Funds stolen through wire fraud                     Yes
Funds stolen through compromised accounts           Yes
Lost revenue due to lost customer confidence        No
Lost revenue due to the loss of key salespeople     No
Reduced business value due to brand damage          No


Insurance policies use language with very specific legal meanings.  It is therefore also important to retain a cybersecurity attorney to review your policy and act as your advocate as you negotiate its specific terms.  Without an attorney's assistance while the policy is being formed, you may later find yourself facing off with your insurance company in a legal battle you are likely to lose.

For example, an attorney will make sure your policy adequately features both first-party and third-party coverage.  First-party coverage pays your own costs of responding to and recovering from a breach.  Third-party coverage generally pays the costs you incur when you are sued as a result of a breach.  For any breach, you are almost certain to incur direct damages and therefore to have a first-party claim.  You are less likely to be sued as a result of a breach than to incur direct damages; the cost of being sued, however, is potentially much greater than the direct damages.

An attorney can also help you establish a retroactive date for your policy.  A retroactive date extends coverage to incidents that occurred on or after that date, even if they are not discovered until the policy is in force.  This feature addresses the situation where a breach has already occurred but you have not yet discovered it.  Policy holders request it because attacks are often not discovered until well after they occur, by which time the thieves have absconded with and sold the data.  Merchants such as hotels and fast-food restaurants frequently don't realize they've been hacked until they are notified by the credit card companies, who have performed forensic analysis of fraud reports on card charges.

Finally, it is critical to comply with the terms of your coverage.  When you obtain a cyber-insurance policy, you are likely to make representations to the insurance company about the state of your cyber defenses, such as having an incident response plan, using strong passwords, or keeping software up to date.  If you suffer a breach and the insurance company discovers that you misrepresented the defenses you had in place, it may deny your claim, as happened to Cottage Health System.[1]

Actionable Steps

  • Identify a trustworthy broker who will take time to understand your needs and has cyber-insurance experience.
  • Identify a competent attorney who can review your policy and help negotiate language and coverage with the broker.
  • Comply with the terms of your policy.
  • Try to establish a retroactive date of at least one year before the policy's inception.

The content in this article covers just one of the cybersecurity issues that small to mid-size businesses need to address.  Download the entire whitepaper below for additional cybersecurity suggestions.

Download Whitepaper


The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

Posted by: Christopher Moschella, CPA, CISA

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog