Cybersecurity: Cyber Insurance
Posted on 05.08.17
Cyber-insurance is a relatively new type of insurance to help companies mitigate the risk of financial loss originating from a cyber-attack. A cyber-attack can cause financial loss in a number of ways, most of which are insurable. Some, however, are generally not.
Although cyber-insurance has existed in some form for over a decade, it lacks the standardization that consumers have come to expect in many insurance products. As a result, it is critical to consult a knowledgeable broker who will take time understand your business and technology risks so a properly tailored policy can be crafted with the types and amounts of coverage you need. A broker who is eager to quote you a price without taking the time to understand your needs is probably the wrong broker.
Examples of Types of Loss from Cyber-Attacks
|Source of Loss||Insurable?|
|Lost revenue due to downtime||Yes|
|Cost of hired consultants to manage restore systems||Yes|
|Cost of credit monitoring services purchased||Yes|
|Legal settlements or court ordered damages||Yes|
|Crisis Management Consultants||Yes|
|Funds stolen through a wire fraud||Yes|
|Funds stolen through compromised accounts||Yes|
|Lost revenue due to lost customer confidence||No|
|Lost revenue due to the loss of key sales people||No|
|Reduced business value due to brand damage||No|
Many insurance policies use language that has very specific meanings. It is therefore also important to retain a cybersecurity attorney to review your policy and be your advocate as you negotiate specific items in your policy. Without an attorney’s assistance during the formation of your policy, you may find yourself facing off with your insurance company in a losing legal battle.
For example, an attorney will make sure your policy adequately features both 1st party coverage and 3rd party coverage. 1st party claims cover your costs associated with responding and recovering from the breach. 3rd party claims are generally the costs incurred when you are sued as a result of a breach. For any breach, you are almost certain to directly incur damages and therefore have a 1st party claim. You are less likely to be sued as a result of a breach than incur damages; however, the cost from being sued is potentially much greater than direct damages.
An attorney can also help you establish a retroactive date for your policy effectiveness. This policy feature can help account for the situation where a breach has occurred, and you have not yet discovered it. Some policy holders request this feature with appreciation of the fact that attacks are sometimes not discovered until well after they occur and the thieves have absconded with and sold the data. Merchants, such as hotels and fast food restaurants, frequently don’t realize they’ve been hacked until they are notified by the credit card companies who have performed forensic analysis of fraud reports of card charges.
Last, it is incredibly important to comply with the terms of your coverage. When you obtain a cyber-insurance policy, you are likely to make representations to the insurance company about the state of your cyber defenses, including such functions as having an incident response plan, using strong passwords, or keeping software up-to-date. If you suffer a breach, and the insurance company discovers you misrepresented the cyber defenses you have in place, they may deny your claim, as happened to Cottage Health System.
- Identify a trustworthy broker who will take time to understand your needs and has cyber-insurance experience.
- Identify a competent attorney who can review your policy and help negotiate language and coverage with the broker.
- Comply with the terms of your policy.
- Try to establish a 1 year retroactive date.
The content in this article covers just one aspect that small to mid-size businesses need to address for Cybersecurity. Download the entire whitepaper below to access additional Cybersecurity suggestions.