The Increased Importance of Cyber Security Insurance

Author:  Zac Blanco, CPA, CFE | Business Assurance & Advisory Services Manager | Emerging Business Team

For decades, businesses have been protecting themselves with insurance that has traditionally been focused on commercial general liability policies.  When cyber security breaches occur, policyholders instinctively turn to their commercial general liability policy and expect coverage.  Insurers, however, have taken the position that these policies do not cover cyber-attacks and the courts tend to agree.  With the new age of cyber threats, companies have been forced to shift their focus to cyber security insurance policies.  These policies protect companies from internet-based risks relating to information technology infrastructure and information assets that the traditional commercial general liability and worker’s compensation policies do not cover.  With the highly publicized cyber breaches during 2014 and 2015, executives and boards are finally realizing how deeply these breaches can impact an organization.

Companies are becoming increasingly dependent on their informational assets, while at the same time these assets are becoming the primary target of attack.  According to the Identity Theft Resource Center, as of June 23, 2015, 380 reported cyber breaches in the U.S. resulted in the exposure of 117.4 million records. The majority of these breaches targeted smaller companies who are often more vulnerable to attacks due to these companies not investing in employee training or company policies for cyber protection. Symantec reported in its 2014 Internet Security Threat Report that small (250 employees or fewer) to mid-sized (251 to 2,500 employees) businesses have seen huge spikes in cyber attacks.

“the human factor” remains “the weakest link
in relation to [cyber] security.”

In a 2012 study on cyber security mistakes, KPMG found that “the human factor” remains “the weakest link in relation to [cyber] security.” Hackers readily overcome firewalls and other safeguards largely by focusing their efforts on employees who are not educated on the risks.

One of the ways companies mitigate the fallout from these attacks is cyber liability insurance.  In the probable event that business data is destroyed, stolen, hacked, extorted, or compromised, cyber insurance benefits aid in minimizing and indemnifying companies for losses to others.

Purchasing proper insurance coverage requires a thorough understanding of the organization’s risk factors such as, number of customers and transactions, industry regulations, value of intellectual property, and potential for lawsuits.  These factors can be analyzed internally or can be provided during a security audit by a third party or the insurance company holding the policy.  Typical policy benefits include post incident public relations, customer credit monitoring services, investigative expenses, and criminal reward funds.  What companies need to realize is that they may still incur damages from the long term effects such as loss of customers, lawsuits, and damage to their brand and reputation.

Two standard insurance policy coverage variations are:

• First-party insurance coverage, which typically covers damage to digital assets, business interruptions, forensic investigations, customer notification, credit monitoring, public relations, criminal reward funds, and sometimes, reputational harm.
• Third-party insurance coverage, which typically covers liability and the costs of legal defense, settlements, damages, judgments related to the breach, and regulatory fines.

Cyber security threats are so broad that the cost of protecting against them all would be excessive. A recommended approach is to identify and secure the company’s primary and critical digital assets, then quantify and insure the remaining risk.

Unfortunately, some organizations, especially small and midsize business gain a false sense of security from cyber insurance and fail to implement the technology, process, and training components essential to a comprehensive cyber security program. Cyber insurance is only one factor in managing and mitigating risk.  Companies still need to implement a strong security program with continuous monitoring to compliment these cyber insurance policies.  The cost of these programs plus purchasing insurance is still going to be significantly less expensive than putting out fires after a lax security program resulted in a breach.