Cyber Insurance: Risk vs Reward

Oliver Sears

Technology, social media and business transactions over the internet are key for the success of most organizations in terms of conducting day-to-day business and reaching out to prospective customers. As well as facilitating business, they also serve as gateways to cyberattacks. Regardless of who launches them, these attacks can cause huge reputational and monetary damage. As part of a risk management plan, organizations must now decide which risks to avoid, accept, control or transfer. Transferring risk is where cyber insurance comes into play.

So, what is Cyber Insurance?

Cyber liability insurance coverage, or CLIC, is designed to offset the costs involved with recovery after a cyber-related security breach or hack. Cyber insurance typically covers expenses related to first parties as well as claims by third parties. A few examples of common reimbursable expenses are:

  1. Business losses
  2. Investigation
  3. Lawsuits and Extortion

These are usually bundled into 4 different areas of cyber insurance:

  • Data breach and privacy management coverage, which covers the costs for managing and recovering from data breaches
  • Multimedia liability coverage, which covers defacement of websites, media and intellectual property rights
  • Extortion liability coverage, which covers the damages incurred from extortion
  • Network security liability coverage, which covers theft and DDoS attacks

The policies have both advantages and disadvantages, and each organization must decide whether they suit their needs and are worth the investment.

  1. Your current policy won’t cover you – traditional insurance policies do not explicitly cover first-party breach notification costs. This could leave an organization exposed to the full costs of a data loss event. Cyber insurance was designed to cover these extra potential costs.
  2. Data Breaches are very costly – data breaches are difficult to budget for because the size, scope and complexity of each breach can vary so much. Cyber insurance helps businesses cope with the unexpected expenses of the data breach, its notification and the repercussions.
  3. Assistance with a Data Breach Response – Many policies include the provision of a variety of resources to help companies facing a data breach. This can include legal, PR and technical advice.  This may either be included or may be through a referral at a discounted rate. This means you don’t have to shop around for the best provider/rate at a critical time.

As with all types of insurance, cyber liability insurance has limits:

1. Coverage
You may not be covered if the breach is caused not by you, the data “owner”, but rather by a third party, such as a cloud provider. In some industries, the data owners of sensitive information are often liable for a breach of protected information caused by their service suppliers.

The policy may only cover you for what is legally required rather than what is best practice.

The source of a breach may also affect the validity of the policy. Some will only cover “technical breaches” such as the loss of a device or unauthorized access to a company’s systems.

Regulated industries may impose their own fines for data breaches, so the policy may not cover these extra costs.

2. Response
The terms of a cyber insurance policy may dictate how an organization has to respond to a data breach, and you will have to abide by these restrictions.

3. Suppliers
Although recommending certain suppliers can be useful, it may also mean that you HAVE to use a specific supplier when you already have an approved provider you would rather use.  These limitations can impact the quality of a data breach response, particularly if you are in a specialist industry.

4. You Still Need Data Protection and Data Security
No insurance policy removes the need for companies to have adequate internal privacy and security measures. Ultimately, prevention is still the best form of insurance against a data breach. All organizations should regularly assess their privacy and security risks to ensure they have sufficient measures in place.

Additionally, all organizations need to have a plan that provides an effective, cost-efficient means to deal with data breaches.

Given the increasing complexity and likelihood of data breaches, more and more organizations are taking cyber insurance as an additional measure of security.

As with all types of insurance, organizations need to thoroughly research all their options before deciding to invest in cyber insurance or other means of data breach prevention.
