5 Questions to Ask Before Buying a Cyber Insurance Policy
As a business owner, you understand the importance of insurance. It is one more way to keep your employees, infrastructure, intellectual property, and investments safe. And as data breaches have become an unfortunate, near constant fixture in the news, there has been an uptick in preventative strategies including Cyber Liability Insurance Coverage (CLIC). Marketed as a kind of cure-all, cyber insurance is still an incredibly nuanced fortification, with approval hinging upon lengthy digital assessment. Furthermore, and this can't be emphasized enough, a cyber insurance policy is only as effective as your IT infrastructure. So, before you begin implementing a cyber insurance policy, make sure your company is asking the right questions.
A $7.5 Billion Market
Cyber insurance isn't, strictly speaking, a new concept. These policies grew out of Errors and Omissions (E&O) insurance, around 2005. However, they have exploded in the last couple years as cyber threats such as NotPetya and WannaCry crippled businesses around the world. Current estimates reveal that cybercrime costs the global economy upwards of $400 billion annually. In response, the cyber insurance market is predicted to reach $7.5 billion by 2020, and $29 billion by 2025.
- Recovering compromised data
- Legal settlements and regulatory fines
- Hiring experts to identify and repair damage
- Notifying customers, and providing identity and credit monitoring
- Business interruption, network downtime, and lost employee productivity
These policies should provide coverage for both first and third party claimants. First party coverage includes losses to the organization or individual affected, while third party coverage addresses legal action taken by customers or partners. These policies can vary in terms of coverage and premiums, but typically account for organization type, service provided, data risk and exposure, and current security policy.
Cyber Insurance Done Right
In an Ovum report, it was found that 50% of U.S.-based firms do not currently have cyber risk insurance. Of those companies sampled, a further 27% reported no plans to acquire cyber insurance, though 61% anticipate an increase in data breaches over the next year. If your business is in the early stages of adopting a cyber insurance policy, make sure you ask potential cyber insurance providers the following:
- Is their cyber insurance coverage created in a new plan? Or, is it an extension of an existing policy? Many cyber insurance providers will provide customizable policies, that allow for the most cost-efficient option.
- Does coverage include both first and third parties, as well as third-party service providers? Third party vendors can provide an unfortunate alleyway into sensitive company data, so ensure they are included in your cyber insurance policy.
- Will coverage still apply if the event was cause by non-malicious employee activity? Or social engineering attacks including spear phishing and advance persistent threats (APT)?
- Given that some of these threats take time to discover, will the cyber insurance policy include time frames during which coverage is in effect? Or will there be limits?
- Does the policy only apply to targeted attacks, or does it cover any security event to which an organization is subjected?
Another factor to consider is that most cyber insurance providers require a thorough cybersecurity assessment before approving applications. This is done to ensure that businesses are implementing proactive steps to reduce their vulnerability, before cyber insurance is part of the strategy. Ultimately, there is little sense in insuring a company that is unwilling to engage in routine cyber hygiene via threat assessments, continued employee education, and an independent audit of third-party vendor security. Fortunately, iCorps' technicians are experts in identifying, diagnosing, and remediating IT threats. For more information on how a security assessment can better prepare your business for cyber insurance, contact us here.