For many organizations, a cyberattack is not a far-off possibility. It is not a matter of if but of when, which means that a plan for mitigating the fallout of an attack is a crucial part of managing an organization’s risk. Part of that plan should be considering cyber insurance.
Recently, we spoke with the professionals at Bozzuto & Associates Insurance Services about what cyber insurance is, how it is used, and what it covers. Here, we break down the basics for you:
What is cyber insurance?
Cyber insurance, also known as cyber liability insurance, helps cover a business’ liability as it relates to cybersecurity risks. This kind of insurance is “designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage,” according to the Cybersecurity and Infrastructure Security Agency (CISA).
While cyber insurance has become more mainstream over the last several years, its history dates to the dot-com days, when it covered data exposures related to online content or software errors in data processing. In the 2000s, it evolved to include unauthorized access to information technology systems, network security failures, data loss, and virus-related claims.
The California Security Breach Information Act, which went into effect in 2003, took it a step further by requiring businesses and state agencies to notify residents when their data was acquired by an unauthorized person. The data in question is personally identifiable information (PII): anything that can be used to identify you, such as your name combined with your address or phone number.
What are the types of cyber insurance?
More current-day cyber insurance policies have evolved to include a broad array of coverage and services aimed at responding to the ever-changing landscape of cybersecurity. That said, there are two types:
First party: centered on your own organization and ensuring you can recover from an incident. This coverage pays your organization’s own losses from a claim, such as ransomware costs, a brand management team, lost income, a forensic team, a breach coach, or data restoration. Cybercrime coverage is a kind of first-party coverage designed to reimburse an organization for funds lost through computer fraud, social engineering, or funds transfer fraud. Regulatory penalties, media liability, payment card losses, and liability for the unauthorized disclosure of PII are third-party coverages, described next.
Third party: covers claims brought against your business by others (customers, partners, card brands, regulators) after a breach of your network or systems. Some of these include:
- Cyber liability: a network security failure on your network allows an attacker to send malicious code through your network to other computer systems. The owners of the newly infected computers file a claim against you for failing to prevent the transmission of the malware, for example.
- Payment card loss: covers lawsuits, fraud recovery, and the cost of reissuing cards after payment card data is stolen from you.
- Media liability: a third party sues you for publishing their copyrighted material or other content on your website without their approval.
- Regulatory costs: covers fines levied against your organization for the unauthorized disclosure of protected information (e.g., under HIPAA) or compliance penalties (e.g., under PCI DSS).
The goal of cyber insurance is to restore your business after data corruption or loss. However, you need to specify to your carrier that you want both first- and third-party coverage in your policy, as these are two distinct and equally important coverages.
What does cyber insurance cover?
This depends on the coverage level you opt for and the carrier you choose, but in general, cyber insurance covers the costs that arise when your business falls prey to a cyberattack, such as cyber liability costs, payment card loss, media liability, or regulatory costs. Policies are designed to cover the costs of failures in security that result in data loss and the potential lawsuits that may arise from the same loss. Many of them also cover the cost of investigations into where the fault lies or for brand management if a breach is particularly damaging (or even the cost of providing identity theft alerts for a year for people who may have been affected).
Some policies may even cover the cost of a ransomware attack by paying the ransom. (However, “paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised,” according to CISA, which does NOT recommend paying the ransom.) At times, an insurance company will weigh the ransom demand against the cost of investigating and recovering from the breach and choose to pay the ransom; that decision should be made together with your breach coach and forensic team, not by default.
Who should be covered?
The short answer is everyone. But more importantly, if your business sends or stores electronic data – or relies on online components – it’s a good idea to invest in cyber insurance. It’s important to note that phones, laptops, and even paper files can be “attacked,” resulting in a breach. For example, someone could steal employee files that contain PII.
What are some common claim scenarios that can happen where cyber insurance would come in handy?
While there are several ways that cyber insurance can be used, here are some examples:
- Social engineering: one of your vendors appears to reach out to you to update their banking information. After making payments to the new account, you receive a call from the vendor and learn that the new banking information does not belong to them. You have been the victim of social engineering (often called business email compromise) that resulted in ACH fraud: your funds are gone, the vendor remains unpaid, and the vendor’s financial information has been compromised.
- Cyber extortion: your systems are encrypted by ransomware. The attackers demand a ransom payment and threaten to leak or delete all of your data if payment is not received within a certain timeframe. Ransomware is malware that encrypts files on a device to deny access to them; the threat to leak the data adds a second form of extortion on top of the encryption.
- Reputational harm, loss of income: a compromise of your systems brings your network down for several days, freezing all business activity. After recovering from the attack, your sales team informs you that some clients are terminating their contracts, citing the unreliability of your services. In this scenario, the loss of income from a reputation tarnished by the attack would be covered by cyber insurance.
What should I ask my carrier?
- Does this include first-party coverage?
- Does this include cybercrime coverage?
- Are personal devices included in my network?
- What services are included with this policy?
- Is social engineering covered?
How is cybersecurity risk addressed?
After a cyber incident, 45% of companies increase spending on employee training and crisis management, according to the 2020 Hiscox Cyber Readiness Report. Another 20% respond by purchasing or increasing cyber insurance coverage. But one thing is certain: prevention is crucial and should take a layered approach.
Staff education and testing. Educating staff on best practices for establishing a security-first mindset should be top of mind when putting together a cybersecurity risk management plan. Part of this training and education can be provided by a third party, such as KnowBe4, which provides security awareness training (and ongoing testing) and can highlight the kinds of attacks that are common so your employees know what to look for.
Security-first mindset. A security culture should be established throughout the company from the moment an employee is onboarded. In addition to security awareness training, there should be ongoing training for employees at every level on the proper use of technology, data handling, and network protection. Every person in the organization needs to treat security as part of their job.
Establish rules for finance. For ACH fraud schemes like the scenario above, there must be required steps before any change to client or vendor account details is accepted, reinforced by training and awareness. Best practices such as calling the client or vendor directly at a phone number already on file (never one supplied in the change request) to validate the change, or requiring additional identifying information, are critical steps in the process.
Multi-factor authentication (MFA). One of the best ways to protect both personal and professional accounts is to enable MFA on every account that supports it. MFA authenticates a person through two or more independent factors (something they know, such as a password; something they have, such as a phone or hardware token; or something they are, such as a fingerprint) before allowing access to an application or account, so a stolen password alone is not enough to get in.
Establish an incident response plan. For every organization the likelihood of some kind of breach is high, which means that no matter how strong your security posture is, you need an incident response plan in place. Know the steps to take, who you will contact, what communications should look like, and how you will respond effectively.
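The MFA check described above, as an added example that is not code from this article or from Bozzuto & Associates: a login that requires both a password and a time-based one-time code (TOTP, RFC 6238) generated by an authenticator app. The account, password, and TOTP secret are constructed test data (the secret is the public RFC 4226/6238 test secret); the `Account` and `login` names are this example's own.

```python
"""Added example: two-factor login (password + RFC 6238 TOTP). Not from the article."""
import hashlib
import hmac
import os
import struct
import time

# Constructed test secret: the shared secret from the RFC 4226/6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step, digits)


def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored value cannot be used directly as the first factor."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password, totp_secret):
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_used_step = -1  # highest TOTP step already accepted; blocks replay

    def check_password(self, password):
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)

    def match_totp(self, code, at, window=1, step=30):
        """Return the matching step for `code`, tolerating +/- `window` steps of clock
        drift and refusing any step at or below the last one accepted. Returns None
        if nothing matches. Comparison is constant-time."""
        for drift in range(-window, window + 1):
            counter = (at + drift * step) // step
            if counter <= self.last_used_step:
                continue  # this code (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                return counter
        return None


def login(account, password, code, at=None):
    """Both factors must pass. Both are evaluated even when the first fails, so an
    attacker cannot learn from response timing that the password alone was right,
    and the one-time code is only marked as used when the login succeeds."""
    at = int(time.time()) if at is None else at
    pw_ok = account.check_password(password)
    step_used = account.match_totp(code, at)
    if pw_ok and step_used is not None:
        account.last_used_step = step_used
        return True
    return False


if __name__ == "__main__":
    acct = Account("correct horse battery staple", RFC_TEST_SECRET)
    print("code at t=59:", totp(RFC_TEST_SECRET, 59))            # 287082 per RFC 6238
    print("login:", login(acct, "correct horse battery staple", totp(RFC_TEST_SECRET, 59), at=59))
    print("replay:", login(acct, "correct horse battery staple", totp(RFC_TEST_SECRET, 59), at=59))
```

The replay guard matters in practice: a code phished from a user is valid for up to 90 seconds under the drift window, so a server that does not record the last accepted step lets the attacker reuse it in that interval. A real deployment would also rate-limit attempts, since six digits give an attacker a 1-in-a-million guess per try.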
Partner with the experts. Part of a strong response is partnering with the experts on an ongoing basis to provide tests of your system, monitor ongoing threats, and provide information around changes in security standards for your company. Cybersecurity protocols and best practices change constantly and so do the threats, so choosing a partner that is knowledgeable, trustworthy, and provides you with best practices and standards adherence is crucial to help manage your risk.
How can I engage in cybersecurity risk management?
Prevention is crucial to managing risk for your organization: educating staff on best practices, fostering a security-first mindset, and setting up a cyber insurance policy will go a long way in ensuring you’re not an easy target in today’s threat landscape. Contact us to learn more about managing your risk and providing an assessment of your network.