The internet has become an unlimited source of information for just about any subject today, including the more confidential ones. You can easily find many kinds of material on just about anything within a matter of minutes and at the click of a button. It therefore wouldn’t be an exaggeration to say that no content is completely safe and secure, thanks to the internet. Unfortunately, this medium has also played a significant role in certain types of crimes. The digital world has offered numerous opportunities to cyber crooks everywhere. Moreover, networking has accelerated the speed at which security can be breached, files can be transferred, sites can be hacked and information can be compromised.
A business or a government body could suffer a huge loss if its data falls into the wrong hands. Fortunately, cyber authorities around the globe have started monitoring internet activity to some extent. A number of laws have also been put into place to safeguard as well as protect private and confidential information. Nevertheless, a few firms and even some individuals have started opting for cyber insurance in order to mitigate any financial risks that could result from the compromise of their data. However, not a lot of people are fully aware of this facility and how it works.
Many expat entrepreneurs know they have a need for this kind of insurance but are clueless about where they should start. Before you bring out your credit card details to sign up for cover, you need to understand what cyber insurance is and then ask yourself if you really need it.
What Is Cyber Insurance?
Cyber Insurance, also commonly referred to as Cyber Liability Insurance Coverage (CLIC) or Cyber Risk Insurance, is a plan that has been designed to help companies reduce risk exposure by offsetting the costs involved with recovery of information after an online security breach or another similar event. It has its roots in Errors and Omissions (E&O) Insurance. Since 2005, cyber insurance has been gaining momentum and the total value of its premiums has been forecast to reach US $ 7.5 billion by the year 2020. According to a report published by PWC, nearly one-third of the companies in the US are investing in at least some kind of cyber insurance. You can find more details here.
Who Needs Cyber Insurance?
An organization that maintains customer information, collects payment information online, or stores critical information on the cloud should definitely sign up for cyber insurance. In fact, the proliferation of devices that allow you to connect to business networks could increase the threat to your confidential information and business as it makes your organization’s data assets more accessible.
It is unfortunate that attacks against most businesses are increasing, regardless of their size and location. While small firms often believe that they are not likely to be targeted, a study conducted by Symantec showed that more than 30% of all phishing attacks carried out in 2015 were against companies that had no more than 250 employees. According to the 2016 Internet Security Threat Report, also published by Symantec, 43% of all the cyberattacks in the previous year were aimed at small businesses. For more information on the findings of this report, go to Symantec’s website.
The Center for Strategic and International Studies reported that in 2014, the estimated annual cost to the world economy arising out of cybercrime was between US $ 375 and US $ 575 billion. While the sources may differ, the average cost of a small data breach incident to a large firm is around US $ 3 million. It is up to you to assess whether you can risk that kind of money or if insurance is needed to defray the cost that could arise.
What Does Cyber Insurance Cover?
It is evident that firms do see the need for this facility but most of them are still not clear about what it includes. Typically, cyber insurance covers expenses that are related to first-party claims as well as third-party ones. While there is no set standard for policies, the most commonly reimbursable expenses are:
Investigation – In order to determine the problem and understand how it occurred, a detailed forensic inquiry will have to be conducted. This will also help the authorities find out how the damage should be repaired and avoided in the future. The investigation may also require the services of a third-party firm as well as coordination with law enforcement.
Business losses – Some of the items covered by cyber insurance are quite similar to those that fall under an E&O policy (errors caused by negligence and other similar factors). Other risks, like monetary losses caused by network downtime, interruption of business and crisis management are also generally included in this plan. Expenses incurred in repairing reputation damage due to cyber-related problems are regarded as business losses too.
Privacy and notification – In many jurisdictions, the law requires that data breach notifications be sent to customers and other affected stakeholders. This includes credit monitoring for all the customers whose information has been breached.
Lawsuits and extortion – Companies usually incur legal expenses associated with the release of intellectual property, regulatory fines and lawful settlements. This could also apply to the expenses of cyber extortion, such as those arising from ransomware.
It is essential to bear in mind that cyber insurance is still in its evolving phase. The risks change frequently and many of the organizations don’t really report the full impact of the breaches to avoid negative publicity and damage to the trust of their customers. Most of the underwriters therefore have only limited data, through which they cannot determine the exact financial implication of an attack. In truth, the full risk of a real cyberattack is hard to completely understand.
When looking for a cyber insurance plan, try to opt for organizations that have an excellent reputation around the globe. Speculators claim that most corporate clients will soon expect protection against cyber losses to be a key part of every provider’s product line. Of course the extent of coverage and reimbursement will definitely vary, as per the insurer and the policy. Before signing up with a provider, it is therefore important to compare at least a few policies and check if the 4 main items listed above have been included. At the same time, find out about a few special circumstances and limitations, by asking the following questions.
– Is the company offering its customers one or more kinds of cyber insurance policies, or is their coverage nothing more than an extension of an existing policy? In many cases, a standalone policy is more comprehensive and therefore works best. Also find out if the policy can be customized for your business.
– What will be the deductibles? Run a close comparison of the deductibles among various insurers. Most of us already do this when signing up for health, vehicle or home cover.
– In what way will the coverage and limits apply to the first party and the third party? For example, will the policy cover a third party service provider?
– On a similar note, ask your current business insurance providers if they have a cyber cover and how it will affect your agreement if you sign up with them.
– Will the policy cover any attack in general to which your organization falls victim, or does it only include targeted attacks against your firm in particular?
– Does the policy you are considering also include any non-malicious actions taken by an employee? This point falls under the E&O coverage, which applies to cyber insurance as well.
– Are aspects such as social engineering and network attacks also taken care of by the policy? Social engineering often plays a major role in many different types of attacks, like phishing, spear phishing and Advanced Persistent Threats (APTs).
– Is the time frame within which the coverage applies included in the policy? This step is important because APTs often take place over a fairly long period of time, which could range from a few months to years.
The bigger players in the insurance industry usually offer prospective clients a checklist of all their covered items that can be compared against their competitors. Make sure to go through this list with a fine-tooth comb during the course of your research.
While you are assessing various insurance companies to suit your needs, do keep in mind that they will also want to check how vulnerable your firm is to cyberattacks and whether best practices are followed, by enabling certain defense mechanisms that will protect the company against an attack as far as possible. You will also be expected to educate your employees by spelling out the information security ground rules and increasing awareness about phishing and social engineering among the workforce. In fact, these measures will probably be a part of your protection plan. It is a good idea to use threat intelligence services for the most up to date information on zero-day and targeted attacks. You could also engage the services of ethical hackers to reveal any weaknesses in your security.
For a small business, hiring a threat intelligence service or an ethical hacker may not be financially feasible. However, it is important to invest in at least some kind of vulnerability assessment tool or at least engage the services of a tester, who can check external network defenses. This could go a long way towards improving security when you are negotiating your cyber insurance contract. As the coverage gets more standardized, your insurer may ask for an audit of a firm’s governance and processes as one of the criteria of the policy. It therefore should not come as a surprise if your insurance provider offers you coverage, but at a much lower level than you think you need.
Paying For And Claiming Cyber Insurance
The premium amount you pay for cyber insurance will depend upon your industry, nature of business, the risks involved, security measures, policies, revenue and the cover you are asking for. A smaller business with a turnover of US $ 100,000 to US $ 500,000 is likely to pay between US $ 800 and US $ 1,200; however, companies with revenues in the millions could pay up to US $ 100,000 for cyber insurance. Of course, the amount will also vary from one provider to another.
It is essential to remember that cyber insurance companies cover first-party losses as well as third-party claims, but general liability only involves property damage.
How To Get Started
The first step in signing up for insurance against digital loss is creating a cyber risk profile for your business. After that, prepare a list of expenses that you would like to have covered. Next, work out an estimate of third-party costs. Several providers have an online calculator on their website that will crunch the numbers for you and give you a rough estimate. Once that is done, you could start your quest for the most competitive provider, maintaining a balance of costs and services offered. Finally, get someone from your legal team to go through the terms and conditions before signing on the dotted line.
If there is no legal department in the organization, it may be a good idea to hire an attorney for this deal. Alternatively, you could look for agents that specialize in cyber insurance by getting in touch with the brokers’ association in your area.
Trade Associations for each industry are a valuable resource when it comes to cyber insurance plans. The Chamber of Commerce may also have a significant amount of input to share with you.