The costs of security incidents and data breaches are rising as well. The average cost per lost record increased from $148 in 2018 to $150 in 2019, with the average cost of a breach going from to $3.86 million to $3.93 million, according to annual reports on data breach costs by the Ponemon Institute and IBM. For some organizations, the results are devastating. In the last couple of years, we saw several companies shutting down or declaring bankruptcy as a result of a major data breach. One example was American Medical Collection Agency, whose breach led to compromised patient records at LabCorp, Quest Diagnostic and other healthcare providers. Given these kinds of implications, it would seem prudent to turn to cybersecurity insurance to mitigate risk. Especially since the data-driven economy will continue to push the boundaries for how information systems connect and interact with each other — and with that, the risk will compound. Buying cyber insurance, however, is more challenging than other commercial policies. Below are some basic things to consider.
What is cybersecurity insurance?
A 2018 J.D. Power survey found that two-thirds of businesses combine their cyber-risk insurance with other policies rather than buying stand-alone coverage. However, don’t count on a general liability policy to cover your cyber risk. These policies typically exclude losses related to electronic data because data is not considered physical property. The market for standalone policies is small (estimated at $2.5–$3.5 billion in the United States versus $275 billion for commercial property and casualty) but growing. A relatively new offering, policies vary widely from one insurer to the next and there are no standard terms. Some typical categories to look for include:
Security and privacy liability: Damages typically related to data breaches that affect a third party Regulatory defense: Covers fines and penalties, as well as defense costs, when a regulatory agency investigates an incident Data recovery: The costs of restoring or recreating damaged or stolen data Crisis services: Such as computer forensics, breach notification, credit monitoring and public relations necessary after a suspected or confirmed breach Business interruption: Covers loss of business income due to a cyberattack Cyberextortion: For attacks such as ransomware
These categories are examples of what a core policy may include, but some insurers may provide them on an add-on basis instead.
What do you need to know before you buy?
Cyber insurance typically doesn’t pay for physical losses that result from a cyberattack. That’s where property/casualty or general liability insurance comes in. In addition to understanding what a policy does — and does not — cover, there are many variables to consider. These are some of the questions to ask when comparing policies:
Are there any policy conditions? For example, some carriers impose minimum standards and will deny a claim if you don’t meet the standard practices you listed on your application What are the exclusions? Some insurers have extensive exclusions that could range from negligence (like unpatched systems) to chargebacks (when credit card numbers are stolen) and even social engineering. Many also don’t cover employee fraud and other criminal activities Are prior acts covered? This refers to incidents that you didn’t know about yet when you purchased your policy — a typical situation, since some attacks go undiscovered for months and even years Can I use my own experts? Some carriers require you to use a pre-approved panel of experts for services such as forensics and data recovery, and you may not be able to use a vendor you already have What’s the jurisdiction? Since state laws are different, the jurisdiction will impact aspects like damage payouts if you have to take the company to court
Several recent lawsuits illustrate why it’s important to understand what you’re buying. One company sued AIG over an incident that was classified as a criminal act, which the carrier said was not covered. In another case, carrier Zurich refused to cover damages resulting from the NotPetya ransomware attack because it considered it an act of cyber war, which was an exclusion.
How much coverage do you need?
The J.D. Power survey found that 97% of businesses that were hacked and had cyber-risk insurance found their coverage adequate. However, determining how much coverage may be adequate for your situation is challenging. Financial company Fundera recommends considering factors such as:
How many and what type of records do you store and where? How much would it cost you to replace affected hardware and software? What measures will be needed for notifying stakeholders such as customers in case of a breach? Will you need to hire an outside team to remediate, engage in public relations and so forth?
Managing risk holistically
A risk assessment, including an inventory of your data and other assets, is an important step before buying insurance. Carriers are likely to require you to mitigate risks by having good cyber defenses in place, and your cybersecurity posture may also impact your rates. Insurance is a way to transfer some of your risk, but it’s not a stand-alone measure. Nor is it a replacement for a security program. A policy may help you recover financial losses, but it won’t help you bounce back from reputational damage and other negative impacts. (Note: This article is presented for informational purposes only and is not intended as legal or risk-management advice.)
Sources
Allianz Risk Barometer: Top Business Risks for 2019, Allianz Allianz Risk Barometer: Top Business Risks for 2018, Allianz Cost of a Data Breach Report 2019, IBM Security/Ponemon AMCA parent company files for bankruptcy amid data breach fallout, Cyberscoop Small business, big risk: Lack of cyber insurance is a serious threat, J.D. Power/Insurance Information Institute Are insurers adequately balancing cyber risk and opportunity?, PwC Global Commercial Insurance Market to Grow $170B in P/C Premium By 2021, Insurance Journal Property Insurance, Cyber Insurance, Coverage and War: Losses From Malware May Not Be Covered Due To Your Policy’s Hostile Acts Exclusion, National Law Review AIG Case Highlights Complexities of Covering Cyber-Related Losses, CPO Magazine Cyber Insurance Not Valid in Case of Cyber War, Says Major Insurance Company, CPO Magazine What Is Cyber Liability Insurance, and Do You Need It?, Fundera
