Over the years, insurance and its products have evolved dramatically. This change has occurred primarily because of socio-economic changes in society. In the olden days, only those who had money could afford insurance. But that is not true anymore. Most insurance has become mandatory while some is still optional. Today, business the world over is conducted on computer systems that are connected to each other through different servers. Countless hours of work and information, along with other necessary data, are stored on them. As a result, an attack on these systems can lead to potentially great losses and set the company or individual back drastically.
Malicious activity in the form of cyber attacks is increasing day by day. Data theft and tampering with systems have become common occurrences. As part of managing risk, all companies are now investing in cyber insurance products according to their individual capacity and requirements. This helps them mitigate the financial risk in the most effective manner. However, let us be clear about one thing: cyber insurance will only help you cover part of the expected financial loss, not the whole of it.
Defining Cyber Insurance
According to Wikipedia, “Cyber-insurance is an insurance product used to protect businesses and individuals from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities”[i]. In other words, cyber insurance helps a business survive data breaches and cyber attacks by covering the recovery expenses and ensuring continuity of business.
Let us understand this concept of cyber insurance further. When criminals who lurk in the cyber world gain access to a network, get hold of sensitive data and/or hold data captive, the company they steal from may face serious repercussions. That company can be held legally responsible for the incident. This is where cyber insurance comes into play. If you have the right insurance plan, it can pay for customer notifications, credit monitoring, legal fees, fines, etc., after the business suffers a breach.
What Does It Cover
There are two types of insurance cover that a business can take out to handle internet-based risks. Each is discussed below:
- First Party Cyber Liability Insurance – This coverage comes to your aid when either your network is hacked or your data is stolen. It helps by covering expenses like:
  - Business interruption expenses, which include the cost of extra manpower, equipment rented or leased, or services provided by third parties.
  - Expenses incurred to notify the customers and employees who are affected.
  - Public relations and crisis management expenses to educate customers about the breach and rebuild the reputation of your brand.
  - Expenses incurred to determine the extent of the breach and to support regulatory compliance.
  - Cyber extortion reimbursement for credible threats to introduce malicious code, to pharm and phish client systems, or to corrupt your computer system.
- Third Party Defense And Liability – The third party cyber insurance cover comes to your assistance when you get sued by a customer or partner for letting the data breach happen. It provides coverage for:
  - Expenses that you are legally compelled to pay after the data breach, like civil awards, settlements, etc.
  - Electronic media liability, which includes violation of copyright, trademark, trade name, domain name or slogan on either an internet or intranet site.
  - Probable coverage for network security and privacy liability as well as employee privacy liability.
What It Does Not Cover
No two industries have the same expectations when it comes to looking for the most effective cyber insurance policy. As such, you should not make the mistake of purchasing an off-the-shelf policy. This difference in expectations arises primarily from the different kinds of risks involved.
There are no outright exclusions, but there are many hidden caveats, which include:
- Some policies deny coverage to companies that failed to take adequate steps to protect their computer systems. Such failures might include not installing software updates and the most recent releases, not strengthening firewalls by applying security patches, etc.
- There are often sub-limits that are hidden in the policies. For example, your insurance limit might be high but for breach notification and forensic investigation, a lower limit might be mentioned that would restrict you financially.
- Most policies fail to provide cover for the loss of intellectual property and trade secrets. This is mainly because there is no standard way to evaluate these financially.
- Erratic outages and interruptions that occur due to downtime for one reason or another tend to delay projects and keep workers from being productive. These interruptions are not covered.
- The financial damage caused to the brand is not covered.
- Damages caused by the company’s own negligence or that of its employees are also excluded.
- Sometimes cyber attacks that are deemed a part of a terrorist attack are barred from coverage.
- In most cases, the cost of remedial measures undertaken to strengthen cybersecurity after a breach is also kept out of scope.
Components Of A Good Cyber Insurance Policy
As already stated above, each industry has its own specific set of risks for which it needs insurance. These risks tend to differ financially as well. Hence, to identify the most suitable cyber insurance policy, you need to begin by creating a cyber risk profile for your company.
Some coverages are required for every company, every time. These include:
- Ransomware – Increasingly, hackers are resorting to holding data captive until a ransom is paid. This situation is very unpredictable because the amount of ransom or extortion fees can range from a few hundred to millions of dollars. Such an expense is unexpected, sudden and, above all, a heavy financial burden for any company.
- Forensic Investigation – Once a breach has occurred, the story does not end there. Many incidental expenses arise, the most important of which is a forensic investigation. This is done to determine the extent of the damage that the company has suffered due to a cyber attack. Here, the experts try to figure out what happened, how it happened and how extensive the damage is.
- Breach Notification – All affected parties have to be informed once a breach has occurred. For a company, sending out such a notification is an additional expense. It can occur in the form of additional postage, paper, and printing costs. It would also include the call center expenses like additional man-hours spent in processing notifications, telephone costs etc.
- Business Interruption – When it comes to business, every hour counts. Hence, downtime of any kind means loss of income. Of late, the frequency and intensity of cyber attacks have increased tenfold. As a result, each interruption of business causes tremendous losses to the company. Therefore, it is better to be safe than sorry and include a business interruption clause that can help you recover without suffering a major setback.
- Legal Fees & Defence Costs – Usually, customers tend to file a lawsuit against the company in which the data breach has happened. The legal fees and representation costs are very high in such cases. Also, cases like these tend to run longer, which increases the financial burden. To mitigate this risk, ensure that your cyber insurance policy covers this aspect to your satisfaction.
Now that you understand the criticality of cyber insurance, it is the best time to review your own policy. Sit down with experts to understand the vulnerabilities of your business and get a cyber insurance policy tailor-made to meet your specific set of requirements.