As the rise of ransomware and cyberattacks increases daily, companies have looked to multiple tools to protect their most valuable assets – their data. From network security firewalls to endpoint protection for all BYOT devices, business leaders today are faced with an untold number of options when researching cybersecurity tools. One additional resource that has gained popularity over the last couple of years is the growing demand for Cybersecurity Insurance.

When evaluating Cybersecurity insurance options, business leaders are presented with an ever-growing list of requirements to secure a policy. For example, a simple ransomware policy with coverage could be secured with a proof of anti-virus coverage. However, with the increase in today’s cybersecurity threats growing at an exponential rate, policymakers are requiring more sophisticated and holistic cybersecurity strategies.

What is Cybersecurity Insurance?

Let’s start at the beginning: Many business leaders today ask, “What is Cybersecurity Insurance or Cyber Insurance?” To put it simply, cybersecurity insurance is a policy guarantee that protects a company’s assets in the event of a cybersecurity breach or other malicious cybercrime. Similar to an auto insurance policy, the amount of coverage – and what is not covered, depends on several factors and requirements on the part of the policyholder.

Cybersecurity insurance is also referred to as cyber insurance, cyber liability coverage and data breach insurance. This insurance covers financial losses your business incurs following a cyber event or a data breach. Cybersecurity insurance policies often include some automatic coverage and other supplemental coverage at your discretion.

First-party coverages apply to costs your company incurs directly due to a cyber event, while third-party coverages protect against claims made by companies or consumers affected by your action or inaction following the cyber event. For example, first-party coverage would cover the costs to inform your customers about a data breach. Third-party coverage would cover your expenses for a lawsuit if a customer sues your company for negligence after a hacker steals their personal data.

What Are the Types of Cyber Insurance Coverage?

Companies of every size are vulnerable to cyberattacks. Your information, privacy, and operations are all at risk, and cybersecurity insurance can protect your business from these risks through privacy liability coverage, network security coverage, errors and omissions coverage, media liability coverage, and network business interruption coverage.

1. Privacy Liability Coverage

For companies with privacy risks or information risks, privacy liability coverage is essential. Employee and customer information is highly sensitive, and data breaches that expose this data threaten the security of your customers and employees and leave your company vulnerable to liability.

In the event of a privacy law violation or a cyber incident, your company will be protected from liabilities under privacy liability coverage. You may incur these third-party costs if you face liabilities from a contractual obligation or liabilities from regulatory investigations.

Some examples include protecting your company against consumer class action litigation, along with funding a settlement after a data breach or cyber incident. In a regulatory investigation performed by law enforcement or government, privacy liability coverage may also cover legal expenses, penalties, and fines.

Include privacy liability coverage in your cybersecurity insurance policy to protect the information and privacy of your business.

2. Network Security Coverage

If you want to protect your company’s privacy and information, you should have network security coverage. If your network security fails, this type of cyber insurance will cover your company.

Network security failures include:

  • Business email compromises
  • Cyber extortion demands
  • Data breaches
  • Malware infections
  • Ransomware

Your first-party costs will be covered by network security coverage. For network coverage, first-party costs include:

  • Breach notification to customers
  • Credit monitoring
  • Data restoration
  • Establishing a call center
  • Expertise in public relations
  • Identity restoration
  • IT forensics
  • Legal expenses
  • Payment and negotiation costs from a ransomware demand

Include network security coverage in your cybersecurity insurance policy to protect your company in the event of a network security failure.

3. Errors and Omissions Coverage

Errors and omissions (E&O) coverage protects you from cyber events that keep you from delivering your services to customers and fulfilling contractual obligations. Claims about errors or performance failures in your services are covered by E&O coverage, such as software or consulting services, or traditional professional services rendered by engineers, doctors or lawyers.

This coverage also protects against breaches of contract or allegations of negligence, including legal defense costs from a lawsuit or a dispute with a customer.

Include E&O coverage in your cybersecurity insurance policy to protect your company against losses due to errors and omissions in your services.

4. Media Liability Coverage

Media liability coverage protects you from intellectual property infringement, except for patent infringement. This coverage typically applies to both printed advertising and online advertising, including your company’s social media posts.

Include media liability coverage in your cybersecurity insurance policy to protect the intellectual property of your company.

5. Network Business Interruption Coverage

If your business is dependent on technology to stay in operation, you’ll want to include network business interruption coverage in your cybersecurity insurance policy to protect your business from operational cyber risk.

When your network or your provider’s network goes down, you can use this coverage to cover fixed expenses, lost profits, and extra costs during the time that your company was impacted while the network was down. Coverage also applies to security failures from events like cyberattacks, and system failures like human errors or failed software patches.

Include network business interruption coverage in your cybersecurity insurance policy if the successful operation of your business depends on technology.

What does Cyber Insurance Do?

The next question often asked is, “What does Cyber Insurance Do?” As previously mentioned, cybersecurity insurance (aka cyber insurance) provides protection and recovery for an organization in the event of a cyber-attack. Often a company is not able to recover their data, and the cyber insurance policy provides monetary relief to the organization following the breach.

For many organizations, there are multiple benefits of securing cybersecurity insurance. Many government and publicly-traded companies require a certain level of cybersecurity insurance in order to partner or conduct business with them. As a level of protection for organizations, many require cybersecurity insurance of their vendors as well. Some organizations are required to carry cyber insurance to meet regulatory requirements.

Questions to Ask Your Broker

When was the last time you talked to your Broker about your policy and coverage? With all the changes that are happening with cyber insurance, be sure you are clear on what you’re getting and what is missing from your cyber insurance policy.

Here are a few questions to start the discussion with your broker or agent regarding your cyber insurance policy:

  1. What does my policy actually cover?
    Make sure your policy covers all your bases. Some insurance plans cover a broad range of cyber risk losses, while some plans have additional coverage for physical damage to hardware or business income loss. You need to know what exactly is in your cyber insurance policy, what it will/will not cover before you commit to it.
  2. What are the exemptions in my policy?
    Not every policy is written the same. There may be exemptions in a cyber insurance policy. So, as well as finding out what it does cover, find out what it does not cover! You should know this ahead of time, so you are prepared in case something does happen.
  3. Are there any gaps in my policy?
    If you currently have a cyber insurance policy in place, you should review it with your agent. You will want to talk about any potential gaps in your coverage and the best way to address them.
  4. If the company experiences a cyber incident, how will it affect my premiums?
    You’ve heard the expression, hope for the best, plan for the worst. Even the best controls can fail and if they do and a data breach occurs, you need to know what will happen to your policy and premiums.

What does a cybersecurity insurance policy include?

Cybersecurity insurance policy coverage varies greatly, and the type of coverage your organization needs can vary based on size, revenue risk, regulatory requirements and other factors.

Costs depend on several factors, including the organization’s chosen coverage. Every insurance company offers its own packages and policies, and insurance agents will send quotes for coverage options with different costs. Business owners can shop around for coverage and choose from a list of policies.

Generally, cyber insurance covers:

  • Loss of data and associated recovery.
  • Loss of revenue due to business interruptions from a cybersecurity event.
  • Loss of transferred funds from events such as fraud and social engineering.
  • Loss of funds from computer fraud and extortion.

The above list covers the actual cyber-event. Many insurance policies also cover the aftermath and follow-up events associated with a data breach.

After suffering from a data breach, a cyber insurance policy will likely cover:

  • Notification costs. Costs associated with identifying victims and sending notices so that they are aware of the breach. This is often a compliance mandate.
  • Credit monitoring. Costs associated with victim (customer) credit monitoring after data loss and identity theft.
  • Civil litigation. Costs associated with lawsuits and reimbursing affected customers.
  • Forensics. Costs to hire consultants and forensics experts so that damage and the root causes can be analyzed.
  • Brand damage. Costs associated with public relations to repair damage to the organization’s reputation.

Organizations should check with the insurance company for cost coverage to help stop attacks before they happen. An insurance company might help with prevention training against phishing and social engineering.

Why General Insurance Liability Won’t Cover Cyber Crimes

For many insurance policies, cybersecurity events are explicitly excluded in coverage. General insurance liability typically excludes cyber-attacks and other digital data theft. That means organizations usually must buy cyber insurance separately. (Every business should check their policy for their specific coverage.)

Just one cybersecurity incident can cost tens of thousands of dollars, making it too costly for insurers to cover in general liability policies. Also, the volume of risks is a large factor in insurance premiums. That makes actuarial calculations difficult, especially as organizations grow and add more infrastructure to their environment.

What Attacks Result in Cyber Insurance Claims?

After a cybersecurity incident, the organization must cover costs for subsequent remediation actions. These include:

  • Incident response
  • Containment
  • Forensics and investigations
  • Litigation
  • Compliance audits
  • New security infrastructure and policy changes

Any cyber event that results in data loss, investigations and cost-related consequences could be covered in an insurance policy. But coverage depends on the cyber insurance company and the type of coverage the organization chooses. The type of coverage determines policy premiums, so cost is often a factor in the organization’s policy choice. Most policies cover costs associated with credential theft, phishing, ransomware, malware and insider threats.

Organizations should check with the insurance company for cost coverage to help stop attacks before they happen. An insurance company might help with prevention training against phishing and social engineering.

What Does Cyber Insurance Not Cover?

As with any insurance policy, there are exclusions in cybersecurity insurance worth noting for potential policyholders. Generally, a cybersecurity insurance policy doesn’t cover the following:

  • Costs for improving your internal technology systems following a cyber event
  • Loss of value caused by the theft of intellectual property from your company
  • Potential lost profits in the future

In addition, acts of war from foreign attackers are not usually covered, and any costs associated with building cybersecurity infrastructure before and after the breach might not be covered. As usual, check with the insurance company and the policy to find any exclusions to coverage.

Though these losses or costs may not be included in the standard cyber insurance requirements, obtaining cybersecurity insurance is essential if you want to protect your business from cyberattacks.

Cybersecurity insurance, while at first viewed as a niche tool, is now considered a requirement for every company’s risk management system. And, fortunately, along with the sophistication of cybercrime, cybersecurity insurance, too, has come a long way since its early days.

Though cybersecurity insurance coverage is now essential, many businesses remain unaware that cyber risk is insurable, let alone what exactly cybersecurity insurance covers. Fortunately, cyber risk is insurable, and the coverage options available today are flexible enough to meet the needs of your company.

Though rates for cyber insurance have increased globally by 32 percent year-over-year, this coverage remains an essential part of a company’s cybersecurity strategy. Let’s learn more about this important way to protect your enterprise.

Coverage on Cybersecurity Events

In 2017, several major cybersecurity events destroyed data for large organizations and government entities across the globe. WannaCry, Petya and NotPetya were a few of the ransomware attacks affecting small and large organizations. It would seem like cyber insurance would cover the damage from these ransomware attacks. But forensics experts suggested that the attacks could be targeting specific countries.

As mentioned above, “acts of war” are not covered in most cyber insurance policies. After numerous ransomware attacks in 2017, some insurance companies claimed that they did not need to pay for ransomware damage because it was considered an act of war. This left several organizations left to cover the expenses after ransomware damage—one of today’s most expensive attacks.

The FBI’s Internet Crime Complaint Center (IC3) annual report showed a 69 percent increase in the number of cybercrime reports it received in 2020 compared to 2019. On average, the FBI received 2,000 cybercrime reports per day in 2020. Due to all the data breaches, ransomware attacks, and supply chain hacks, cyber insurers are taking a beating. When insurance companies have to pay more claims than anticipated, they tend to look back to see how they can do things differently. Insurance companies are masters of statistics and actuarial tables, so for most ‘knowable’ scenarios, they can tell within a certain +/-% what the costs involved will be and the likelihood of claims resulting from that scenario; given the recent threat landscape, that’s not been the case for cybersecurity incidents and their associated claims. Insurance companies do not have a consistent way to know which threat actor or nation state is going to attack a company, how long it will last, how impactful it will be, and how long it will take to contain and remediate it. There are metrics for the cost of the breach, but those are calculated long after insurance has paid a claim.

Why Isn’t Cyber Insurance Meant to Replace a Security Strategy?

It might seem like cyber insurance is the magic bullet for a data breach. But it should be used only as a supplemental addition to your cybersecurity strategy—never the entire strategy. It’s important to read the cyber insurance policy to ensure that all terms and conditions are met, including a plan that covers infrastructure necessary to protect data.

A data breach is expensive. Cyber insurance does not cover future revenue from newly released products and business growth. This lost revenue from brand damage and costs associated with a data breach can permanently dampen future revenue. For an organization to sustain, it must have a cybersecurity strategy that helps reduce risk and avoid a compromise.

How Do You Prepare for a More Complex Review Process?

As cyber insurance offerings mature, the requirements are going to become more complex. Unless you are a very small organization, you need to make sure the relevant stakeholders are involved in the review process and on the same page regarding the language and ability to meet the requirements.

  • Have you incorporated Legal, Risk Management, Security, and IT into the policy selection and review process?
  • Do all relevant stakeholders understand the expectations for the organization?
  • Do you understand the language used by your broker (e.g., EDR, IPS/IDS, SIEM) and do you, or your IT team, understand the technical depth that your broker expects you to have?
  • Do you understand your current cybersecurity posture’s impact on your coverage limits and premiums? In many cases, immature security programs may disqualify an organization from coverage eligibility at all. On the converse, conducting a cyber risk assessment and putting a remediation plan in place may significantly lower premiums.

As requirements become more detailed, make sure they are clearly communicated to the key stakeholders and teams that implement and support them.

When cybersecurity insurance was first offered, the questions the carriers asked were a little too simple, such as, “do you have a firewall”, “do you have antivirus installed”, with a little checkbox next to the questions. They didn’t go on to ask if the firewall was installed AND properly configured in alignment with an industry accepted benchmark. I’ve heard many stories about cybersecurity insurance questionnaires over the past year. One company was told they needed a firewall, so they bought one. The problem was that was all they did. They didn’t install, configure, and tweak it, and when asked if they had a firewall, they said “yes we do, it’s right here sitting on the floor in the original box.” The lack of understanding a requirement and the intent behind it leads to all kinds of issues. If you need help shifting boardroom conversations and considerations around cybersecurity and insurance, read our blog Cybersecurity in the Boardroom to learn more.

What Do You Need to Acquire a Cyber Insurance Policy?

The first step towards acquiring cyber insurance is to audit your infrastructure and document your cybersecurity policies and systems. To determine coverage and costs, a cyber insurance company will want to know what cyber defenses are in place. As with any insurance company, a cyber insurance company will not cover an organization with no cybersecurity strategy and infrastructure in place. Such an organization is sure to be a victim of a data breach, if not multiple breaches.

After an audit of cybersecurity infrastructure, it’s time to shop for a policy by contacting various insurance companies. Every company will have their own policy standards, exceptions and costs, so be sure to read the policy terms and conditions before agreeing to a policy. An insurance company will review current cybersecurity strategies to determine your level of risk and decide whether they are willing to write a policy for you.

What Changes Should You Expect for Cyber Insurance Policies?

What does this mean for you and your company? Well, whether you have an existing policy or not, here are some things that are happening or likely to happen soon:

  • Expect it to be more challenging to maintain, and/or acquire, a cyber insurance policy.
  • Capacity is shrinking, so you might not be able to get as much coverage as you want or what past companies have obtained.
  • Expect premium increases to go up by double digit percentages (or higher)
  • Expect to see questions around systems that were recently in the news because of a breach (e.g., Kaseya, SolarWinds, Microsoft Exchange, Citrix) or questions based on gaps identified in recent security incidents.
  • Expect new requirements, sometimes called critical controls, to be specified, such as:
    • Multi-factor authentication (MFA) is enabled:
      • At all ingress points into the network (e.g., VPN, VDI, Citrix)
      • In place for privileged/sensitive applications
      • Service Accounts
    • Disabled RDP, VNC and any other remote tools that are commonly used/abused in attacks or expect to provide an explanation of the compensating controls around those tools.
    • Segregated, or offline, backups that are regularly tested.
    • A vulnerability management (patch management) process/program and a requirement that you demonstrate you consistently patch your environment
    • Experienced, well-staffed IT management team
  • Prepare for the two worst-case scenarios:
    • Your current cyber coverage provider exits the cyber insurance market
    • Your current provider drops your cyber coverage.

To learn more about cyber insurance coverage changes, watch this webinar: The Cyber Risk Allocation Paradigm is Changing: Cyber Insurance’s Evolving Issues presented by Baker Donelson.

How Much Does Cybersecurity Insurance Cost?

Data breach insurance costs vary depending on the size of your company and how much coverage your business needs. If you have a smaller company, you may not need as much coverage, and thus, your premiums will be lower than a larger company with many areas that need protection.

Does Cyber Insurance Include a Deductible?

Just like any other insurance policy, cyber insurance has a deductible, but you can choose the deductible when the policy is written. Insurance companies will give organizations a deductible choice, and the deductible price will determine the insurance premiums. The lower the deductible, the more an organization will pay for their premiums.

How can LBMC help with Cybersecurity Insurance?

Cybersecurity insurance should never replace an organization’s cybersecurity program. You can start with a Risk Assessment to understand if there are any gaps in your organization’s security posture and practices that could expose it to unnecessary risk. This risk assessment often results in cyber insurance premium savings that are greater than the cost of the assessment itself. LBMC’s team of cybersecurity professionals and our broad industry experience helps you uncover risks in your organization, which can help reduce the likelihood of either losing cyber insurance or not being able to acquire it and can reduce your premium costs as well. Without understanding your risk as well as your risk tolerance, your insurance buying decision will likely be driven more by what seems affordable than what you might need.

Our vCIO team can help your business source the coverage and institute any software or solution requirements for your business.

If you would like more information on cyber insurance or to discuss a risk assessment for your organization, contact us today.