What is Cyber Insurance?
What is cyber insurance? Get a definition, learn why it's important, how it works, best practices, and more in this week's Data Protection 101, our series on the fundamentals of information security.
One way to protect your company against the financial damage caused by data breaches and other cybersecurity incidents is cyber insurance. In this article, we'll discuss what cyber insurance is, what it does and does not cover, and how to choose a policy for your company.
Definition of Cyber Insurance
Cyber insurance is a form of insurance designed to protect a company against losses caused by cybersecurity threats. Among these threats are data breaches, hacks, DDoS attacks, malware, and ransomware. Cyber insurance is also referred to as cyber risk insurance, cyber liability insurance, or cybersecurity insurance.
Why is Cyber Insurance Important?
Cyber insurance works like insurance against natural disasters, business losses, or accidents, except that the insured losses stem from cyber risks. Any company that uses or stores electronic data should therefore consider getting a cyber insurance policy.
According to PwC, a third of US-based companies have cyber insurance. Companies need as many resources as possible to deal with a data breach or cyber attack, and this is where cyber insurance helps, especially for smaller companies: it provides funds to mitigate the potentially devastating financial impact of a cybersecurity event.
To get an idea of how expensive a data breach is, here are two examples. According to NetDiligence's 2015 Cyber Claims Study, the average cost of a single lost record (such as a credit card number or a customer's personal information) was $964.31. In 2019, the average cost of a data breach ranged from $1.25 million to $8.19 million, depending on the country and the company's industry.
While it helps companies cope with cyber-related losses, cyber insurance cannot replace a security program built on tools, policies, and practices, and it cannot prevent cybersecurity incidents from happening. What it does is help stabilize the company financially after an incident, which adds strength to an overall cybersecurity strategy.
Cyber Insurance vs. General Liability Insurance
General liability insurance applies to bodily injury and physical property damage. Data breaches and other cybersecurity incidents generally cause neither, so general liability insurance rarely covers them.
Cyber insurance is different: the losses it covers are often explicitly excluded from a general liability policy. It covers a company's liability arising from a cybersecurity event, such as hacking or a leak of personally identifiable information (PII).
How Does Cyber Insurance Work?
Cyber insurance policies vary in coverage from one insurer to another. However, most include coverage for both first-party losses and third-party claims. Here is the difference between the two:
- First-party coverage: applies to losses sustained by the company itself. Hacking, data destruction, data theft, cyber extortion, malware, or DDoS attacks could cause such losses. Under first-party coverage, the usual reimbursable expenses include the cost of forensic investigation, direct monetary losses, and legal fees.
- Third-party coverage: applies to damages, settlements, and the cost of defending the company against claims made by customers or other parties affected by a cybersecurity incident.
What does cyber insurance not cover? Like general liability policies, a cyber insurance policy has exclusions. Generally, it does not cover potential future loss of profits, loss of value caused by intellectual property theft, or the cost of improving the security program after the incident. Read the exclusions section of any policy carefully before buying.
Best Practices for Choosing a Cyber Insurance Policy
Like any insurance, cyber insurance coverage varies by insurer and by policy. Selecting a cyber insurance policy is therefore something your company should not take lightly.
There are many factors to consider. The following guidelines from CIO will help you know what to look for in cyber insurance coverage:
- Does the insurer offer one or more policy types? Is the policy an endorsement to an existing one, or stand-alone? A stand-alone policy is usually the better choice because it is more comprehensive than an add-on to an existing policy. If the policy can be customized to your company's risks, that is better still.
- What are the deductibles? It helps to understand how the insurer calculates premiums and deductibles for cyber coverage.
- What are the limits of the first- and third-party coverage under the policy?
- Does the policy cover only attacks that directly target your company, or any attack in which your company ends up a victim?
- Does the policy cover social engineering (e.g., phishing) and network attacks?
Apart from the five factors cited above, your company should also consider what information needs protection and what coverage is required to protect it. Consider also whether losses from customer notification, data destruction, business interruption, regulatory fines, and legal fees apply to your company, and confirm which of them the policy actually covers. Check out this article to learn more about other considerations.
Cyber insurance is quickly becoming an essential component of overall cyber defense programs for companies of all sizes. With regulations like GDPR, the California Consumer Privacy Act (CCPA), and HIPAA carrying stiff penalties and fines for non-compliance, it is even more crucial for companies subject to these regulations to have cyber insurance that protects the company's financial stability in the event of an attack.