Cyber-security insurance is quickly becoming an important consideration for modern businesses, regardless of industry.
The fact is, cyber-attacks happen every day. Many organizations are not following best practices for keeping their clients’ data safe, and many do not have reliable contingencies in place in the event of an attack.
We have all heard about high-profile data breaches that have happened to major organizations like SolarWinds, but what about all the other activities out there that we don’t hear about?
These days, it has never been easier for a hacker to get their hands on everything they need to carry out an attack. Many organizations are unaware that their sensitive data may already be out there for sale on the dark web.
By and large, small to medium-sized businesses are unprepared for how to deal with a cyber-attack. The general sentiment is that cyber-breaches only happen to high-profile organizations, but that’s just not true.
Knowing this, what should we do about it?
What is a cyber insurance policy?
“Cyber insurance” is a term that’s been associated with the protection of digital information, but it doesn’t tell the whole story. The real plan is called “Network Security and Privacy Breach Coverage”, which explains more clearly what the coverage includes.
Generally, most businesses carry standard general liability, and if they are in the business of providing professional services, they may also carry a professional liability policy. However, these policies do not generally cover network or data breaches, or may offer only limited coverage depending on the insurer.
On the property side, a plan may cover physical assets, but it will not cover any of the data contained within those networks. That’s where Network Security and Privacy Breach Coverage comes in to fill that gap. These days, client and customer data need to be considered as critical as (if not more critical than) the physical property the business owns.
Have you rated your organization’s cyber-risk?
Benson Kearley released our cyber-risk scorecard as a means for organizations to “rate” themselves on how prepared they are in the event of a cyber-attack.
Although it’s not possible to completely prevent cyber-attacks, there are steps you can take to mitigate the damage they can cause. The first is to prevent an attack by ensuring that your network security control practices are strong, and the second is to mitigate the damage caused by an attack through the purchase of a comprehensive cyber insurance policy. Any insurance company will want to conduct a review of your internal processes to make sure you adhere to a minimum level of data protection standards. The cyber-risk scorecard allows you to self-identify the areas where your organization may have weaknesses or vulnerabilities.
These practices include:
- Are you using a Virtual Private Network (VPN)?
- Do you have security firewalls in place?
- Are the firewalls patched and updated regularly?
- Do you have strong passwords?
- Are you regularly changing password controls?
- How do you control access to your sensitive information?
- What are your system and data backup processes?
- Do you have data backups going to an offsite location that’s not connected to the network?
Unfortunately, prevention of cyber-attacks is deprioritized for businesses where data is not the focal point of their revenue model. However, if you are gathering client data that involves more than simply their name and email, then you need to seriously consider how you are collecting and protecting that information.
Who is a cyber-insurance policy for?
There isn’t a business out there that doesn’t have some kind of web-facing activity. Any company that has a network containing information they want to protect is vulnerable.
According to HashedOut in their article ‘15 Small Business Cyber Security Statistics That You Need to Know’, “Despite nearly one-in-five (18.5%) small businesses experiencing cyber attacks or data breaches, 60% of those surveyed SMB owners think their businesses aren’t a likely target of cybercriminals.”
As Benson Kearley has written about before, research by the National CyberSecurity Alliance shows that at least half of all cyber-attacks now target small businesses, defined as those with fewer than 250 employees. These days, it is not a matter of considering whether an attack will happen; it’s about considering what your organization’s response will be when it happens.
So, in essence, Network Security and Privacy Breach Coverage applies to any modern business.
What exactly is covered in a cyber insurance policy?
These policies tend to have two elements. The first is third-party liability. For example, if your activity somehow caused a third party to suffer a breach, and that breach resulted in financial damages to them, they may want to bring a claim against you for their losses if they deem that you’re responsible. The policy would cover those types of liability claims.
The second element pertains to the vast majority of claims, which never go outside the organization. These are known as ‘First Party’ losses and the biggest area of claims right now is “ransomware”. We’re likely all familiar with the term “Trojan virus”. Ransomware is a Trojan virus in the form of an infected file that is introduced into a network, which encrypts data sets until a ransom is paid to have a decryption key applied.
If an organization suffers a ransomware claim, the insurer will completely manage the incident, including the costs for the breach coach, forensic investigation, and even the ransom costs. They cover the cost for the forensic investigation into the network and data breach to figure out what’s been attacked, what files have been corrupted and whether any data has been taken. In many cases, no data is taken; the hackers just want the ransom paid.
However, if a breach is deemed significant enough, the company is sometimes required to notify everyone whose information was affected. Depending on the breach, some cases involve credit monitoring for the affected people who have had their personal data compromised. Usually, the bad actors who have the information are looking to exploit it for financial gain. The government imposed onto the companies the cost of notifying anybody whose information was breached. In many cases, that could mean hundreds or even thousands of records that require notification and credit monitoring. In these cases, the policy coverage can assist with these expenses, depending on certain factors.
Some data breaches can cause significant hardware damage to the point that servers and network equipment may need to be replaced. Even though these cases are rarer, they can happen. The policy coverage can assist with these expenses as well, of course, depending on certain factors.
Now may be the time for Network Security and Privacy Breach Coverage
The reality is, having cyber insurance is not going to negate the possibility of a cyber-attack. What it can do, however, is ensure there is a process in place for an organization’s response if an attack takes place.
If you have Network Security and Privacy Breach Coverage, it means that you take the possibility of an attack seriously and that you have a plan in place for dealing with a data breach. It means that you have also applied the required standards to be considered for coverage. This will give customers and clients peace of mind when dealing with your organization.
If you have more specific questions about Network Security and Privacy Breach Coverage and how it affects your organization, please reach out to us. We are here to help!