In 2021, cyber-crime is projected to cost the world an incredible 6 trillion dollars. If cyber-crime were a country, it would have the third-largest economy in the world, after the U.S. and China. Even to those who have experienced a cybersecurity attack, this is shocking. But what is not shocking is how draining these incidents are, some with the ability to wipe out a business entirely. According to the Insurance Information Institute, “insurance experts now consider the risk of cyber liability losses to exceed the risk of fraud or threat.” The increasing sophistication and confidence of hackers has, in turn, increased the demand for cyber insurance.
Many organizations are under the impression that traditional insurance coverage, like General Liability, Property or Crime, will protect their assets in the event of a cyber-attack. More often than not, this is not the case. Many of these policies contain exclusions for cyber incidents, leaving insureds exposed and in need of standalone cyber insurance for the protection they require.
Cyber insurance is a critical component of a comprehensive cyber risk management strategy. It is designed to assist insureds when responding to and recovering from a cyber incident. Cyber insurance coverage affords incident response services, particularly legal, forensics, and public relations, as well as financial risk transfer, which compensates for revenue loss and expenses you may incur to resume operations.
Let’s take a closer look at the following groups of coverages that are available in standard cyber insurance policies.
When vetting cyber insurance, the first thing to consider is the incident response aspect of the policy. Upon notification of an incident, insurance adjusters assign a “Breach Coach.” Also called a privacy attorney, a Breach Coach oversees and guides incident response and compliance efforts. By engaging a Breach Coach, organizations secure the protection of attorney-client privilege.
A Breach Coach will be party to an agreement with an IT forensics firm that partners with your IT department to triage, contain, and remediate an incident. The goal of all parties involved is to minimize the financial impact of the attack and the downtime the organization experiences. If the incident triggers a media response, or notification to individuals whose personal data may have been compromised, the insurance carrier can provide resources for public relations support and compliance with privacy law notification requirements.
The incident response aspects of a cyber insurance policy provide coverage for the aforementioned areas: IT forensics, legal (Breach Coach), public relations, and notification costs.
If your business is investigated by a government agency or other regulatory group, like the FTC, PCI, HIPAA, or a state or federal body, cyber insurance may be able to cover your legal defense and any subsequent fines and penalties that are assessed, as long as they are insurable by law. It is important to have broad coverage in this area to ensure protection under the changing legal and compliance landscape as it relates to data privacy.
Cyber-crime coverage is an important piece of a cyber insurance policy, as it covers extortion demands resulting from a ransomware attack, phishing, funds transfer fraud, and social engineering. A ransomware attack occurs when hackers breach software, encrypt information/data, and hold it captive until the victim pays a fee. These attacks often result in system downtime.
Ransomware attacks have spiked recently, not least because of the pandemic, which drove so many people to work remotely, away from the safety of the corporate network. 2020 alone saw 65,000 attacks! It may feel like a victory when an organization can resume operations in the face of an attack, but you may still be at risk of extortion if the hackers have your data in their possession.
Cyber insurance is similar to property insurance as they both protect assets. If your building, a physical asset, burns down, property insurance provides business income and extra expense coverage until your building is repaired and operational.
The same logic applies to business interruption coverage on the cyber insurance policy for a digital asset. When your network goes down due to a cyber incident, your operations, and subsequently your ability to generate revenue, are impacted. Basic cyber insurance will offer financial support during a cyber incident until operations are resumed, but broader policies protect against other incidents that result from less nefarious issues. For example, a broader policy will provide assistance when you experience a generic network failure or if a partner, like a cloud service provider, has a problem that in turn creates downtime for your organization.
Broader policies will also provide revenue compensation for reputational harm resulting from a cyber incident after operations are restored. Reputational harm may seem to be a small risk, but it should not be taken lightly. In a recent survey by the Cyber and Privacy Institute, 87% of consumers said they would take their business elsewhere in the event of a data breach.
First and Third-Party Coverages
Cyber Insurance is unique relative to other types of insurance in that it includes both First and Third-Party coverages. First-party coverages are for those damages that you incur as an organization (the Incident Response, Cyber Crime, and Business Interruption). Third-party coverages are included as well, covering not only the Regulatory liability aspect but also situations in which you are responsible for causing a cyber incident that affects another organization and are liable to indemnify them for your negligence or error. This also includes identity theft damages that an individual may incur as a result of your data breach.
Cybercriminal activity is here to stay, but fortunately so are we! Cyber brokers like the team here at JKJ work tirelessly to monitor and manage the increasingly sophisticated hacking technologies and tactics that pose risks to your business. Our goal is to provide comprehensive cyber insurance protection, aligned to the risk profile of your organization.