Understanding Cybersecurity Insurance

Business owners need to hear a simple, clear message when it comes to cybersecurity insurance. Companies that invest in cybersecurity will have an easier time getting insurance, and their premiums will be less expensive. The opposite holds true for companies that fail to take cybersecurity seriously.

Why Does Your Business Need Cybersecurity Insurance?

Businesses that create, store, manage, or handle any data electronically should be carrying cybersecurity insurance. Cybersecurity insurance can help minimize downtime, and therefore loss of revenue, after an attack. To demonstrate the importance of cybersecurity insurance, let's look at some examples.

Soon after Sony launched the PlayStation 3, their online network was breached by hackers who exposed information relating to 77 million user accounts and took the service down for 23 days. This hack cost Sony $178 million in lost profits and resulted in a class action lawsuit brought against them for $2 billion! Unfortunately for Sony, their insurance policy only covered physical property damage, not cyber damages, and Sony's insurer argued that the policy did not cover cyber breaches. This hack had huge ramifications for the company moving forward, namely increasing their security measures and igniting their need for true cyber insurance.

In 2017, Equifax, a credit reporting agency, suffered a data breach concerning 147 million consumers. As a result, Equifax agreed to pay $700 million to the US FTC (Federal Trade Commission) to cover reimbursements, identity theft recovery, restoration services, and their inability to secure 147 million records. Equifax did have a cyber insurance policy in place and maintained $125 million of cybersecurity insurance coverage, above a $7.5 million deductible. However, this did not help with ballooning costs caused by damage claims and continued identity theft recovery for victims in both the US and UK. Whilst Equifax received financial support, they did not demonstrate a high enough level of cyber security measures for a maximum pay-out.

The US experienced a 39% increase in cybercrime during the height of the pandemic between 2020 and 2021. Data from Hiscox revealed that businesses with 50 to 249 employees see an average cost of $150,000 per incident, whilst companies with 250 to 999 employees see an average cost of $520,000.

The examples above show that half measures lead to full fallout. The more secure and robust your cyber culture and policies, the more likely you are to qualify for insurance, and the smaller the impact of a potential hack or breach will be. According to Spiceworks data, 38% of organizations are now covered by some sort of cyber insurance plan, with 71% of them purchasing a policy for precautionary reasons and 'peace of mind'.


What Should Your Cyber Insurance Policy Cover?

Make sure your policy includes coverage for:

  • Data breaches (like incidents involving theft of personal information)

  • Cyber attacks that occur anywhere in the world (not only in the United States)

  • Cyber attacks on your data held by vendors and other third parties

  • Cyber attacks (like breaches of your network)

  • Terrorist acts

Also, consider whether your cyber insurance provider will:

  • Defend you in a lawsuit or regulatory investigation (look for “duty to defend” wording)

  • Provide coverage in excess of any other applicable insurance you have

  • Offer a breach hotline that’s available every day of the year at all times

"Companies that have not made the cybersecurity improvements deemed necessary by underwriters are still facing challenges to secure coverage, and when they do this tends to be significantly more expensive and subject to more restrictive terms and conditions, such as co-insurance, restricted ransomware and contingent business interruption coverage, and sub-limited or excluded coverage." - Marsh, broker - Insurance Journal, July 18, 2022


What Does Cyber Insurance Cover?

Before we get to why companies are rejected for insurance, let us break down what cyber insurance is. There are usually two types of cybersecurity insurance policy available to organizations.

The primary one is called 'first-party' coverage and covers your company's own expenses related to data breaches or hacks. The secondary one is called 'third-party' coverage and provides protection when a customer, vendor, or partner sues you for allowing a data breach.

You can elect to have one or both coverages in your policy. 

The Main Reasons Companies Are Denied Cybersecurity Insurance Claims

Low level of cybersecurity awareness and training 

95% of security breaches are caused by human error. In cybersecurity, human error refers to anything from clicking a suspect link to inadvertently downloading malware or using weak passwords. Even with the most secure and expensive security hardware and software in place, if your employees are not properly trained in security policies and procedures, your company is at risk. It is not surprising that companies with poor levels of cybersecurity awareness and training are struggling to qualify for cyber insurance. Your company must be able to prove that employees have been comprehensively trained.

Weak supply chain/third-party protocols

Companies also need to be aware that the state of their supply chain and third-party relationships is vital in their bid for cyber insurance. If a company is truly trying to protect itself from cybersecurity attacks, the level of security inside the organization must also be replicated outside of it. Cyber attackers target companies via their contractors and third-party providers to access internal systems and confidential data. If the cybersecurity of your supply chain is not up to standard, your insurance claim will not be successful.

Overlooked endpoint security 

To qualify for cyber insurance, companies must show that their security plan is holistic and provides good coverage. This means implementing healthy endpoint security. Endpoint security refers to the process of protecting devices such as desktops, laptops, mobiles and tablets, as well as IoT (Internet of Things) devices such as IP cameras, VoIP phones and smart devices, from cyber threats and attacks. Endpoint security software protects employees when they are connected to online networks and cloud services. If your company has not implemented smart endpoint security with accompanying incident response protocols, you will have your insurance claim denied.

No preventative security campaign or culture 

If your company has no preventative security measures in place or fails to demonstrate the existence of any security training, you will have your insurance claim denied. This does not mean your company needs to build a whole new security plan internally; you can also demonstrate preventative security measures through third-party security awareness providers and training. Once again, if you have no security plan and the related documentation in place, it simply is not worth a cyber insurance company's time to work with your organization, as the risks far outweigh the benefits of the relationship.

Inability to prove the existence of a security culture

The most frustrating reason companies are rejected by cyber insurance agencies is their inability to demonstrate that security measures are actually in place and being followed. When assessing your claim, insurance agencies will request evidence to prove that networks are sufficiently protected and that employees are aware of threats and risks in the cyber space. Unfortunately, many companies fail to do this because they are either operating internally and not aware of the ever-changing threats in the cyber space, or do not have a mechanism in place to quantify employee security awareness. Network-iQ offers comprehensive technologies and expertise to build a security culture, and can provide detailed assessment reports and research surveys to highlight the security strength of a workforce.

Network-iQ Can Help You Qualify for Cybersecurity Insurance and Ensure Your Company Meets the Requirements in the Event of a Claim

Cyber Insurance Coverage Requirements

In order to determine your premium and coverage limits, and whether you will qualify for cyber insurance at all, most providers will carry out a cyber insurance risk assessment as part of their underwriting process. Depending on the size of your company, this process can range from a questionnaire to a detailed analysis carried out over multiple weeks by a cyber security firm. Regular check-ups and reassessments are also possible.

To keep risks at an acceptable level, policyholders are required to meet basic IT security standards in order to qualify for cyber insurance. At a minimum, a company interested in buying cyber insurance must have the following safety measures in place: