Cyber insurance and why you need it
No one likes seeing a chunk of their hard-earned income disappear at the end or start of every month to something many only see as a fear-peddled waste: insurance.
But, whether you like or dislike insurance, support it or don't, every human on the planet likes theft, loss and damage a whole lot less. You could say insurance is the lesser of two evils. But, as with any insurance, cyber insurance included, one big benefit is the peace of mind that comes with having it.
What is cyber insurance and why do you need it?
Cyber insurance is a sub-category of general insurance that covers businesses and individuals against Internet-based liability and risks. Technology, social media and transactions over the Internet play key roles in how most individuals and organisations conduct business.
Those vehicles also serve as gateways to cyber attacks. Whether launched by run-of-the-mill hackers, criminals, insiders or even nation states, cyber attacks are likely to occur and can cause moderate to severe losses for individuals and organisations large and small. As part of a risk management plan, organisations routinely must decide which risks to avoid, accept, control or transfer. Transferring risk is where cyber insurance comes into play.
Cyber insurance has been around for more than a decade. Market research firm Progressive Markets projects the global cyber insurance market to hit more than $29 billion by 2025, while PwC estimates it will reach $7.5 billion as soon as 2020. Cyber insurance can't protect you from cyber crime, but it can keep you and your business financially stable should a significant security event occur.
There are generally two levels of cyber insurance coverage: first-party and third-party. First-party coverage encompasses direct losses to an organisation or individual, whereas third-party coverage extends to claims and legal action taken by customers or partners.
Coverage differs by provider, but common coverage areas include data breaches, identity theft and personal data theft. This coverage has expanded more recently to scenarios like data damage, network failure leading to business interruption, cyber extortion, the failure of outsourced cloud service providers and forensic investigation costs, meaning the costs associated with uncovering the cause and impact of an attack.
There are also the hefty legal fees, fines and costs associated with recovering compromised data, repairing systems, restoring the personal identities of affected customers, and notifying customers of breaches. The core idea behind cyber insurance is to help you recover from a data breach or cyber attack by mitigating all the costs that crop up in the aftermath.
What is generally covered?
* Data liability: covering the damages and defence costs associated with a breach of personal or corporate data.
* Data security: damage resulting from any breach of duty that ends in:
    * Contamination by malicious code of third-party data;
    * Improper or wrongful denial of access by an authorised third party to data;
    * The theft of an access code from premises, computer system, or employees;
    * The destruction, modification, corruption, damage or deletion of data stored on any computer system due to a breach of data security;
    * The physical theft of hardware; or
    * Data disclosure due to a breach of data security.
* Data administrative investigation: provides costs and expenses for legal advice and representation in connection with a formal investigation by a data protection authority or other regulator.
* Data administrative fines: insurable fines and penalties that the insured is obligated to pay to a government authority, regulator or data protection authority for a breach of data protection laws or regulations.
* Notification and monitoring costs: provides costs and expenses of the data user for the legally required disclosure to data subjects.
* Repair of the company's and individual's reputation: reimbursement of costs incurred in relation to reputational damage due to a claim covered by this policy.
How to get coverage
There's a laundry list of cyber insurance plans out there offered by traditional providers and security-specific companies. Here are four popular global providers, with examples of what their liability coverage entails:
AXIS Capital: Business cyber liability coverage, including not only the basics (data breaches, extortion and loss, data recovery, third-party defence, etc.) but also factors such as intellectual property infringement, employee fraud, DDoS attacks, and the introduction of malicious code into a company's system.
AIG: According to credit rating agency Fitch's latest "Cyber Insurance Market Share and Performance" report, insurance giant AIG is one of the top three cyber insurers on the market. AIG offers a number of different cyber insurance plans, including personal identity coverage and its CyberEdge plan for businesses covering first- and third-party recovery, loss prevention, extortion and more. There's also a CyberEdge Plus plan that covers bodily injury or property damage associated with a cyber attack, as well as business interruption costs and product liability.
Chubb: Another top insurer, according to Fitch, Chubb offers a wide array of cyber insurance products and services, including loss mitigation and incident response, and customisable risk management policies covering privacy, network breaches, media, and claims related to errors and omissions.
Travelers: Travelers Insurance offers a number of different plans and related services. The plans include a CyberEssentials package for SMEs, CyberFirst plans for tech companies and public entities, and CyberRisk plans for larger businesses. The insurer also has so-called "cyber coaches" plus an online academy and risk hub, and offers pre-breach services such as assessments and training through a partnership with Symantec.
Is it worth it?
Once again, cyber insurance is not a replacement for cyber security. It's not a tech solution. Cyber insurance coverage is your personal or professional fail-safe for if and when a breach or cyber attack occurs, and you're left with a mountain of costs to restore your business, deal with customer lawsuits, or reclaim your digital and financial identity. You should still have a comprehensive suite of security tools in place, including anti-virus and ransomware protection, as well as encryption software, not forgetting password managers and two-factor authentication (2FA) to protect against identity theft.
As for whether buying cyber insurance is worth it or not, it's all about peace of mind. Do potentially high premiums for insurance you may not need offset the risk of having your identity stolen or your company's infrastructure breached and data stolen? If you choose the right policy that protects exactly the coverage areas and attack vectors you need, it may be worth the money, as cyber security incidents increase in frequency and severity across the Web.
At the same time, it's worth asking whether insurers can even afford the skyrocketing risk. As breaches and identity thefts continue and providers are saddled with the cleanup costs, is cyber insurance yet another bubble waiting to burst? I think we'll save that discussion for another article.