Cyber insurance unpacked

In the event of a data breach, how will cyber/data breach insurance respond? asks Ryan van de Coolwijk, director at CyGeist.

Pretoria, 31 Aug 2015
Read time 5min 50sec

In light of recent high-profile data breaches, and as more organisations begin contemplating the potential impact of a data or privacy breach, the purchase of cyber insurance is becoming more commonplace. A lingering question, however, remains: What exactly does cyber insurance cover and how does the policy respond in the event of a breach?

"While called cyber insurance, the cover is potentially best thought of as information or data breach insurance," says Ryan van de Coolwijk, director at CyGeist, a specialist cyber insurance provider.

A cyber insurance policy provides cover for the following potential costs associated with responding to a network security/privacy breach:

* Expenses of security specialists, attorneys, forensic investigators and loss adjusters to contain, manage and recover from an incident;
* Crisis management expenses, including:
* Public relations (PR) specialists and campaigns to minimise reputational harm;
* Notifications to affected parties;
* Provision of remediation services, ie, credit monitoring to affected parties;
* Ensuing litigation;
* Data and services recovery;
* Business interruption; and
* Potential fines and penalties to the extent insurable by law.

"The breach response process starts even before an incident has occurred. Upon signing up a policyholder, we define their breach response team with them, this helps reduce later delays in deploying the team. Effectiveness and efficiency of the breach response process is critical in limiting the potential damage that may be suffered by a policyholder as well as those whose data was compromised. In responding to an incident, time is of the essence, and even the slightest delays can prove costly," says Van de Coolwijk.

Cyber insurance seeks to eliminate delays and provide policyholders with access to, as well as pick up the costs of, experienced specialists, to aid in the breach response process and limit potential damages that may be suffered.

Unfortunately, breaches tend to differ and there is no one-size-fits-all approach that can be adopted. This is where the use of experienced, best-of-breed service providers is paramount.

Running through a typical network security breach response scenario to provide context; on identifying a suspected or actual breach, the policyholder contacts the emergency number provided by the insurer. Policyholders are urged to provide notification of an incident as soon as possible.

Depending on the cover modules purchased, the following costs and services are typically covered under a cyber insurance policy:

Legal experts (breach response advisor):

To provide guidance on required actions and notifications to be taken in order to ensure adherence to regulatory requirements, make representations to regulatory bodies, ie, the information regulator once established, and assist with defence and settlement of later liability claims. Legal experts are typically involved in an advisory capacity throughout the breach response process.

IT security specialists:

To contain the incident, prevent further loss of data, as well as bring operations back online, all the while taking care not to jeopardise forensic evidence.

Forensic investigators:

To confirm the breach, determine its cause as well as the nature and extent of data compromised. This insight plays a vital role in guiding further breach response actions, including who to notify and which remediation services to offer affected parties. There is little need in notifying an entire client base if only a small subset is affected.

Increased cost of working:

Reasonable increased cost of working, ie, hiring an alternative processing facility, hiring of equipment and staff overtime to restore operations.

Crisis communications/public relations specialists:

Assist with developing and implementing a PR campaign to limit reputational damage; the costs of the PR campaign would also be covered.

Notifications to affected parties:

Depending on regulatory requirements and client preferences, notifications may be distributed to affected parties. CyGeist does not require that policyholders be legally obligated to notify affected parties. Assistance by legal and PR specialists with notification wordings and call centre scripts is also covered.

Once implemented, POPI will require mandatory notifications to the information regulator and affected parties.

Affected party support and remediation services:

Depending on the nature of the compromised information, affected parties may be given the offer to register for remediation services such as credit and identity theft monitoring. Using credit monitoring as an example, affected parties who take up credit monitoring services are registered with the relevant service provider. They will then be provided with regular reports and alerts, should there be any activity on their credit record, ie, opening of a fraudulent account in their name.

Additional services that may be provided include the provision of dark Web sites and call centres to assist with dealing with queries from concerned and affected parties.

Business interruption:

Costs to restore/recover data and operations, or costs incurred until such point in time where it is established that data can't be recovered/restored.

Cover is also provided for the loss of net business income as a result of the network security breach.

Ensuing litigation, liability claims:

Should there be any ensuing litigation resulting from the compromised data, cover is provided for legal defence and settlement of the ensuing liability claims.

It is important for a policyholder to identify an internal representative, typically a high ranking individual, who will work closely with the breach response team leader and act as the bridge between the breach response team and organisation itself. Throughout the process, regular feedback sessions and reports should be provided to the policyholders to keep them updated and involved in the process.

There is a common misconception that traditional insurance policies provide cover for the above costs. While some traditional coverage options might have cyber crime extensions, the cover provided by cyber insurance is significantly broader and has been tailored to assist organisations in responding to a breach.

As opposed to just covering the insured for direct financial losses, cyber insurance policies cover the resultant expenses of a breach. Furthermore, the product not only provides cover for breaches resulting from cyber crimes committed by external parties, but also breaches as a result of malicious or negligent acts carried out by employees.

CyGeist underwrites on behalf of GuardRisk insurance company (AA+ Fitch rating). For more information, please visit or speak to your insurance broker.

While this article provides a summary of the cover provided by cyber insurance, it does not replace the full terms and conditions of a policy contract.

Editorial contacts
CyGeist Natalie van de Coolwijk (+27) 12 364 0835
See also