Cyber insurance explained, from selection to post-purchase

Before you sign on the dotted line, make sure you understand what cyber insurance can and can't do -- and what type of policy will do the most for you.

"There are only two types of companies: those that have been hacked and those that will be," then-FBI director Robert S. Mueller told attendees of the RSA conference a few years back. Much like fire and floods, cybersecurity disasters can hit any organization. Damage can include financial loss, reputational impacts, operational outages and more.

Cyber insurance has become a key tool for transferring risk to third parties and ensuring that you have access to a qualified incident response team during a cybersecurity crisis. What's more, certain types of cyber insurance can provide you with free or discounted access to valuable security resources that can reduce your risk.

Not all cyber insurance is created equal. Read on to learn about the types of cyber insurance, how to select your coverage and key steps to take after you have cyber insurance in place.

Cyber insurance explained: Start with coverage questions

Unlike auto insurance, there is no standard form of cyber insurance. Insurers offer a wide variety of products, and often the fine print makes a big difference in your coverage.

Common types of cyber coverage include the following:

  • Remediation services cover the costs of responding to a potential breach, including forensic services, legal fees (for a "breach coach"), call center services, PR services, notification costs, credit monitoring services and more. In some cases, the insurer will actually provide a response team, rather than simply cover the costs. This service can be invaluable, particularly for smaller organizations that do not have a dedicated cybersecurity team.
  • Information security and privacy liability protects you from claims and damages resulting from a data breach or cybersecurity failure. This may include coverage for your legal defense and investigative expenses, in addition to claims and damages payable as a result of a data breach or violation of security or privacy-related laws.
  • Regulatory defense and penalties cover costs associated with regulatory action, including fines, penalties, legal fees, investigative costs and more.
  • Business interruption covers lost revenue, expenses for minimizing the impact of the disruption, and services to regain full operability in the event of an operational outage due to a cybersecurity incident. Note: Usually, there is a waiting period before the lost revenue coverage is triggered. Business interruption insurance typically provides coverage when your own infrastructure is impacted, but it may not provide coverage when you experience an outage due to a cloud provider or other third-party vendor.
  • Media liability protects you against claims related to copyright infringement, plagiarism, libel, defamation and other negligent actions resulting from media publication.
  • Cyber extortion typically covers costs such as the ransom negotiation and payment, data decryption and recovery, investigation and more in cases of ransomware and "exposure extortion," in which criminals threaten to publish your stolen data unless you pay a fee.

What's excluded?

Cyber insurance policies normally have a list of exclusions, such as claims resulting from certain conditions:

  • terrorism, acts of war, invasions, riots, revolutions and so on;
  • failure to maintain a reasonable level of security;
  • prior acts that occurred before your policy was in effect (or your "retroactive date");
  • breach of contractual obligations such as the PCI DSS; or
  • damage to physical property.

If your data is in the cloud, make sure you understand how that affects your insurance coverage. Your policy may limit coverage of incidents involving data in the cloud, and typically cloud providers' contracts limit their liability, too.

Selecting your coverage

The purpose of obtaining cyber insurance is to transfer cybersecurity risks to a third party. However, most organizations simply tick the "cyber" checkbox and don't carefully consider what risks they actually need to transfer.

Every organization is different. Even once you understand the ins and outs of cyber insurance, the next and most important step remains: making sure you get the coverage your organization really needs. This requires a methodical selection and review process. Here are some tips:

  • Involve the right people. To select the right coverage, you need input from people with a variety of skills. This may include legal counsel, IT management, risk management and an experienced cybersecurity professional. Your leadership team (typically top executives and/or board of directors) will ultimately decide what level of risk to accept, and therefore what insurance is appropriate to purchase.
  • Inventory your data. In order to select the right amount and type of insurance coverage, you need to first understand how much sensitive data you have, what laws and regulations apply, whether you have any contractual obligations and so forth.
  • Understand your high-risk scenarios. Ideally, it is best to conduct a formal risk assessment at least annually, in which your cybersecurity risks are enumerated and prioritized. Then, develop a risk management plan and determine what risks you intend to transfer.
  • Review your existing coverage. It's important to harmonize your cyber coverage with your existing policies. You want to avoid issues of dual coverage or gaps in coverage whenever possible.
  • Research insurers. Cyber insurance providers are not all created equal. Research factors such as:
    • Claim denials and lawsuits. Some insurers are more likely to deny claims than others. You may also want to check public records to see if the insurer has a history of court battles.
    • Supplemental resources. Often, cyber insurers offer a portal that includes training videos, policy templates, incident response planning guides and other valuable materials. You may also qualify for discounts on proactive cybersecurity services, such as vulnerability scanning or multifactor authentication.
    • Panel. Review the list of cybersecurity attorneys, forensics firms and other vendors on the insurer's panel. Make sure you are happy with your options or ask to add your preferred providers to the approved vendor list for your policy.
  • Obtain quotes. Once you have done the groundwork, obtain quotes to evaluate. Your insurance agent may have specific recommendations.
  • Compare and select. Compare your options. It may often feel like you are comparing apples to oranges -- or perhaps even apples to squids. An experienced cybersecurity professional, working in conjunction with your insurance agent, can help you select the best option. Make sure to review your chosen policy in depth prior to purchasing so there are no surprises.
  • Review and adjust. Your risks will change over time. Establish a routine in which you regularly review and adjust your cyber insurance coverage if needed, at least annually.

Next steps: After buying cyber insurance, explained

Once you sign up for a policy, your work isn't done! Carefully review your new policy so that you understand the insurer's process and requirements for filing a claim. For example, you may be required to report incidents within a certain period of time to qualify for coverage. Update your incident response playbook to include important details relating to your cyber insurance policy.

Train your cybersecurity responders so that they know when and how to bring in your insurer. Depending on your coverage type, you may want to meet with your cyber insurance contacts proactively.

Finally, take advantage of your insurer's resources, whether it is a cybersecurity portal, training opportunities or other options. Share access to these resources within your company so that you are maximizing the value of your policy. Often, these resources will help you reduce your risk of a cybersecurity incident, which is a win-win for you and your insurer.

In that same speech at the 2012 RSA conference, Robert Mueller said he could foresee cases converging so that eventually all companies would fall into one category: "companies that have been hacked and will be hacked again." It seems those days are upon us, and most -- if not all -- organizations should be looking into what cyber insurance coverage they require.