With cyber attacks increasing in number and sophistication, more and more organizations are turning to cyber insurance to mitigate the risks and offset the costs of these attacks and other Internet- and IT-related liabilities. In the United States alone, the market is expected to grow from $2 billion to $15 billion in the next decade.
If you are considering purchasing cyber insurance for your business, here are five things to keep in mind:
- Cyber Insurance Is Continually Evolving
Cyber insurance is not new. Its roots are in errors and omissions (E&O) insurance policies. Around 20 years ago, add-ons were attached to tech companies’ E&O policies. These add-ons covered incidents such as a tech company’s software program bringing down another company’s network. Eventually, the add-ons evolved into separate policies that covered a wider array of incidents (e.g., data breaches). As the kinds of coverages increased, so did the interest in these policies by companies outside the tech industry.
Nowadays, many different kinds of businesses purchase many different types of cyber insurance policies. As the Internet, cyber crime, and IT systems evolve, so too will cyber insurance policies.
- Comparing Policies Can Be Challenging
Cyber insurance policies can be hard to compare because there is no set standard for underwriting this type of insurance. It is up to each insurance company to decide what it will cover and how to market that coverage. As a result, you might find that:
- Some insurance companies simply add cyber insurance extensions to existing insurance policies. Most insurers, though, have separate cyber insurance policies. Stand-alone policies are usually more comprehensive than extensions, according to experts.
- Some insurance companies put different types of coverages into separate policies. For instance, they might have a policy covering just data breaches and a policy covering cyber liability. In contrast, other companies offer one policy in which they include all their coverages (e.g., one policy covering both data breaches and cyber liability).
- A few insurance companies offer different cyber insurance policies for different types of organizations. For instance, they might have separate policies for small businesses, tech companies, and public sector entities.
As with other types of insurance, the cost of cyber insurance depends on many factors beyond the type of coverage provided. For instance, a business’s gross revenue, industry, and data risks are factored into the cost.
- Types of Expenses That Are Commonly Covered
Although there is no standard for underwriting cyber insurance policies, they cover many of the same types of expenses. Insurance companies typically cover cyber incidents caused by both internal actors (e.g., errors and omissions by employees) and external actors (e.g., cyber attacks by hackers). Examples of items usually covered include:
- Lost revenue due to network downtime or a business interruption resulting from a cyber incident
- Cyber extortion costs (e.g., ransomware payment)
- The expenses incurred from a forensics investigation of a cyber attack
- The costs incurred to restore data and systems after an attack
- The expenses associated with notifying customers and other parties about a cyber incident
- The cost of hiring a PR firm to minimize a cyber incident’s impact on a company’s reputation
- Regulatory fines
- Defence costs to handle lawsuits brought by individuals or businesses adversely affected by a cyber incident, or a lawsuit brought by a government entity
- Legal settlements from lawsuits
As this list shows, cyber insurance usually covers expenses incurred by the insured business as well as third parties adversely affected by the cyber incident. This is referred to as first-party coverage and third-party coverage, respectively.
- What Is Usually Not Covered
There are some costs and types of incidents that are not typically covered in cyber insurance policies. They include the loss of future revenue due to a cyber incident, costs to improve internal IT systems, bodily injury, and property damage.
In addition, it is important to know that a claim can be denied if a company misrepresents its security measures. Businesses are usually required to fill out an application that includes questions about the security measures they have in place. If a company submits a claim and the insurer can prove that the business did not have the specified security measures in place, the insurer can deny the claim.
- Where to Start If You Want to Get Cyber Insurance for Your Business
Before shopping for cyber insurance, experts recommend that you start by identifying the following for your business:
- The types and sensitivity of the data used in your business
- The kinds of cyber threats your company faces
- How susceptible your business’s operations are to a network interruption and how much revenue you would lose every day if a cyber incident brought down your operations
- Whether your business must adhere to any cyber-related laws or regulations (e.g., the Personal Information Protection and Electronic Documents Act (PIPEDA) or the European Union’s General Data Protection Regulation (GDPR)), and the cost of non-compliance
- The contracts you have with suppliers and other business associates and what data they are able to access through joint business operations
With this information, you can get an idea of the types and amount of coverage needed.
MicroAge is not an insurance expert. We strongly recommend speaking with insurance experts to get appropriate advice. MicroAge can help you gather the information and align your technology to help you get the right cyber insurance for your business. Contact your local MicroAge today.