Cyber Security Insurance: What It Is, And Why It Should Be Scrutinized
It’s a story we’ve heard all too many times. “Company A has been hacked — change your passwords now!” Normally, that simply results in some bad press and perhaps a loss in the number of users, but sometimes it goes a little above and beyond that. When something like that happens, companies generally lose money, and that’s a risk that’s sometimes just too risky to take.
The answer? Apparently, it’s cyber security insurance.
Thanks to breaches like the monstrous breach of Sony Entertainment, in which business data, employee information, and customer information were all compromised, cyber security is of utmost important. Companies are becoming desperate to guard their online data, and swooping in to save the day in case something does happen are cyber security insurance companies.
“Cybersecurity insurance (also known as “cyber risk,” and “media liability” coverage) is designed to alleviate losses from various cyber incidents, including data breaches, damage to networks, and any interruptions to business operations,” said Senthil Rajamanickam, information manager at Infogix, in an email with PCMech.
In fact, according to Rajamanickam, cyber incidents account for as much as 40 percent of business disruption.
Of course, businesses have been protecting themselves with insurance for a long time. Whether it be general liability insurance, workers compensation insurance, or another form of insurance, companies don’t want to be stuck in a situation that ends up costing them too much money. Cyber security insurance works in a similar way as other forms of insurance, protecting the company’s online assets, whether they be infrastructure or data-related.
Cyber Security Insurance Isn’t Anything New
You might be surprised to find out that cyber security insurance has its roots way back in the mid 90s. At the time, it wasn’t uncommon for a company to purchase ‘errors and omissions insurance,’ which, as time went on, covered things like software bringing down another network, destruction of data, or even viruses affecting a customer. Often times, an add-on was available as part of this insurance for ‘network security’ or ‘internet liability.’
Eventually, these insurance policies expanded to cover privacy breaches, which helped companies out in case customer information was stolen through the internet. That was, of course, a nice add-on for companies who held consumer data, but didn’t have enough technology-based services to warrant the purchase of a full errors and omissions insurance. Those companies needed a standalone insurance policy that would cover only data breaches — and thus the cyber security insurance policy was born.
The Cyber Security Insurance Policy
Unfortunately, it’s becoming increasingly likely that a company will suffer some sort of data loss at some point in time. In the likely event that happens, whether it be a hack or a data theft or some other data-related problem, cyber security insurance is there to minimize the cost that issue creates for companies.
A typical policy will include coverage for a number of different things related to the internet. Here’s an outline of what a cyber security insurance policy might cover:
- Errors and Omissions: E&O basically covers claims that might pop up from any errors in your service. In other words, if you as a company make a technological error, this will cover your bases.
- Media liability: Media liability covers advertising claims, such as those related to copyright infringement, and even slander.
- Network Security: This is the main one people think of when they think of cyber security — it covers things like data breaches, viruses, and other security-related issues. An interesting thing about network security is that it covers both first-party and third-party costs — that means that if legal defense is needed, it will help cover the costs associated with that.
- Privacy: A privacy breach may not necessarily involve a security breach as well. For example, it could involve something like medical records being physically found in a dumpster, or something similar. Privacy coverage also normally covers third-party costs.
Of course, there are some things that are not normally covered by cyber security insurance. These include things like reputational harm, loss of revenue that would be made in the future, costs required to improve networks and network security, and the lost value of your intellectual property should someone else infringe on your copyright.
Sounds Like A Pretty Standard Insurance Policy To Me. What’s The Big Deal?
Cyber security insurance is a great solution for many companies, but it’s not without its drawbacks. In fact, many of those drawbacks can be somewhat hidden. According to Rajamanickam, the biggest risk when it comes to cyber security insurance is underwriting, or determining the risks associated with particular clients. Why is that such a problem? Well, cyber security insurance is a somewhat untraditional form of insurance, and as such liability underwriting becomes not just harder to do, but a lot harder to do accurately.
“Non-traditional insurance like cyber liability underwriting becomes challenging due to a lack of actuarial quantitative data that is so easily identified in commercial insurance policies,” said Rajamanickam. “With complex assessment points that are difficult to underwrite, insurers need a thorough approach to estimate data asset value. In fact, because data is intangible and not a typical asset to which value can be assigned, few insurers have direct insights, knowledge or understanding into the cyber liabilities of these digital assets.”
Why is it so challenging to underwrite an insurance client? Well, the problem is that an insurance provider has to think about the personal information and the nature of that information for each and every customer after a hack — that includes the credit cards that might have been stolen in a hack and the things that might have been bought with that stolen credit card information. On top of that, the insurer might need to consider the cost associated with credit card monitoring after the incident has taken place. And, if this is on a large scale as many data breaches are, it can turn into a pretty pricey situation.
Of course, underwriting isn’t the only problem associated with cyber insurance. For many businesses, patents are a big part of how the business operates. Patent related issues that might arise when a breach happens, and these issues could lead to a ton of lawsuits and long legal battles.
“If a hacker breaks into a file storage system and obtains information on new technology being built, it can compromise an entire organization. Its things like that need to be considered during the underwriting,” continued Rajamanickam.
Another problem associated with cyber insurance is the fact that many companies actually don’t even have the tools to detect when a breach happens. Because of that, the risks associated with a breach can change the longer the breach goes undetected, which, in the end, impacts the insurer.
“Even when a breach occurs, it’s worth noting that many organizations do not have the tools necessary to detect a breach and provide the direct real-time awareness necessary to calculate risks of the insured digital assets stored by cloud service providers or enterprise networks,” said Rajamanickam.
Some Things To Keep In Mind
Whether or not you think cyber security insurance is the best thing for your business, there are a few things to keep in mind. For example, things are going to be a little different in the U.S. compared to in Europe. In the U.S., the cyber security market seems to be a little more mature than that in Europe, which likely has something to do with the fact that data breaches must be disclosed under U.S. law. Third party insurance, which, as mentioned, covers things like forensic investigations and lawyers, is more common in the U.S., while first-party insurance, which is more focused on data losses themselves and the impact they have on the companies, is more common in Europe. For large businesses, that might mean that different insurance policies will be needed in different regions.
It’s also important to make sure that you understand the insurance policy you’re getting, and along with that comes making sure that the wording of the policy is as clear as possible. It’s vital to investigate the types of things that are covered in the insurance you’re getting before buying said insurance. Otherwise, you could be stuck with something that doesn’t meet your needs as a business, leaving out out to dry in the case of a data breach.
Of course, it’s also important to keep in mind that cyber insurance probably isn’t going to cover certain things — like intellectual property theft or reputational damage. Cyber insurance isn’t going to completely save your company in the event of a data breach — it’s more aimed at providing financial relief. For that reason, it’s important to not rely on insurance, and make sure that your company’s security is as tight as possible.
And, last but not least, cyber security insurance isn’t something to be taken lightly. While its history does date back pretty far, the cyber security market, as it is today, is still very much in its infancy. Not only that, but the insurance plans provided have rooms for improvement. Ideally, cyber insurance should encourage your business to become better when it comes to security — not only will that help reduce the insurance’s premium, but it will also, obviously, ensure that you don’t ever need that insurance.
There are a ton of companies that offer cyber security insurance, and while their coverage may often by limited, that doesn’t mean that it’s not helpful. Still, there are some important things to keep in mind when it comes to cyber security insurance. The concept is not perfect — not by a long shot. It evolves over time, becoming more helpful for businesses as those businesses grow and the risks associated with their security become heightened.
While getting cyber security insurance may be a good choice for your company, it quite likely is not the right choice for all companies. It’s important to keep in mind that cyber security insurance is not designed to save your company in the case of a major data breach — it’s designed to alleviate things financially. If you suffer a major data breach, your company’s image is likely going to suffer — and you should make sure your company’s security is as tight as possible to avoid that.
It’s likely that cyber security insurance will continue to evolve over the next few years and as more data breaches occur, and the market will continue to be an interesting space to keep an eye on.
Header image and image of money courtesy of: CheapFullCoverageAutoInsurance.com