The pandemic changed our lives in many ways, some good and some bad. However, one impact has been that that cyber-attacks are more prevalent than ever before. Every organization across all industry sectors is now a target of cyber-crime. It seems like every day another cyber-security incident is reported in the press. Phishing emails, triplets, ransomware, SMS with embedded malware are now threatening organizations daily. These threats have put the spotlight on cyber-insurance.
Having a cyber insurance policy in place is now a must for a wide range of organizations, but there are many questions around this topic, such as: what is covered in a cyber insurance policy? Can my organization insure against cyber risk? Can we obtain protection against theft of private data? These questions can be answered because cyber risk is measurable and therefore it is insurable.
There is an option for every organization
Regardless of their size, every organization faces risks. Moreover, cybersecurity is not just about the organization itself, there are many actors involved in cyber risks. Recent events have highlighted the importance of the risks created by supply chains and the importance of managing and monitoring these.
Cyber insurances might cover first and third-party costs. Usually, a policy will be created according to the organization’s specific needs based on size, operational risks, and their specific vulnerabilities. When obtaining cyber insurance, organizations must check what is covered by the policy for various eventualities such as a network security failure, ransomware, email compromise or data breach. In addition, it is important to keep in mind the liability for privacy breaches, which is vital where the organization holds personal data (PII) and this should also include contractual obligations. If sensitive information is exposed, the organization could face litigation and legal expenses, and providing the insurance policy covers this, the service would be a major benefit for the company.
In a similar vein, there are other important details to consider, such as, business interruption, human errors, or risks on the company’s media channels. The best cyber insurance policy will be based on the organization needs; thus, it would be very hard to find a one-size-fits-all policy. The price will also vary according to any additional coverage added. Even though it sounds good to have, there are certain aspects that an insurance policy would not cover, for example:
- Internal fraud: if there is a criminal act inside the organization, the insurance would not normally cover damages.
- Loss of profits due to reputational damage: naturally, a cyber-attack impact on the organization’s reputation, which could lead to the loss of customers and contracts.
- Failure to maintain security controls: organizations must ensure they maintain the security controls agreed in the contract for and an insurance claim to be approved. The organization may also have to submit an audit of their controls as part of the application process for the policy.
- Loss of intellectual property: may cause additional costs as well as reduced profits, typically this is not typically covered by insurance policies.
These points mentioned above are part of what is known as “Silent Cyber”. This refers to the risks that are neither expressly covered nor excluded in the cyber insurance policies. In general, due to the sophistication of attacks which were not foreseen in the original policy, there may be exclusions. However, clarity is the key in this case. Reviewing what is covered and not covered is important to avoid the possibility of a disappointing surprise. It is vital to avoid any kind of misunderstanding or confusion.
Is it worth to have a cyber-insurance policy?
The first thing we should understand is that cyber insurability does not eliminate the risk of becoming a target of cyber-crime, it is intended to mitigate the negative impact when one occurs. Although organizations may be concerned about Silent Cyber, in fact that most insurers have responded positively to incidents suffered by their policy holders.
However, in the face of an unprecedent number of attacks, insurers have had to increase higher policy prices, demand greater scrutiny of the security controls of their policy holders. We must keep in mind that the pandemic has changed the world: entire workforces migrated from working onsite, where cybersecurity was monitored and controlled, to working from home which increases vulnerability to cyber-attacks.
Finding the best insurance is not an easy task. The best approach is to understand the important business risks to the organization and to check that these risks are covered in the policy. Hiring a third-party like KuppingerCole Analysts could help organizations to measure these risks and to review the terms and conditions in their cyber insurance policies. Identifying your organization’s weakest points has two main advantages: it clarifies the must haves for an insurance policy to address all aspects of your cyber risks as well as the extras that you need.
To sum up, the only thing needed to be the target of a cyber-attack is to be online and having a cyber insurance policy can help to reduce the impact after a cybercrime through supporting legal assistance, crisis communication and covering financial losses. The main goal of insurers is to offer long-term protection through encouraging their customers to increase their resilience and manage their cyber-security supply chain risk. In the light of the current events, it can be expected that the market for cyber insurance will grow and become an essential component for protecting the modern digital economy.