Cyber risk is the risk of financial harm to an organization resulting from a failure or disruption of its computer systems. It can also arise from the way a company handles its data or relies on technology in its everyday operations.
But it isn’t just businesses that have to deal with cybercrime. Any large organization, such as a college or university, that has a culture of openness and sharing is highly susceptible to cyber risk.
Some data breaches are not noticeable right away, while others can cause huge disruptions in operation and a leak of valuable personal and business information.
Cyber Insurance: What Is It?
Cyber insurance is a product that helps protect organizations from cyber and information technology risks. Although this is still a growing field, the following are some of the most common types of coverage that you can expect on offer:
Breach and Event Response Coverage
This type of coverage covers common costs that are a result of a privacy breach, such as:
- Forensics and investigative services
- Breach notification services such as legal fees, call center and mailing of materials
- Identity and fraud monitoring expenses
- Public relations and event management
This type of coverage reimburses the costs to defend an action by regulators due to a privacy breach. However, there is no limitation as to what caused the privacy breach. For example, this type of coverage could apply to a failure of security on the part of the company which resulted in a privacy breach, such as someone losing a laptop or emailing a document to the wrong person.
This type of insurance protects the policyholder and other insured individuals from the risk of liabilities that may come from lawsuits or similar claims. Liability coverage has mostly to do with financial support should you find yourself in this situation.
Some common types of cyber insurance liability coverage include:
- Privacy liability – Covers the defense and liability for failure to prevent unauthorized use and access of confidential information. It could also extend to personally identifiable information and confidential information of a third party.
- Security liability – Covers the defense and liability for the failure of system security to prevent or mitigate a computer attack. This includes, but is not limited to, the spread of a virus or a denial of service.
- Multimedia liability – Covers the defense and liability for media tort from online publication. This also includes libel, disparagement, misappropriation of name or likeness, plagiarism, and more.
Cyber extortion usually takes the form of a ransomware attack. This means that the cybercriminal will encrypt a victim’s files or threaten the release of sensitive data unless a ransom is paid. Unfortunately, this is a very common type of cyber attack and can cause a lot of financial and psychological damage to both the company and the individual targeted.
Internal Expenses and Court Costs
The insurer may have the right and duty to defend any claim brought against an insured or may indemnify the insured for reasonable costs incurred by the insured to defend a claim. In order to make this work, the insured will generally be required to cooperate with the insurer in the defense of the claim and provide to the insurer all information and assistance that the insurer reasonably requests.
What Does Cyber Insurance Cover?
These are some of the most common areas of cyber insurance that are covered:
- Coverage for privacy breaches other than those that are electronic or computer-related – This means that personal data may be compromised when paper records are lost, stolen, or improperly handled, resulting in an unauthorized disclosure
- Events that happened during the policy period but were not discovered until later – Depending on the wording of the policy, it may cover events that occurred during the policy period but were discovered after the expiration of the policy period
- Media in the control of others – meaning that cyber insurance may cover unencrypted media in the care or control of third-party processors
What Kinds of Data Are Covered by Cyber Liability Insurance?
Cyber insurance policies can cover some or all of the following types of data:
Personally Identifiable Information (PII)
This includes information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. It also generally includes a person’s name, address, telephone number, social security number, account balances, and passwords. It includes all information that is subject to the Family Educational Rights and Privacy Act.
Personal Health Information (PHI)
This is most commonly referred to as protected health information. It includes any information that contains individually identifiable health information and generally includes any part of a patient’s medical record. This includes health status, provision of health care, or payment for health care.
Confidential third-party/research information
Sensitive third-party data such as trade secrets, designs, forecasts, methods, formulas, and records that are in the care, custody, or control of an insured may be considered “confidential” or “protected” information. If an event occurs where there is an unauthorized disclosure of confidential or protected information, this is considered a breach of privacy.
Payment Card Information (PCI)
This includes the personal information held by a payment card brand to process a payment card transaction. It can also refer more broadly to the Payment Card Industry, including its rules, regulations, standards, or guidelines.
What Is Not Covered By Cyber Liability Insurance?
Cyber liability insurance does not cover every single possible loss that a business or an individual may incur.
Typical exclusions involve faulty security measures put in place by the business, poor employment practices that result in criminal activity, theft of trade secrets, unfair trade practices, and others.
Cyber insurance policies also typically exclude coverage for any incident or claim that arises from or is based on a willful, intentional, deliberate, malicious, fraudulent, dishonest, or criminal act or omission committed by the insured. The general intent of this exclusion is to prevent the insured from receiving a financial benefit for committing an unlawful or dishonest act.
How to Buy Cyber Insurance
There are many cyber insurance providers available on the market, but that doesn’t mean that each one is the right option for you. Here are some ways that you can efficiently buy cyber insurance:
- Work with an experienced broker – An effective broker should have a strong, comprehensive grasp of the scope of an organization’s cyber risk; understand and explain how this risk is quantified; provide recommendations on insurance carriers or policies that might be a good fit for the organization; and obtain appropriate coverage and favorable pricing.
- Conduct a security risk assessment of your business – A risk assessment provides greater transparency into the organization’s cybersecurity controls and helps the organization identify vulnerabilities and potentially make changes to areas in need of improvement, which, if properly implemented, could result in a premium reduction.
- Implement your own security controls to reduce the premium – Cohesive and interconnected corporate practices geared around people, process, and technology-related cybersecurity improvements reduce risk and can lead to lower premiums.