The modern insurance industry sprang from trade between Europe and the New World in the late 1600s. All forms of insurance now benefit from hundreds of years of development, but in every case insurance is a function of risk assessment. As insurers gain more experience with the types of risks they insure, they are better able to offer products that address those risks.
Within the broader insurance industry, cyber insurance is a relatively new form of coverage. An organization seeking cyber protection insurance should ask its provider the following five questions to determine the provider's ability to assess the organization's risk level and provide the right level of cyber protection:
1. What does cyber protection insurance protect?
A cyber insurance policy can provide reimbursement for a covered party's direct losses and costs, including investigation of a data breach, legal and public relations expenses, lost profits and expenses due to network downtime, and the costs of notifying affected parties. It can also cover third-party liabilities, including legal costs to defend regulatory and class-action lawsuits, settlements, fines, and penalties. An experienced cyber insurance company should provide a thorough explanation of these coverages and the circumstances that give rise to them. That explanation should help a client understand why it needs cyber insurance.
2. What risks is an organization exposed to?
General liability insurance policies are typically underwritten as a function of a covered party's assets and revenues. Cyber risk is not as easily assessed. Cybercriminals develop new hacking tools and techniques every day. A cyber insurance company should remain abreast of these developments and should be able to match the risks they present to a client's network environment. Even a company with relatively low revenues may be exposed to cyber losses and liabilities that are orders of magnitude higher than its revenues. The insurer should match the product to the environment, not just to the revenues.
3. Where are the gaps and exclusions in the company's cyber insurance policy?
Few experiences are worse for an organization than believing that it has insurance coverage and then discovering that the coverage does not apply to certain situations. The prospective insured party should ask about coverage for newer forms of cyberattack, including ransomware and DDoS attacks. It should determine whether coverage provides reimbursement for bitcoin and other blockchain transactions that fall outside the standard definition of "legal tender". It should ask about e-commerce business interruption losses, and about exposure to liabilities for corruption of third-party systems that inadvertently originates from the covered company.
4. Are losses connected to personal mobile devices covered?
More companies are adopting a "BYOD" (bring your own device) policy that allows employees to use their own personal smartphones, tablets, and laptops for company business. Some cyber insurance policies may exclude coverage for losses and liabilities that stem from an employee's negligent use of his or her own device. If an organization has a BYOD policy, it needs to verify that those losses and liabilities are properly covered.
5. How much does cyber insurance cost?
Cyber insurance premiums vary with a client's level of risk and the extent of its desired coverage. A decision to procure cyber protection insurance is readily justified by a cost-benefit analysis that considers the catastrophic losses an organization might suffer in the event of a successful data breach on its networks.
Cyber insurance providers should answer these and any other questions an organization has when it is shopping for a cyber protection insurance policy. These policies are not commodity products; each one should be tailored to an organization's risks and to the losses it might face if any of those risks give rise to real losses and liabilities.