A cyber insurance policy transfers risk to an insurance company for losses involving a cyber breach. However, a cyber insurance policy is not a substitute for implementing adequate safeguards to secure an organization’s network.
Cyber insurance may include first-party coverage and third-party coverage. First-party expenses include breach notifications and business losses. Third-party coverage includes regulatory fines and lawsuit liabilities.
Scope of Coverage
A cyber insurance policy usually offers the following coverage options:
- Privacy Liability – Protection for unauthorized access or use of confidential information
- Regulatory Claims – Protection for when an incident violates a governmental statute or regulation
- Security Breach Response – Access to a 24/7 response team
- Security Liability – Protection for a security wrongful act, such as spreading a virus or preventing a third-party from accessing a system
- Multimedia Liability – Protection against allegations of online privacy torts, such as defamation, libel, slander, and invasion of privacy
- Cyber Extortion – Protection against extortion resulting from a network intrusion, such as ransomware
- Business Income and Digital Restoration – Pays for lost income and expenses from the result of an intrusion
- PCI DSS Assessment – Protection for non-compliance of PCI DSS and to help offset the cost for lost credit card data
- Terrorism Endorsement – Provides insurance according to the Terrorism Risk Insurance Act (TRIA) for a cyberterroism event
An insurance company expects that the organization will have certain security practices in place when obtaining a policy quote. A cyber insurance application usually requires the completion of a questionnaire about an organization’s security policies, contingency plans, and network defenses. Questions may ask about the following:
- Written security policies
- Training procedures
- Mobile devices
- Backup procedures
- Encryption of data
- Third-party outsourcing
- Anti-virus software
- Firewall protection
- Network vulnerability testing
- Security penetration testing
- Intrusion detection and prevention
- History of cyber attacks on organization
A question on the application may ask about specific details of an organization’s security practice. For example, a question may inquire if the anti-virus software is updated at least quarterly.
During the underwriting process, an insurance company may choose to perform an investigation, which includes ordering site inspections, conducting interviews, and reviewing documents. Also, the insurer may conduct an investigation during the processing of a claim.
Before getting a quote for cyber insurance, an organization should understand the types of threats that a policy should cover. Management should carefully review breach scenarios with security experts and legal counsel to document the types of losses that need coverage. Otherwise, an insurance company will not pay a claim that the policy does not cover.