Cybersecurity insurance (cyber insurance) is a product that enables businesses to mitigate the risk of cybercrime activity like cyberattacks and data breaches. It protects organizations from the cost of internet-based threats affecting IT infrastructure, information governance, and information policy, which often are not covered by commercial liability policies and traditional insurance products.
Cyber insurance coverage works the same way as businesses would purchase insurance against physical risks and natural disasters. It covers the losses an enterprise may suffer as a result of a cyberattack.
Why Is Cyber Insurance Important?
Cyber insurance is increasingly becoming essential for all companies as the risk of cyberattacks against applications, devices, networks, and users grows. That is because the compromise, loss, or theft of data can significantly impact a business, from losing customers to the loss of reputation and revenue.
Enterprises may also be liable for the damage caused by the loss or theft of third-party data. A cyber insurance policy can protect the enterprise against cyber events, including acts of cyber terrorism, and help with the remediation of security incidents.
For example, hackers breached Sony’s PlayStation Network in 2011 and exposed the data of 77 million users. The attack also prevented PlayStation Network users from accessing the service for 23 days. Sony incurred costs of over $171 million that could have been covered by cyber insurance. However, it did not have a policy, so it had to shoulder the total costs of the cyber damage.
How Does Cyber Insurance Work?
The cybersecurity insurance process works in a similar way to other forms of insurance. Policies are sold by many suppliers that provide other forms of business insurance, such as errors and omissions insurance, liability insurance, and property insurance. Cyber insurance policies will often include first-party coverage, which means losses that directly impact an enterprise, and third-party coverage, which means losses suffered by other enterprises due to having a business relationship with the affected organization.
A cyber insurance policy helps an organization pay for any financial losses they may incur in the event of a cyberattack or data breach. It also helps them cover any costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and refunds to customers.
What Risks Does Cyber Insurance Cover?
Insurance for cybersecurity typically includes first-party coverage of losses incurred through data destruction, hacking, data extortion, and data theft. Policies may also provide coverage for legal expenses and related costs. Although policies may vary by provider and plan, the main areas that cyber insurance covers include:
- Customer notifications: Enterprises are usually required to notify their customers of a data breach, especially if it involves the loss or theft of personally identifiable information (PII). Cyber insurance often helps businesses cover the cost of this process.
- Recovering personal identities: Cybersecurity insurance coverage helps organizations restore the personal identities of their affected customers.
- Data breaches: incidents where personal information is stolen or accessed without proper authorization.
- Data recovery: A cyber liability insurance policy usually enables businesses to pay for the recovery of any data compromised by an attack.
- System damage repair: The cost of repairing computer systems damaged by a cyberattack will also be covered by a cyber insurance policy.
- Ransom demands: Ransomware attacks often see attackers demand a fee from their victims to unlock or retrieve compromised data. Cyber insurance coverage can help organizations cover the costs of meeting such extortion demands, although some government agencies advise against paying ransoms as doing so only makes these attacks profitable for criminals.
- Attack remediation: A cyber insurance policy will help an enterprise pay for legal fees incurred through violating various privacy policies or regulations. It will also help them hire security or computer forensic experts who will enable them to remediate the attack or recover compromised data.
- Liability for losses incurred by business partners with access to business data.
Cyber Risks Excluded From Cyber Insurance Coverage
A cybersecurity insurance policy will often exclude issues that were preventable or caused by human error or negligence, such as:
- Poor security processes: If an attack occurred as a result of an organization having poor configuration management or ineffective security processes in place
- Prior breaches: Breaches or events that occurred before an organization purchased a policy
- Human error: Any cyberattack caused by human error by an organization’s employees
- Insider attacks: The loss or theft of data due to an insider attack, which means an employee was responsible for the incident
- Preexisting vulnerabilities: If an organization suffers a data breach as a result of failing to address or correct a previously known vulnerability
- Technology system improvements: Any costs related to improving technology systems, such as hardening applications and networks