Learn the Basics of Cyber Liability Insurance
Or how to let someone else pay for cyber attack damages
In the dead of night, your phone rings. The first call goes by on silent, unnoticed. But the second one blares out at full volume, pulling you from a dream and back into the world.
“We need you at the office, someone broke into our servers and stole our customer database and now our accounting data is encrypted.”
But small and medium companies get broken into just as frequently; they’re just not important enough to make the news. For these fledgling businesses, a severe hack can eat up a year’s worth of profit or even bankrupt them altogether.
To protect against these unpredictable situations, your company should consider cyber liability insurance. A well-negotiated policy can cover most, if not all, of the damage caused by an attack.
What is cyber liability insurance?
The basic principles are the same as for the other, better-known kinds of insurance, such as car, home or health insurance.
By paying an insurance premium, a company transfers the risk posed by hacking threats over to the insurance company.
A good cyber liability insurance policy can potentially save your company from financial ruin and cover most or even all of the costs, including the following expenses:
- Data breach costs such as: notifying customers, investigating the causes of the breach, legal costs and regulatory fines.
- Interruption time incurred as the business attempts to fix the damage.
- Destroyed or lost data.
- Funds and money lost through electronic fraud.
- Damages incurred when a third party gets hacked. For instance, hackers break into a payment processor and then leak the data of your customers.
However, cyber insurance might not cover costs such as:
- Brand damage.
- Costs to improve security systems.
- Erosion of intellectual property.
What are the laws in your country concerning information security?
If there are industry standards and regulations in place for data protection, do your best to meet them. If you don’t, the insurer might throw out your claim after an attack by arguing that you had a legal obligation to implement security measures that could have prevented the damage. Since you failed to uphold your legal obligations, you bear some responsibility for the attack, which absolves the insurer (partially or completely).
What is your cyber insurance risk profile?
The first, and most important, aspect of a risk profile is to identify what sort of data is at risk in case of a hack. This can be card data for payment processors, electronic healthcare records for hospitals and clinics, or even email newsletter addresses for online newspapers.
Next up is the technical analysis of a company’s entire online security infrastructure and culture.
This is one of the fuzzier aspects of a cyber insurance risk profile, and one without industry-wide standards. Basically, each insurance company will create a risk profile based on its own criteria and standards. Most of these should be similar to one another, but a few will be particular to each insurer.
One of the closest things to a widely accepted standard is the Cybersecurity Framework released by the US NIST (National Institute of Standards and Technology).
When creating a cyber risk profile, an insurer won’t just evaluate how strong your infrastructure is, but also how exposed your company is to a cyber attack.
For instance, a company that has only a 10% chance of being targeted will command a cheaper insurance premium than one with a 65% chance.
Here’s a general overview of the criteria used to create your risk profile:
- Which of a company’s assets are vulnerable to hacking.
- An estimate of potential damages.
- What the chances are of the company becoming a victim of cybercrime.
- How an attack would impact business activity.
- What the chances are of a hack succeeding. This means assessing and evaluating the strength of a company’s security measures.
- How the company would respond to a successful hack.
What does a cyber liability insurance policy cover?
What are your cybersecurity needs?
The value of a company’s data varies from case to case, as does its security infrastructure.
In other words, insurers have almost no standard fees they use to calculate your premium. So both the insurer and the client company have to work together to correctly value the price of a consumer record, the services the client company offers to other businesses, and also its exposure to third-party providers (such as the firm that hosts the company’s servers and databases).
But the price also varies depending on how big the company is. The chances of a breach increase exponentially in a company with 100 employees compared to one with just 10. Similarly, a company with more servers and other infrastructure should expect its premiums to go up, since there are more moving parts that can break down.
Companies considering cyber insurance might be tempted to go for an “all in one” option, but this would be a losing proposition. For starters, some attacks require only minimal downtime and costs, such as a short DDoS that lasts a few hours. Trying to obtain coverage for these would only hike your premium, without offering much in return.
Instead, a company should insure against specific threats, such as ransomware or spear-phishing attacks. These are the threats a company is most likely to face, and the ones with the highest costs.
By being highly specific and precise in your demands, you can reach an optimum point that properly balances the cost of premiums and the overall coverage.
Another step you can take to reduce your premiums is to implement certain security measures. This builds confidence in the insurer that you take your security seriously, minimizing potential damage from online threats. It also diminishes the overall risk of taking you on as a client.
Here are just a few policies a company can implement to improve security infrastructure:
- Implement a company-wide two-factor authentication process.
- Conduct information security training courses for employees, especially certified courses.
- Use up-to-date security products.
- Implement security measures at the workplace itself. Limiting the access of strangers to company buildings or computers will reduce the chance of infection from malicious USB sticks or Wi-Fi sniffers.
- Frequent backups. Backing up your data once a day, as opposed to once a week, will cut down on how much information you lose in case of a successful ransomware attack. This reduces the coverage you need for data loss, and with it your premiums.
- A company-wide strong password policy. Ideally, every employee should use a password that is at least 10 characters long and contains both lowercase and uppercase letters, at least one number and a special character.
Here are some more resources you can use to upgrade your company’s security:
- Cyber Security for Small Business Owners
- Cyber Security for Beginners
- How to Secure a Business Network, Servers and Endpoints
Cyber liability insurance limits and sublimits
Now that we’ve covered the need-to-know basics of premiums, let’s look into the coverage you get for your money.
Cyber insurance offers come with a ceiling for damage coverage, which can vary depending on what sort of data you want to protect or the price you are willing to pay. For instance, say you have insurance coverage of $100,000, but the total damages you suffered from the hack come to $150,000. You’ll end up shouldering the extra $50,000 in damages.
For this reason, knowing the costs related to an information security breach is a must if you want to negotiate an insurance policy that can protect you in the worst-case scenario.
The retail store Target, for instance, had liability coverage of around $100 million, but the hack it suffered in 2013 casually went over that sum and reached almost $300 million.
Next up, be aware of any sublimits you might have.
For instance, let’s say you have total coverage of $100,000. But, out of that, you have a limit of $20,000 for legal costs.
If the total cumulative damage you incurred as part of the cyber attack is $80,000 but your legal costs came in at $30,000, then you will still have to pay $10,000 out of pocket to cover the legal expenses that are above the sublimit.
The article just above about the Target data breach has a clear example of this in action.
In Target’s case, its insurance policy only covered $50 million in credit card damages, so it most likely paid $36 million out of pocket when it settled with MasterCard for $67 million and with Visa for an additional $19 million (unless it had other financial arrangements).
Just as there is a maximum ceiling for covering damages, so too is there a minimum threshold that must be passed before the cyber liability insurance policy takes over. Of course, we’re referring to deductibles.
For example, you’ve signed an insurance policy for $100,000, with a deductible of $10,000. In this scenario, if the hack causes damage of $30,000, then you will have to pay the $10,000 deductible yourself, and the insurer pitches in with only $20,000.
Likewise, it’s possible to have deductibles for certain parts of the insurance policy but not others, or different ones per part. For instance, you might have a $5,000 deductible for legal expenses, but a $10,000 one for notification costs.
Understanding this interplay between deductibles, limits and sublimits is crucial if you want to obtain the best bang for your buck. Buying a dirt cheap cyber liability insurance policy with a $1 million coverage but a $15,000 general deductible is useless, if you keep getting hit by small ransomware attacks that cost you $2,000 to $10,000 per infection. In this case, you’re practically losing money twice: 1) on the insurance premium and 2) the cost of the breach.
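The interplay of aggregate limit, per-category sublimits and deductibles described in this section is easy to get wrong when reading a policy. The following Python model is an added example, not part of the original article and not any real insurer's terms: it assumes a simplified policy structure (per-category deductible, then per-category sublimit, then a general deductible, then the aggregate limit) and reproduces the article's worked numbers.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Simplified cyber liability policy (assumed structure, for illustration)."""
    limit: int                                        # aggregate ceiling per claim
    sublimits: dict = field(default_factory=dict)     # category -> max payout
    deductibles: dict = field(default_factory=dict)   # category -> deductible
    general_deductible: int = 0                       # applied to the whole claim


def settle(policy: Policy, losses: dict) -> tuple:
    """Split a claim (losses by category) into (insurer_pays, insured_pays).

    Order of operations is an assumption of this model: a per-category
    deductible is subtracted first, the per-category sublimit caps what is
    left, the general deductible comes off the sum, and the aggregate limit
    caps the final payout. Real policies spell this order out in their wording.
    """
    covered = 0
    for category, loss in losses.items():
        net = max(0, loss - policy.deductibles.get(category, 0))
        if category in policy.sublimits:
            net = min(net, policy.sublimits[category])
        covered += net
    covered = max(0, covered - policy.general_deductible)
    covered = min(covered, policy.limit)
    total = sum(losses.values())
    return covered, total - covered


if __name__ == "__main__":
    # Article's sublimit example: $100k limit, $20k legal sublimit,
    # $80k total loss of which $30k legal -> $10k out of pocket.
    print(settle(Policy(100_000, sublimits={"legal": 20_000}),
                 {"legal": 30_000, "other": 50_000}))
    # Article's closing point: a cheap $1M policy with a $15k deductible pays
    # nothing on a string of small ransomware incidents.
    print(settle(Policy(1_000_000, general_deductible=15_000),
                 {"ransomware": 8_000}))
```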
Choosing the right insurer
So you’ve done your homework, checked all the studies, done an audit, implemented security measures. You’re basically an infosec Rambo.
You’re ready to find an insurer, but where exactly do you start?
First of all, it depends on where your company is headquartered. The cyber liability insurance market is more developed in the USA than in Europe, the second most mature one. This means the US market has more developed legal wording, more mature data sets, a larger pool of insurers and better coverage.
Against that backdrop, you have to deal with the fact that the industry itself is still in its infancy. Offers aren’t standardized, so it’s difficult to compare the policy of one insurer to that of another.
This means your company will have to negotiate with each insurer in order to get the best possible price and legal wording.
If you don’t have expertise in the finance or legal field, then you should consider contacting an insurance broker. A good one will already be in touch with the market and know the strengths and weaknesses of each player, how they word their contracts and whether they are reliable or not.
How to make a business case for a cyber insurance liability policy to your superiors
So you’re the one lone person in the company who knows that information security is an important aspect of the business that should be taken seriously.
How can you, the last Mohican, convince your superiors and colleagues of the need to have a cyber liability insurance?
The best way to convince your superiors of the need for cyber liability insurance is to show them tales and figures of online crime: hard numbers that show how very real this danger is.
Unfortunately, there is no shortage of these. To put the threat of online crime into perspective, here are some of the numbers we’ve gathered for one of our recent infographics about major cyber threats:
- 61% of email traffic is spam.
- Phishing emails have a click rate of 12%.
- 15% of customers say they will discontinue a relationship with a company suffering a data breach.
- 76% of websites have a security vulnerability.
- More than 70% of businesses targeted by ransomware have paid the ransom to recover their data.
The statistics we’ve mentioned in this section are just a quick overview. If you want a more detailed look into the state of online security, check out some of the links below or search for other studies.
- Barkly Phishing Statistics
- Phishing Activity Trends Report
- Spear phishing statistics
- Verizon’s DBIR studies and reports
- Bitsight Statistics
- Datto’s State of Ransomware
- Kaspersky’s Report on Spam and Phishing Emails
- Sucuri Website Hacked Trend Report
- Google’s bad ads report
Cyber liability insurance can make all the difference when trying to cope with a major hack against your company or organization. It’s not just the coverage that will help you out, but also the preparation and diligence required to convince an insurer to take you on as a client. Oftentimes, the preparation itself will ward off most of the big threats out there.
Do you have any experience with similar types of insurance policies? It can be anything really, such as success stories, trustworthy (or untrustworthy) insurers, sublimits, deductibles and anything else!