Cyber insurance: What are the considerations and challenges?

By David Dufour, VP of Engineering & Cybersecurity, Webroot

For business owners, connecting to the internet has been a blessing, allowing organisations the ability to grow at an unprecedented rate. However, such connection does have its drawbacks, namely cyberattacks. Business owners have come to accept cyberattacks as an eventuality, rather than a possibility. Executives can do their best to defend against attacks, such as implementing a robust employee training programme, but even with the most cutting-edge security solution in place, there is no such thing as being 100% secure.

As Forrester points out in its Now Tech: Security Awareness and Training Solutions, Q1 2019, “Even the most sophisticated technologies and well-crafted policies can be rendered useless when employees simply decide to — or unknowingly — break the rules. Because of this, and because many cybersecurity attacks are personally tailored to mimic daily, routine actions, it’s harder than ever to protect your workforce against today’s threats.”

Considering the fact that cyberattacks have become the norm for businesses, the need for cyber insurance has never been more vital. Having a policy that will provide financial compensation in the case of a successful cyberattack provides an additional sense of financial security to a business as insurers are able to reimburse organisations should they fall victim to an expensive ransomware attack or data breach.

What is cyber insurance?

According to Hiscox, cyber insurance is a form of coverage designed to protect your business from threats in the digital age, such as data breaches or malicious cyber hacks on work computer systems. Over the past decade, it has become a necessity as businesses of all sizes across the world are falling prey to cyberattacks and are having to pay hundreds of millions in compensation to partners and customers for their compromised data. However, what companies will struggle to pay for is the impact on brand reputation and regaining customer trust, two things that insurance cannot directly recover. Cyber insurance is required because it is rare for an insurance provider’s general liability coverage to include nontangible assets – such as data – as they’re not considered ‘property’. No cyber insurance policy will work without a robust, preventative cybersecurity strategy in place to keep businesses running smoothly through modern threats.

Cyber insurance typically falls under two categories, although some policies will incorporate both:

  • First-party insurance: This type of insurance provides compensation for damages that directly affect a business, such as the cost of data recovery.
  • Third-party insurance: This type of insurance covers damages to other people or business partners of the targeted business, such as stolen customer data.

Cyber insurance may cover costs associated with the following items:

  • Legal fees and expenses
  • Notifying affected customers of a breach and protecting their identities
  • Business interruption, downtime and lost revenue
  • Recovering compromised data
  • Repairing damaged networks, computers and systems
  • Public relations or crisis communications support

Organisations need to consider several factors when selecting the most appropriate cyber insurance policies. The top priority is ensuring that an organisation’s existing cybersecurity network is as strong as it can be. When a business is attacked and it submits a claim, in line with their insurance policy, insurers will look to see if the claimant has taken the correct steps to protect their data and infrastructure. The insurer has the right to refuse payment if they find that the victim did not take appropriate measures to secure their assets.

In fact, providers have a specific exclusion for negligence written in their policy language, and this can catch organisations out. The now infamous Equifax fell afoul of this, failing to demonstrate strong cybersecurity measures and now having to pay $700 million plus more than $100 million in recovery costs.

Does cyber insurance cover ransomware?

Ransomware, a now common type of malware that encrypts a business's sensitive data and holds it to ransom, is a major concern for many businesses thanks to the tremendous disruption that it can bring to an organisation and its supply chain. Cyber insurers are aware of the rise of reported ransomware attacks and are now taking them into account, offering payment that covers the cost of downtime associated with getting an organisation back up and running.

Unconditional coverage is never guaranteed. A recent incident saw cyber insurance coverage denied after an attack from the NotPetya ransomware strain. The ransomware attack was determined to be an “act of war,” exempted from coverage under a clause of the insurance policy. Although the legal territory is still somewhat uncharted, it’s likely that restrictions will continue to come into play with other types of cyberattacks as well.

Insurance coverage is not a substitute for a security program

Just like you wouldn’t leave your door unlocked simply because you have home insurance, cyber insurance should not serve as a reason to divest funding from security planning and strategy. Additionally, while cyber insurance may reimburse costs, it cannot mitigate the reputational damage incurred by a breach or a security incident. Insurance will not reinstate trust from clients and customers post-breach.

Security teams should get involved early in the insurance process

While the conversation about insurance is often led by financial divisions of a company, such as at the C-suite level, the security department should be involved at the very start to help draw up policies and expected coverage levels. No one will have a better understanding of the technical language and definitions within a cyber insurance contract than the CISO, or other members of the security team. The security team is also more qualified to identify important exclusions that may be slipped into the policy and can advise accordingly. To ensure the policy has the right inclusions for a specific organisation’s needs, security must be a valued partner through every step of the evaluation and purchasing process.

With organisations under attack more than ever, cyber insurance is vital for any business looking to survive a data breach or malicious cyberattack. All considerations and challenges must be weighed up to ensure that organisations are giving themselves an extra layer of protection financially, if not reputationally. An insurance policy helps, but only if a business can avoid major mistakes that can escalate the costs associated with data breaches.