Cyber risk is a growing threat to all companies, regardless of their size. New threats emerge daily. It is increasingly difficult for business owners to protect their organizations against risks that have the potential to cripple—or even shutter—companies with limited resources. The best way to counteract the expanding landscape of cyber threats is with an integrated cyber risk management strategy—one that includes risk assessment, risk mitigation, and risk transfer through cyber insurance.
Cybersecurity plus cyber insurance equals balanced risk management. It’s not one or the other. No cybersecurity program can eliminate all cyber risk to a business. That’s why you also need cyber insurance—to pick up where the security program leaves off by providing coverage for risks that cannot be mitigated.
When combined, cybersecurity and cyber insurance work together to create balanced risk management that reduces costs and improves your company’s overall risk posture. But not all senior leaders are yet taking a strategic approach to cyber risk management. More than two-thirds admit they haven’t purchased cyber insurance because they don’t understand their risk exposures.
The basics:
What Is Cyber Insurance?
Cyber and privacy liability coverage is a form of insurance meant to provide organizations with financial security against the risks associated with conducting business in a digitized world and evolving regulatory environment. While cyber insurance coverage doesn’t help you identify or eliminate cyber risks themselves, this special type of policy provides a remedy and financial safety net in the event a cyber incident occurs.
As cyber threats evolve, so does cyber insurance. There has been a trend in the insurance industry to standardize coverage types to provide consistency for both insurers and insureds. While standardization brings some benefits, it is difficult to create one-size-fits-all policies since the probability of loss due to cyber incident depends heavily on the overall cyber risk management practices of each individual organization—things insurance companies can rarely control. Industry innovators look to a future in which insurers can accurately evaluate companies’ cyber risk and loss potential in order to tailor policies to specific protection needs and budgets.
What it Covers:
A robust cyber insurance policy covers three main categories of financial risk:
- First-Party Expenses: This category includes costs that organizations would ordinarily have to pay to mitigate losses related to a data breach or privacy incident. Examples of first-party expenses are incident response and digital forensics services, PR services to manage reputational damage caused by a breach, notification to affected parties, and other expenses involved with directly responding to a cyber incident.
- Third-Party Expenses: This category covers costs associated with defending liability claims and/or fines and penalties assessed by regulating authorities. Examples include legal fees to defend lawsuits against the company and fines for violating HIPAA regulations.
- Cyber Crime Costs: This category deals with financial losses resulting directly from criminal activity. An example is the theft of funds as a result of digital fraud.
Note: Though referred to as “cyber” coverage, this type of insurance can also cover claims arising from non-digital perils (think: theft or damage of physical records containing sensitive data).
When assessing the strength of a cyber policy, it’s a good idea to look for coverage pertaining to the following common issues:
- Cyber Extortion: Ransomware attacks are a prevalent form of cyber extortion.
- Social Engineering: Phishing and spear phishing campaigns are types of social engineering.
- Business Interruption: Losing revenue from downtime caused by a cyber incident constitutes business interruption.
- Virus Transmission: End-to-end coverage applies from discovery to removal of a virus, even if the virus spreads before being removed.
- Liability Implications: Legal fees and regulatory fines comprise typical liability costs.
What it Doesn’t:
While cyber insurance provides financial protection for businesses with respect to their digital assets, it doesn’t cover every possible risk and cost. Some things a typical cyber insurance policy might exclude are:
- Upgrades: If you suffer a data breach and decide to upgrade your systems afterward to prevent future incidents, your policy may not cover the upgrades.
- Future Profits: Cyber policies don’t usually cover potential future profits that may be lost—due to reputational damage caused by a breach, for example.
- Decreased Valuation: If a cyber criminal steals intellectual property and the theft results in a decrease in the company’s valuation, a cyber insurance policy may not cover the loss.
How to Get it
Though the industry has seen some standardization, cyber insurance policies still vary, and not all of them provide the type and depth of coverage you might need for your business. For expert guidance on policy options and costs, your best bet is to speak with an insurance professional who can help you tailor cyber coverage to the specific needs of your business.
If you already have cyber insurance and want to review your policy to make sure it covers the appropriate risks at the right level for your business, contact Trava’s team of licensed cyber insurance brokers for a free consultation.
If you don’t have cyber coverage yet, now is the time to consider adding a layer of financial protection to your risk management plan. You can get free quotes from up to eight different carriers in a matter of minutes using Trava’s cyber quoting tool.
Insurance brokers, let Trava uncover cyber risks and help patch them before you write a policy.
