In this day and age, cyber insurance is necessary for all businesses—small and large—because it helps reduce the cost that you could incur if you had a breach. However, not all cyber insurance is created equal, and it's important that you know what you are buying before you get a policy. At Black Hat USA 2019, there were three sessions on cyber insurance coverage. Each presenter shared different types of information regarding cyber insurance; however, they all agreed on two things:
- Cyber insurance cost is dirt cheap
- Contrary to the news, claims are paid
What Is Typically Covered/Not Covered?
When you choose a cyber insurance policy, make sure it includes both first-party and third-party coverage. First party pays when your action or inaction causes harm. Third party pays when the action or inaction of others causes harm. Costs associated with a breach coach, IT forensics, legal, notification, credit monitoring, public relations, data recovery, and in many cases, loss of income directly related to the incident, are typically covered. Typical exclusions include losses covered by other insurance, such as bodily injury or property damage; uninsurable events, such as war or terrorism; and costs that are against public policy to insure, such as regulatory fines.
Watch out for “gotcha” type language in your policy. Policies with exclusions like the ones below are dangerous and could result in non-payment:
- Failure to encrypt data (mobile devices)
- Failure to maintain, or take reasonable steps to maintain, security
- Coverage limited to website and internet activities only
- Widespread virus/spyware
- Failure to comply with PCI
- Wireless/Cloud (SaaS)
- Income loss/contingent business interruption
Involve IT and Information Security
Most of the time, insurance is purchased by your CFO, and this includes cyber insurance. A common pitfall is not involving IT or your information security department when answering the questions during the application process. The CFO may not be aware that the organization does not have a particular security control in place and inadvertently misrepresent the organization’s controls. This could make your policy null and void.
Know Your Policy
Understanding your cyber insurance policy and cyber insurance coverage limits is extremely important. The majority of policies have short time limits on when you can make a claim. This is different from other insurance policies the organization may have in place, where the organization can make a claim up to one year after the event where a loss was suffered. Cyber insurance policies have shorter reporting windows, and for valid reasons. If the time to identify and contain a breach—also known as the mean time to contain—is less than 200 days, it saves the organization $1.22 million on average (2019 Ponemon Cost of a Data Breach Report). This is why timing is important, and why a carrier would deny your claim if you failed to report the breach within the stated time period.
You will also need to understand how your insurance policy covers costs. There are two ways:
- Reimbursement
- Pay on behalf
Reimbursement means you will be allowed to choose your vendors to help you through an incident. You would then submit bills for reimbursement. This is less common now, as many of the carriers have already pre-negotiated costs with companies that would provide incident response services.
Pay on behalf is the most common way the insurance carriers cover costs. With pay on behalf, the insurance carrier has control over the costs and your organization will have less control over who you work with during an incident. However, you will have many services at your disposal.
Knowing how your insurance policy pays will determine what you need to include in your incident response plan.
Securing your assets is expensive. Your organization spends many resources implementing, maintaining, and monitoring security controls. Even with this investment, your organization is vulnerable to a breach. A good cyber insurance policy will transfer the cost of responding to a breach and can minimize the damage to your organization.