This brings us to today’s topic: cyber insurance. A fitting subject to discuss during cybersecurity awareness month.
Cyber Insurance Basics
First, the lingo. Cyber Insurance can sometimes be referred to as cyber risk insurance or cyber liability insurance coverage (CLIC). It is meant to protect businesses financially from internet-based risks. Should a cyber-related security breach occur, cyber insurance will offset the costs involved in recovery. These can include:
• Business losses due to network downtime, data loss recovery and costs involved in managing a crisis
• Forensic investigations after a breach to determine what occurred, how to repair the damage and how to prevent the incident in the future
• Data breach notifications to customers and other affected entities, typically required by law
• Legal expenses related to suits over release of confidential information, legal settlements and any regulatory fines
• Extortion fees, such as those that come from ransomware
Many cyber policies offer some combination of first-party and third-party coverage—covering both direct losses to the organization and claims against the organization by others impacted—such as clients or partners.
Purchasing Cyber Insurance
The first question you may ask is: should I get cyber insurance? For many organizations, the answer is yes. Any organization that stores and maintains customer, client, or patient information, collects online information, or uses the cloud should consider getting cyber insurance. For some companies, the cost of a cyber attack may not be a significant dent to the budget. For small businesses, however, a cyber attack can cost an organization $150,000 to $200,000, a cost which can be avoided via a $1 million plan costing $3,000 to $5,000 a year. A smart investment in my book.
So, how do you prepare for cyber insurance? Computer Weekly recommends starting by determining the expenses and types of events you want coverage for. Discuss this with all the relevant people to create a holistic list, and make sure to include information from third-party suppliers and partners. Include first-party costs and third-party costs (the costs others impacted by an incident may claim from your organization).
Another important early step is to create a cyber risk profile for your organization. A cyber risk profile means that you have assessed your organization's vulnerability to cyber attacks. This may involve engaging threat intelligence services or ethical hackers. For small organizations, a vulnerability assessment tool or penetration tester may be more feasible. Creating a cyber risk profile, in conjunction with training employees in security best practices, will both improve security and help in negotiating the price when purchasing cyber insurance.
What to Look for in Cyber Insurance
Okay. You’re prepared to purchase cyber insurance – but what should you look for in insurers? CIO.com suggests looking for the following:
• A stand-alone policy, which is typically more comprehensive than an extension to an existing policy
• A policy that is customizable to the organization
• Differences in deductible costs among different insurers
• Coverage for attacks in which your organization falls victim but was not a target
• Coverage and limits for first and third parties, i.e. whether policies cover both
• Coverage for non-malicious actions from an employee resulting in an incident
• Coverage for social engineering and network attacks
• A policy that includes time frames under which coverage still applies, since advanced persistent threats (APT) can occur over months or sometimes even years
Bolstering Your Cyber Security
Cyber insurance and beefing up the cyber security at your organization go hand-in-hand. Bolstering your cyber security reduces the likelihood of an attack or breach, lessening the likelihood that you will have to file a claim. This also provides you greater leverage when negotiating your rates for insurance, so the tighter your security the better your position. There are a variety of ways you can improve cyber security at your organization (for further reading on this you can check out some articles from Vaporstream’s CEO here and here), including introducing secure methods of communication that can assist during a breach.
To learn more about how Vaporstream can help with secure communications, contact us or view us in action.
Contributor: Kristi Perdue Hinkle