Cyber insurance is one of the fastest growing sectors of the insurance industry. Less than a decade ago, there was much confusion around exactly what cyber insurance was and the utility of the coverage. Insurance companies, along with brokers, were often left in the position of trying to convince companies that they needed the coverage. Historically, this turned out to be unsuccessful.
Now, ransomware events and massive data breaches have become more widespread globally, so much so that stricter privacy laws have been implemented around the world that impose harsh penalties on non-compliant companies (see GDPR and California’s new privacy law), and lawsuits have been cropping up targeting companies’ boards.
With this in mind, cyber insurance is gaining more and more traction as an insurance coverage that is necessary to achieve seamless business operations. It has evolved, and continues to do so, to create coverage that responds to the ever changing threat landscape.
Right now, the cyber-insurance market is in its adolescence — rapidly changing, but also awkward, and not yet reaching its full potential. While many policies are currently available, many offer a lot less coverage than buyers would like.
The real cost of a threat
There are perhaps some large-scale businesses with sizeable IT infrastructures that may think they don’t require coverage – possibly to keep insurers at arm’s length out of fear of increased premiums or declination of coverage. But the threats are real, and the damage a company is exposed to from a network security event can be astronomical.
Take a fairly standard ransomware event. A bad actor deploys ransomware into a manufacturing company’s network environment which freezes up operations and deletes files until it receives its ransom payment. This could lead to direct revenue loss in a business interruption claim while operations are down and sales are halted.
There could be consequential damages if this causes supply chain issues with its partners who aren’t receiving necessary component parts, thereby leading to third party claims.
Additional costs could include:
- paying the ransom;
- restoring the deleted data;
- complying with any applicable breach notification laws which may include providing credit monitoring or credit restoration;
- the monetary cost of defending lawsuits brought by aggrieved third parties that have suffered as a result of the incident.
Then, there is the cost to reputation. Insurers have been responding to reputational harm exposure by providing coverage that responds directly. Most cyber policies provide first-party coverage for the expense of PR firms engaged to manage reputational harm. However, this coverage is meant to mitigate reputational damage, and does not consider the lost revenue a business may suffer as a result of a publicised incident.
Today, you will see more insurers providing business interruption coverage that continues until an insured’s business income has been restored to its pre-incident level, and so accounts for revenue lost due to an event, as opposed to the more traditional way of cutting off coverage when the network is restored.
There are pure reputational harm endorsements and policies that address this risk as well. There are even goodwill types of coverage that may allow a certain amount of coverage for coupons or rewards offered to customers in the wake of an incident in order to keep them happy. There are a myriad of options in the market to address a company’s concerns.
And so, with the cost of a single threat spiralling into potentially crippling realms, the need to pursue cyber insurance coverage becomes increasingly evident.
However, before trying to navigate what could be a potential minefield or diving feet-first into a bad decision, it’s imperative that businesses first take time to understand their individual needs.
Assess your needs
In this connected world, any company that conducts business utilising a connected network needs cyber insurance. There are some important factors a company should consider in assessing its needs:
- The nature of the business and the sort of threats that may be particular to the class of business;
- The types of data a company collects or processes and the sensitivity of that data;
- The contracts in place with business associates and what data they may have access to through joint business operations;
- The laws applicable in the jurisdictions in which the business operates;
- How susceptible a company’s operations are to a network interruption event, i.e. evaluate whether an interruption event would result in delayed vs. lost revenue, whether the revenue is subject to cyclical/seasonal risk, etc. For instance, health care providers may not have a great business interruption exposure, since a doctor can continue to see patients if the networks are down, but they handle the most personal sensitive data, and low-level employees have access to this data, so they are very high risk for a data breach.
For companies that have never suffered a major breach, knowing where to start assessing potential damage from such a breach could be daunting. But by taking a few smart steps, it can be done.
- Understand the types of data you hold. Only then can you really assess the notification costs in the event of a breach of that data.
- Understand how much revenue you would lose on a daily basis if an interruption event brought your operations down. While the average network outage is around 4 hours, many events last up to a week or more, and a company should factor that into its assessment.
- Look for coverage that responds to business income restoration as opposed to network restoration to account for reputational damage.
The fact is that today, a company’s management should understand that network security is a crucial part of the business, and no longer just an IT issue. This has really come home to roost as directors and officers litigation has been on the uptick with regard to network security.
Know your options
Traditionally, mid- to large-sized businesses will obtain cyber insurance through their brokers. However, the SMB market is a rapidly growing sector, and there are start-ups and less traditional models that are seeing opportunity in this growing space.
Typically, as with much of insurance, smaller companies will be confined to off-the-shelf policies, while larger businesses with broker representation can flex their muscles more to get custom-tailored coverage suiting their specific needs. However, many cyber policies offer a modular approach, which allows companies to select the coverages that match their specific business issues, e.g. system failures, business interruptions, or cyber extortion.
The reality is that there’s a revolution happening in the insurance industry right now, and the power has shifted to the customer. In a very short space of time, insurers aren’t going to be able to get away with bulk coverage and bulk exclusions, because disruptors are changing the game and resetting expectations around tailored, custom cover. For instance, some of the more disruptive insurtech players are already co-creating insurance products with their partners.
This drive towards innovation is a positive step forward for the insurance industry, with businesses poised to benefit from the slew of new-to-market options. But companies should also see the activity in this space as an alarm bell: the cyber risk is more urgent and more real than ever before, so assess what risk you truly are susceptible to in order to get appropriate cover.
Written by Graeme Dean, Head of Insurance at Cover Genius