Modern horror stories begin with seemingly simple sentences. “I can’t get into my computer. There’s an error message, something about my files being encrypted.”
From a business perspective, this could be the start of an extraordinarily expensive event, one that could easily cost your company hundreds of thousands of dollars. A data breach or ransomware event means lost revenue, potential lawsuits, and expenses that add up quickly as cyber remediation experts are hired, security tools are deployed, ransoms are negotiated, and end-of-life equipment is finally replaced.
At Ingalls, we understand cybersecurity attacks. Since 2010, we’ve been in war rooms and boardrooms, investigating computer networks targeted and attacked by criminals and nation-state sponsored hackers. This experience gives us a powerful edge. We’ve seen too many companies that have been breached, those that had insurance coverage and those that did not, and we’ve seen the difference insurance has made to their ability to resume operations.
As with any expensive catastrophe, insurance companies have created plans to help cover unexpected losses in exchange for monthly premiums. Cyber insurance policies, though still evolving in a dynamic technological and legal landscape, have become a common offering as more and more businesses look to mitigate the risks of operating in a world of rising cyber crime.
The State of Cyber Insurance
Cyber insurance, like the cybersecurity programs that came before, is increasingly becoming a normal and necessary part of the risk mitigation plan for any company looking to protect itself from disruption and potential losses.
Although the market is relatively young, approximately a third of US businesses are now carrying some form of cyber insurance, and the total value of coverage carried by companies has grown by billions of dollars. As more and more companies begin to price and compare cyber insurance policies, business managers and executives need to know what to look for. What’s covered? What isn’t covered? What caveats, exceptions, and surprises are hiding in the fine print? Although the precise details of a cyber insurance policy will vary, certain coverage areas and categories have increasingly emerged as a sort of unofficial standard in the industry.
Types of Coverage
Most policies will differentiate between first-party and third-party coverage. First-party coverage compensates for losses incurred by your business as a direct result of a cyber attack, while third-party coverage compensates for expenses incurred due to any legal proceedings resulting from the attack, such as fines or lawsuits.
Although any business can benefit from both types of coverage, third-party coverage is well-suited to industries that are subject to greater regulation, which may explain why the cyber insurance adoption rate is highest among healthcare providers, with over two-thirds carrying a policy.
Beyond explicit first- and third-party coverage, you may see reference to “silent cyber insurance”, which refers to instances where traditional property and casualty insurance policies cover some losses created by cyber attacks. For example, an attack that disables computers at a hospital may disrupt smart-medication cabinets and cause time-sensitive medications to expire before they can be dispensed. In such a scenario, the cost of replacing spoiled medications may be covered under the hospital's disaster insurance. However, businesses should not rely on this type of implicit benefit from traditional plans, as property and casualty policies have increasingly begun to explicitly exempt cyber attacks from coverage, preferring to address those scenarios in a separate policy.
Cyber insurance policies typically divide protection into distinct insuring agreements, each one of which covers a specific aspect of the damages from a cyber attack. The five most common coverage areas are network security, privacy, interruption to your business, media liability, and errors and omissions.
Network security coverage is the broadest area, and is primarily concerned with first-party type expenses such as hiring a cybersecurity response firm, paying a ransom, and the costs of restoring data or notifying customers. Privacy coverage relates to expenses incurred if, for example, customers file a lawsuit over stolen personal information, or if a regulatory agency imposes fines for failing to effectively steward customer information. Network business interruption coverage is designed to address costs incurred if network outages caused by a cyber attack require the outlay of extra expenses to continue business operations. Media liability coverage deals with any damages from intellectual property infringement (although it typically excludes patent infringement) resulting from advertising of your services. Finally, errors and omissions coverage deals with potential allegations of breach of contract or negligence should a cyber attack prevent your business from meeting contractual obligations to your customers. Other, less common coverage areas such as social engineering coverage or reputational harm coverage may be present in specific policies, and the combination of coverages you look for should be appropriate to your business’s risk profile.
What This Means For You
With the rising costs of ransomware and other cyber crime attacks, cyber insurance policies make good business sense and should form one part of your risk management strategy.
If you already have a policy, you may find yourself looking to change or increase your coverage.
If your business doesn’t already have a cyber insurance policy, chances are good that you’ll be in the market for one in the near future.
A clear sense of your business’s needs should inform your policy selection process. Are you a highly regulated financial or healthcare provider who needs significant third-party coverage to offset potential fines? What are your expected first-party losses in the event that your business is taken offline by cyber criminals?
Everyone benefits from network security coverage, but what other coverage areas are most appropriate for your business continuity plan? These and other questions can help you select a policy that will provide real and meaningful protection in an increasingly risky cyber landscape.
Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.
About the Author
Jon Lee, CCNA-Security