What You Are and Aren’t Responsible for Under Cyber Risk Insurance

Kaitlyn Graham | March 30, 2021 | tag: Cyber Insurance

It’s not hard to justify why you need property insurance when you’re surrounded by your physical goods that you don’t want to be lost or damaged in your home or business. So why isn’t cybersecurity the same?

Cyber risk insurance is often not considered until it’s too late. Imagine you’ve discovered malicious software present on your network, like a ransomware attack on employee information or a backdoor breach through a third-party access point. Without cyber risk insurance, your organization is solely responsible for all of the resources and monetary needs to remediate your systems and respond to the attack.  

Definitely not ideal for any organization dealing with growing attack surfaces and increasingly sophisticated recent hacking attempts.

 

What is cyber risk insurance?

 

Cyber risk insurance protects an organization from security & privacy events by covering the cost to recover from a data breach, virus, or other form of malicious cybersecurity activity. Besides aiding your organization in your own recovery, cyber insurance is also important to support and defend your organization from legal liability from those affected by the breach. This could potentially come from customers, employees, partners, third parties, and anyone connected to your network who is affected and potentially had their data exposed.

 

Coverage Explained

 

It’s important to match your expectations with reality when deciding on cyber insurance for your organization. Where are the risks most prominent on your network, and who could be impacted by a breach?

In short, every organization is vulnerable to a cyber incident, and even if the data you store on your network isn’t particularly desirable to hackers, it is likely that sensitive data may reside with your third party providers

Like other insurance coverages, cyber risk insurance covers a common set of scenarios, but there are situations where an organization can still be exposed. Most insurers offer similar coverage options, however a few offer less-common ones. Here is a breakdown of what is covered, and not covered, with cyber risk insurance:

When you can expect coverage

  • Data breach or Distributed Denial of Service (DDOS) attack that brings down your network
  • Malware infection that spreads through devices connected to your network, making it impossible to operate
  • Extortion demands made by bad actors holding sensitive information they are threatening to expose
  • Ransomware demands that lock up devices and threaten to leak sensitive data
  • Business-email compromise resulting in sharing sensitive information 
  • Liabilities associated with contractual obligations, including within the payment card industry (PCI) Fines & Penalties
  • Defending against class-action lawsuits and paying settlements
  • Legal expenses, fines, and penalties associated with regulatory investigations
  • Lost business profits, accrued expenses, and extra costs while actively experiencing a cyber incident, either due to malicious hack or human error
  • Media liability associated with infringement and other content that is electronically disseminated
  • Losses due to social engineering fraud tricking you or your employees into sending funds you shouldn’t have
  • The business profit lost due to reputational damage to your brand soon following a publicized cyber attack

For many of the scenarios above, these can also be triggered by trusted third-party vendors whom you are sharing data with and/or rely on for critical business operations.

When you aren’t covered

  • When physical company property is damaged or destroyed, even if it holds sensitive data 
  • The lost value to an organization due to theft of intellectual property 
  • The loss of potential future company profits

 

Beyond covering first and third-party costs associated with the above scenarios, cyber insurers also offer customers a vetted list of providers they can work with. These providers can be: pre-breach - like BitSight - to help organizations better understand their security posture and prepare themselves to be more resilient to a cyber event; post-breach providers like a legal firm who acts as a “breach coach” helping clients navigate through an event; forensic service providers, public relations companies, and more. You should try to align yourself with an insurer that has both a comprehensive set of coverages they provide and also a panel of expert vendors you can work with to prepare, prevent and protect yourself from a cyber event.

Like other types of insurance, cyber risk insurance often requires organizations to prove they are taking some sort of action to protect their network against threat actors. If an organization doesn’t protect their network at all, they might not be approved for insurance, or be charged a high rate, similar to how if someone has a riskier health behavior like smoking they might be given a higher health-insurance monthly cost.

BitSight Security Ratings are a great way to prove your cybersecurity protection efforts to a cyber risk insurance provider. Presenting an objective view of your network’s cybersecurity posture will give your potential insurance provider a trusted view into what your organization does to protect from threats, and will make securing a cyber risk insurance policy smoother. 

 

Real examples happening around us

 

There are countless real-world cyber incident examples where organizations have suffered financial, reputational, and operational losses due to a seemingly small vulnerability. Just look at the recent Microsoft Exchange Hafnium breach that affected thousands of organizations around the world.

 

Hafnium GIF (1)-1

Organizations trusting their sensitive email conversations and contact information stored in the Exchange servers were left scrambling to update their devices and patch their systems from a vulnerability that occurred on a seemingly cybersecurity-focused corporation like Microsoft.  

You can’t ignore the possibility of a compromise to your network any longer. With large, well-funded, global organizations being targeted by malicious actors, it is less of a “if” a cyber incident will occur and more shifting to a “when”. Organizations rely on cloud management services to facilitate company operations and stay competitive in their industry. Preventing attacks to your network is now becoming just as vital to organization success, as well as not letting an attack completely drain your organization’s funds.

 

Insurance that you can trust

 

Even if you have a mature, established security management system, your network is subject to the performance of your vendors’ cybersecurity management practices as well. Gaining full visibility in the threats on your network, including your vendor risk landscape, will help prepare you for the level of cyber risk insurance you need. Accurate data on your vendor risks can also help you stay informed if your vendors are meeting their cybersecurity requirements potentially listed out in your contract, or in a recent audit. 

BitSight Security Ratings provide an external view of the risks to your network, as well as third parties and partners with integrated systems. Utilizing security ratings to get a complete view of your network now can help reduce potential cyber risk insurance claims in the future.

 

3 Ways to Get the Most Out of Your Security Investments

Suggested Posts

What You Are and Aren’t Responsible for Under Cyber Risk Insurance

It’s not hard to justify why you need property insurance when you’re surrounded by your physical goods that you don’t want to be lost or damaged in your home or business. So why isn’t cybersecurity the same?

READ MORE »

The Financial Impact of SolarWinds: A Cyber Catastrophe… But Insurance Disaster Avoided?

The SolarWinds breach is already one of the most significant cybersecurity incidents ever. And as with any unprecedented cyber event, this will have long-term effects on the way businesses and government consider their security...

READ MORE »

A Security Score vs. A Security Rating: What’s The Difference?

This post was originally published July 18, 2016 and has been updated for accuracy and comprehensiveness.

READ MORE »

Get the Weekly Cybersecurity Newsletter.