What is Cyber Insurance and How Does it Work?
With the vast majority of companies’ sensitive data being online, the vulnerability for data breaches is obvious, especially now that cybercriminals are becoming more tactical and clever with their hacking approach. These factors have played into the upbringing of cyber insurance, where companies can manage their risk by buying policies to cover potential losses from data breaches. However, there are many speed bumps that come with buying cyber insurance. These are the 6 main questions that come with buying cyber insurance.
-
How Do Companies Decide What They Want Covered?
Before companies fill out applications to buy cyber insurance, they first need to find where they need to be covered. To do this, they need to find where their highest risks of data breaches are located and how much they need to be covered in each part. Some companies use the likes of private, experienced network security specialists to figure out where they need to buy insurance.
What Prices do Brokers Charge for Cyber Insurance Premiums?
Usually, there are 3 or 4 main questions insurance companies ask potential insureds before pricing a cyber insurance premium:
First Question: Industry
- What industry is your company in? Usually, insurers want to know what type of work your company does. This gives a clue to how much data you may be storing and how valuable that information may be. For example, an IT firm may have more quality and valuable information stored in their networks than a trucking company.
Profit
- How much is your company’s annual revenue? More income from a company attracts more cyber-criminals to their information stored online.
What kind of data do you have online and where? Insurers want to know where you are storing this data, and on how many different networks. Based on their judgment, the easier it is for cyber-criminals to extract this valuable information and more of it at once, the more the insurance premiums will cost.
Current Systems
- How much security does your company have installed to protect your sensitive data? What kind of security protocols do you have in place other than insurance to protect your security? How much training do your employees have from professionals to keep phishing scams and ransomware at bay? These types of questions are frequently on insurance applications as the insurers can gauge two things. How seriously a company takes cyber-security? How much are companies willing to put into top-notch cyber-security in terms of people, money, time, and resources?
-
What Type of Claims/Cyber Attacks do Insurers Usually Keep Out of Policies?
Typically, insurance companies will not cover thighs such as preventable security breaches, cyber-attacks due to negligence to maintain proper cybersecurity, an employee mistake with sensitive information, or any attack from an employee within the company. Other than that, there are other policies that may or may not be excluded, it is up to the individual broker for how much, if at all, they want to cover that policy.
-
So if the Company/Insured is Liable for any Breach, they Will Not be Covered?
In some cases, this is true, but not in every situation. An insurer may not cover an employee mishandling sensitive information, but the insurer may cover a simple mistake. This may include losing a device with information on it or losing information due a phishing scam. Every situation is different, and that is why insurers investigate every claim thoroughly. This is especially in cyber security as there may not be any physical evidence.
-
Speaking of Liability, What Constitutes First-party Liability vs. Third-Party Liability?
The difference between the two is who actually loses the data and who is actually responsible for the losses. In first party-liability policy, the insured is covered for any data breach they are liable for within their open company. To make it simple, if a company had their own sensitive information stolen and had a first-party liability policy, they would be covered. This is different from third-party liability, which is coverage for an insured that is liable for the data breach of information kept by another person or company. For example, if an IT company makes their money by creating private networks and software and encryption programs to protect their client’s private information, they may buy third-party liability. In this case, if their client has their data hacked, the IT company is liable. But third-party liability may cover them.
-
Not All Companies Know They’ve Been Hacked Instantly. When do Companies say that Their Coverage for a Specific Claim has Expired?
This is up to the insurers to determine when they feel it is within the proper scope of time after the insureds REALIZED the hack. This is important because it is not when the hack or attack actually occurs, since it may take a small-market company over 200 days to realize their systems are compromised. Insurers go by when the insurers have figured out they had lost sensitive data and information, and the timeline begins on that date. Insurers know that the first thing on companies minds is not to file a claim. Companies want to figure out the exact damages, enforce accountability, and re-secure/change the data security program first. Then, many companies will file a claim within a reasonable time frame. Most insurance brokers say about 6 months before carriers hand down warnings and coverage for that claim expires.
To Conclude
With cyber-attacks increasing significantly in the last 2 years through Ransomware and Business Email Compromises (BEC), having your data not only protected but insured is crucial in today’s modern corporate environment. Hopefully, these tips have helped with the frequently asked questions about the confusing intricacies of cyber insurance.
For more information about Cyber Liability Insurance contact a Risk Advisor or call 914-357-8444.