Cybersecurity incidents and cybercrime are on the rise in every sector of industry and against businesses and organizations of all sizes.
In connection with the increase in the number of incidents and attacks, the scope and impact of the incidents and attacks are also growing. With the rise in frequency and impact of cybersecurity incidents and cybercrimes, many companies are left wondering when (not if) they will be targeted and how large of a cost it will be. Costs associated with investigating, mitigating, remediating, and notifying of a cybersecurity incident or cybercrime can be substantial, and most businesses do not have the operational funds available to cover such costs when they suddenly arise. In order to hedge their bets, these companies are looking to cyber liability insurance policies to transfer these costs, and the risks they pose, from themselves to their insurance carriers.
Similar to traditional types of insurance, cyber liability insurance is intended to provide relief in the event of a loss or liability event. In the context of cyber liability insurance, the loss or liability event is often a cybersecurity incident or cybercrime. Cyber liability insurance policies often consist of first-party coverage, protection for the company from losses that directly impact the company, and third-party coverage, protection for losses suffered by other companies and individuals due to having a relationship with the impacted company.
Cyber liability insurance policies tend to vary depending on the provider and the policy, but generally, cyber liability insurance covers or has the potential to cover the following:
- Incident Investigation: Following discovery of a cybersecurity incident, companies need to engage a firm that can conduct a forensics investigation to determine what happened, how the threat actor was able to access the systems, and what data was accessed or exfiltrated. Cyber liability insurance helps businesses pay for the investigation, which can amount to a significant cost depending on the complexity of the systems, size of the organization, amount of data involved, and the sophistication of the incident or attack.
- Ransom demands: Ransomware attacks are becoming more common and usually involve a threat actor demanding a fee to unlock, return, or not publicly disclose sensitive or confidential data. Such ransom demands can range from tens of thousands to millions of dollars. While there is a difficult decision to be made regarding whether to pay the ransom or not, if a company chooses to pay the ransom, its cyber liability insurance coverage can help the company cover the costs of the ransom demands.
- Customer notifications: Businesses are usually required to notify impacted parties of a data breach, especially if it involves the loss or theft of personally identifiable information (PII). Cyber liability insurance can help businesses pay for this process.
- Mitigating impacts to personal identities: Cyber liability insurance can help businesses provide credit or identity monitoring services to impacted individuals, which helps businesses show that they are doing all they can to help mitigate the impact for individuals who trusted them with personal information following a cybersecurity incident.
- Data recovery: To the extent possible, cyber liability insurance policies generally cover the cost of recovery of any data compromised by an attack.
- System damage repair: Similarly, cyber liability insurance can cover the costs of restoring a business’s systems from a backup or rebuilding an impacted system to allow the business to return to full operational capacity.
- Costs associated with Data breaches: Cyber liability insurance can help businesses pay for certain other costs associated with a security incident or data breach, including legal fees and fees for information technology teams.
In addition to being aware of what a cyber liability insurance policy covers, it is also important for businesses who have or who are contemplating procuring cyber liability insurance to be aware of common exclusions featured in cyber liability insurance policies. Often excluded from these policies are issues caused by or due to human error or negligence, such as:
- Poor security processes: If a cybersecurity incident resulted from the company implementing and maintaining outdated, ineffective, or inappropriate security measures, the cyber liability insurance policy may not cover the incident.
- Prior Security Incidents: Security incidents that occurred before the business purchased the insurance policy are typically excluded.
- Human error: A security incident caused by human error of the company’s employees is often excluded.
- Insider attacks: A security incident that an employee of the company was responsible for or carried out is typically excluded.
- Preexisting vulnerabilities: If a security incident was caused by a vulnerability that was known to the company, which was not remedied, the incident may not be covered.
- Technology system improvements: Costs related to upgrading or improving the company’s systems and networks are not covered under cyber liability policies.
Cyber liability insurance is effective to manage and reduce the financial impact to a company in the event of a cybersecurity incident or cybercrime; however, it is not a substitute for having appropriate safeguards, policies, and practices in place to protect against a cybersecurity incident. And having such measures in place can improve the coverage available to a company—both in terms of scope and affordability—as cyber liability insurance carriers evaluate a company’s cybersecurity efforts when considering whether to bind a particular policy (i.e. as part of their underwriting and policy issuance decision-making process).
When looking to obtain a cyber liability insurance policy, there are several important considerations to ensure the policy covers the types of threats and costs the company may face due to a cybersecurity incident.
Certain industries and companies may be more likely to be a target of certain types of cyber-attacks. For instance, hospitals and law firms typically handle and store sensitive and confidential information. A hospital or law firm may likely be a target of a ransomware attack where a threat actor infiltrates the company’s systems to exfiltrate and encrypt the valuable sensitive data held by the company, threatening to publicly disseminate the information unless the company pays a substantial ransom amount. A utility company, on the other hand, may not have significant sensitive or confidential information of its customers and thus be less likely to be a target of ransomware attacks, but may be more likely to be a target of a distributed denial of service (DDoS) attack or cyber-attack that shuts down the services provided by the utility company, massively impacting a large number of people or entire geographic areas.
Similarly, depending on the industry and sensitivity of data typically handled by the industry, the costs associated with a cybersecurity incident may vary. The damages resulting from a cybersecurity incident involving sensitive data in the medical or financial industry can be significantly higher than a data breach of contact or shipping information in the logistics or courier industries.
Accordingly, businesses should carefully consider the sensitivity of the data they process, the risks of handling such data, the types of cybersecurity incidents and attacks they may be susceptible to, and the nature and scale of damages that can arise from a breach of the data they are entrusted with in considering a cyber liability insurance policy to ensure the types of cyber security incidents or attacks it may face, and the amount of damages it can expect are adequately covered under the cyber liability insurance policy.