While no organization ever wants to find itself in the position of needing to use its cyber insurance, the only thing that is worse is finding coverage is not available because of the policy’s provisions. For a general counsel (GC) trying to mitigate risk, that is a nightmare.
As an additional layer of protection and a major investment for an organization, a cyber insurance policy should be the last thing you want to worry about – especially when it is needed most.
Regardless of the carrier or the amount of available coverage, every cyber insurance policy should be scrutinized before signing on the dotted line. This cyber insurance coverage checklist will help make sure you find a policy that suits your organization’s needs.
Why Purchase Cyber Insurance?
Should you find yourself a victim of a cybersecurity or data privacy breach, cyber insurance helps reimburse an organization’s liability costs. You also need cyber insurance to meet industry-specific regulations, like HIPAA for healthcare. Customers or organizations may require you to have a CI policy in order to work with them.
A survey of 2,650 risk management experts ranked cyber incidents as the biggest risk to their organizations in 2022. With cyberattacks on the rise, organizations need to protect themselves to mitigate risks.
Since the world of cybersecurity and data privacy continues to evolve, be sure to check with your insurer as to what is covered and what is not.
Cyber Insurance Coverage Checklist: 7 Things Every Cyber Insurance Policy Should Have
Your cyber insurance coverage should be tailored to your unique organizational needs and risk profile. When evaluating a policy, your checklist should include these seven items:
- Ransomware payments and recovery: This includes the ransom paid to an attacker and other expenses including hiring a negotiator.
- Data restoration: This covers restoring damaged data and software destroyed by malware or any other cyber attack.
- Loss of income: This includes recovering lost profits, fixed expenses, and other costs while your network is down as well as costs to restore operations. Some policies include coverage for lost profits from reputational damage or decreased valuation.
- Legal expenses and fees: This includes costs related to legal representation for your organization in the event of a lawsuit brought against you in the wake of an attack. Some policies will also cover penalties, fines, or hearings from regulatory agencies.
- Data breach notification: This includes costs associated with notifying anyone affected by the data breach. Some regulations require businesses to notify consumers who are affected.
- Digital forensics after a breach: This includes the cost of investigating, isolating, and removing a threat. It also covers the costs of hiring cybersecurity professionals to get a clear picture of the size and scope of a breach and to help get your cyber and data security programs up and running stronger than before.
- Fraud and credit monitoring: This includes credit monitoring costs and costs associated with creating a call center for impacted customers.
If you provide services to others or connect to other networks, you may also want to consider third-party cyber liability coverage to protect you in case an error or omission on your part causes damages to others.
Find Out What Else You Need to Know About Cyber Insurance Coverage
Download our free e-book, “A Compendium for Obtaining & Retaining Cyber Insurance.”
What A Cyber Insurance Policy Will Not Cover
Even with a robust cyber insurance policy in place, not everything is covered. Some things generally excluded from policies that every General Counsel should look for include:
- Physical damage or loss: You will need general liability insurance for this.
- Internal theft, fraud, or criminal activity: Attempting to defraud your insurance company leads to your claims not being covered and potential legal action against you from the insurer.
- Systems upgrades: You are responsible to pay for upgrades to your cyber security and data privacy program.
Of note, some policies limit flexibility with partnerships and service providers and require you to use only vendors on their approved list.
The Most Frequent Cyber Insurance Claims
One of the biggest reasons organizations take out cyber insurance policies is the threat of ransomware attacks. The average ransomware payment rose 82% over the past year with ransomware attacks increasing by more than 150%.
In addition to ransomware, the most frequent cyber insurance claims by organizations in 2021 include:
- Data breaches
- Data privacy liability
- Network business interruption
- Regulatory costs
The top cause for these breaches? Human error stemming from phishing attacks or employee negligence.
Cyber Security Insurance Policy Costs
While recognizing its importance, the #1 question most organizations have when considering coverage is: what does a cyber security insurance policy cost?
In short, the costs vary because of a variety of factors, such as:
- Organization size
- Risk profile
The average cost for $1 million of cyber insurance coverage is generally between $1,500-$1,700 per year or $125-$145 per month. Most policies have a $5 million limit.
Lowering Cyber Insurance Premiums
With increased threats, cyberattack insurance premiums are rising significantly, as much as 50% or more per year. In some cases, exclusion lists are growing, as well as coinsurance and sublimits. With rising payouts by cyber insurance providers, they are looking even closer at claims to mitigate their losses.
Cybersecurity insurance coverage will generally pay out for ransomware attacks if the organization opts to pay the ransom. In this case, it is likely policy premiums will rise significantly, at least double (or higher).
There are ways, however, to lower your cyber insurance premiums. By proactively managing your cybersecurity, regularly testing your security posture, and employing industry best practices, you can better control your insurance costs.
Best practices include:
- Obtaining industry certifications and attestation reports
- Conducting internal audits
- Performing regular penetration testing
- Implementing a strong password policy with MFA
- Encrypting sensitive data at rest and in transit
- Controlling personal data accessed, stored, and transferred
- Deploying a zero-trust architecture (ZTA)
- Having active intrusion prevention and threat intelligence
Cybersecurity Partner: Another Layer of Protection
Cyber insurance often has terms and conditions to maintain coverage or keep premiums low. Failing to meet these terms and conditions can lead to claims being denied, significant increases in premium costs, or outright cancellation.
A cybersecurity and data protection partner can help you meet them. They can also help you develop defenses to avoid needing to use the policy in the first place or limit the damage.
Get Advice on Finding Cyber Insurance That Works For You
Contact us today to learn how our services can help you meet cybersecurity insurance coverage requirements.