A well-formed cybersecurity strategy is not only about the defenses put in place to stop adversaries. It is also about the resources an organization has to rely upon in the event of a breach.
Cyber insurance is relatively new in the world of cybersecurity. Though not an active part of the physical or virtual cyber defense that stops hackers from infiltrating a network or accessing data, it has become a vital component in an overall protection strategy at a time when recent events have shown that even the most costly and sophisticated defenses can be breached.
A financial safety net of sorts, cyber insurance provides funding in the immediate aftermath of an incursion or theft of data. Essentially, it prevents an organization from going into financial ruin because of a bad actor’s actions while furnishing a financial lifeline needed for recovery.
For an organization’s general counsel, understanding cyber insurance and how policies work is now as important as understanding existing cyber threats and the risks associated with not being prepared.
As cyber insurance is now practically a necessity for doing business, having a firm grasp of available coverage is essential to providing advice to an organization on protecting itself and reducing its liability from a cyberattack.
General Counsel Should Care About Cyber Insurance
As someone tasked with making sure an organization is protected from legal, financial, and reputational threats, a general counsel plays an important role in advocating for, and selecting, a cyber insurance policy. In addition to evaluating the policy and its provisions, the general counsel can also help determine if the coverage is appropriate and the best value for the dollar.
Cyberattacks are a very real and present danger to all types of organizations. Adversaries do not discriminate against who they target. As long as there’s the potential for a gain from infiltrating a network or stealing data, that’s reason enough.
The numbers tell a concerning story: Not only has the frequency of cyberattacks grown exponentially in recent years, the attacks are also becoming increasingly subtle, sophisticated, and targeted. In addition, the costs associated with recovering from an attack – generated by deep-dive investigations, fines, penalties, lost revenue, etc. – are going well beyond the $1 million mark.
Though an expense, cyber insurance minimizes the direct impact of a cyberattack on an organization.
What is Cyber Insurance? An Overview
Like any other form of coverage, cyber insurance is an additional layer of protection for a worst-case scenario. Having coverage can mean the difference between a successful recovery from an attack or breach, and bankruptcy or shutting down.
A funding source for both the immediate and long-term aftermath of an attack, cyber insurance helps organizations pay for the costs associated with an infiltration of their networks or compromised data such as:
- Repairing hardware
- Network damage
- Recovering stolen or corrupted data
- Ransoms and extortion payments
- Legal fees and fines
- Lost revenue
Cyber insurance breaks down into three categories of protection:
- First-party cyber liability insurance
- Third-party cyber liability coverage
- Cyber errors and omission insurance
First-Party Liability Coverage
First-party cyber insurance is the most common form of coverage organizations invest in. At their core, first-party cyber insurance policies serve as a funding source for the damages from a cyberattack, thus reducing the monetary impact of a breach on an organization.
During the first few hours and days after an attack, first-party cyber liability policies typically cover:
- Operational expenses
- Extortion fees (ransoms)
- Forensic investigations
- Notifying those affected by an incident
- Public relations efforts
In the weeks and months after an attack, first-party cyber liability policies cover the expenses of:
- Ongoing data restoration and recovery efforts
- Attorney and court fees
- Judgment claims
- Fines and fees for non-compliance
Third-Party Liability Coverage
Third-party coverage extends to those organizations that a business or company works with, and is liable for, such as its partners and vendors. In the event of a cyberattack against an affiliate, the primary organization is spared from some of the expenses of network infiltration or data compromise.
Be warned: third-party liability coverage does not provide the same level of protection as first-party liability coverage. Rather, it is an enhancement to the latter.
Cyber Errors and Omission Insurance
Addressing cyber risks from a different perspective, cyber errors and omission (E&O) insurance protects an organization should its products or services be the reason for a cyberattack against a user.
Similar to first-party cyber liability insurance, cyber E&O insurance provides coverage for expenditures such as legal fees, fines, and judgment claims. Such policies are, however, not all-encompassing, meaning they only provide coverage for the costs directly associated with the incident.
What Cybersecurity Insurance Does Not Cover
Having a cyber insurance policy is not a guarantee that an organization is immune from the financial impacts of a breach. Like other forms of insurance, there are elements of an incident that are simply not covered.
When looking for comprehensive coverage, be aware that cyber insurance policies usually do not provide coverage for:
- Employee negligence
- Employee theft
- Software and hardware upgrades
- Reputation damage
- Utility failures
- Social engineering cyberattacks
The High Cost of Being Uninsured
Cyber insurance is in many respects a form of assurance that an organization has the opportunity to recover from a cyberattack rather than being bankrupted by one.
On average, cyberattack and data breach costs in 2021 averaged $4.24 million – up from $3.86 million the previous year. As the frequency and depth of attacks are expected to only increase, the financial impact on organizations is expected to follow suit.
Without cyber insurance, an organization is forced to foot the bill for recovery on its own – expenditures that could put it out of business.
Not having cyber insurance costs organizations in other ways, as well.
As a potential vendor or partner to another organization, having a cyber insurance policy can mean the difference between moving forward in a relationship or not. Many organizations require those they formally partner with to have a cyber insurance policy. A lack of such coverage in a partner may mean that there is virtually no financial relief available to an organization suffering the impacts of a cyber incident or data breach inflicted on the organization with whom they are affiliated.
Holding a cyber insurance policy also serves as a motivating factor in driving an organization to better protect itself from digital adversaries. To retain coverage, most insurers require that policyholders maintain a certain level of cyber defense and implement established data security protocols. In essence, cyber insurance helps reduce an organization’s risk profile by forcing it to stay on top of its cybersecurity and data protection programs.
Maximizing Cyber Insurance & Minimizing its Costs
When looking at cyber insurance costs, keep in mind that insurance companies will examine the depths and levels of an organization’s cybersecurity and data privacy frameworks.
In most cases, a cyber insurer will require an organization to fill out lengthy and in-depth questionnaires to assess their existing cybersecurity and data privacy frameworks. Completing these questionnaires requires a certain level of expertise in cyber and data security. Working with a cybersecurity partner simplifies this process and ensures that the insurer has the necessary information.
Inadequate responses could disqualify from insurability or an insurer may saddle an organization with higher premiums and costs to implement changes. If there are gaps or innocent misrepresentations in certain responses, a cybersecurity partner can help address them properly.
Beyond the application, working with a cybersecurity partner will also help an organization:
- Meet coverage requirements
- Maintain robust cybersecurity and data privacy practices
- Respond faster when a breach happens
Cyber Insurance for Peace of Mind
The digital assets of organizations are at greater risk than ever before. Cyber insurance helps reduce the vulnerability that comes from threats to those assets while indirectly improving cyber defense and data security measures. An investment in a cyber insurance policy is an investment in peace of mind and enduring after a cyberattack.
The responsibility for understanding and providing knowledgeable guidance on the importance, function, requirements, and benefits of cyber insurance most often falls to the general counsel. It is then advisable that the general counsel consult with qualified cybersecurity experts to acquire this proficiency.
Meet & Exceed Cyber Insurance Requirements
Book time with one of our experts to learn how we can help your organization make the most of its investment in a cyber insurance policy.