A Compendium for Obtaining & Retaining Cyber Insurance
Home > Cybersecurity Resources> Cyber Insurance Compendium
It goes without saying, robust cybersecurity and data privacy measures are a necessity for doing business in this day and age. Without either, an organization’s defenses are left to luck and hope – maybe an adversary will never take notice of the wide-open gaps in your network? (The odds are not in your favor).
The unfortunate reality is that the majority of organizations – regardless of their size or industry – will experience a cyberattack. While cybersecurity and data privacy measures help limit the depth and breadth of the incursion, they are only part of a larger strategy to mitigate the effects of an attack.
The fallout of a network infiltration is rarely a non-event. In many cases, it takes a concerted effort over months and a significant investment to recover from an attack. Cyber insurance helps an organization meet the challenges of returning to pre-attack operations without going bankrupt.
It also serves as a means to make sure an organization’s cybersecurity and data privacy measures are meeting base-level standards and best practices.
Obtaining cyber insurance is not a simple process. This should come as no surprise – while insurance is designed in part to mitigate an organization’s risk, insurers are not looking to assume unnecessary risk in providing coverage. In other words, the last thing an insurance provider wants to do is provide protection to an organization with inadequate, non-existent, or poorly maintained cybersecurity and data privacy programs.
Keeping coverage – especially after a cyber attack or data breach – is not a given either. As the threat landscape changes, an organization is likely to face higher premiums and new terms to retain coverage.
Just like implementing and maintaining cybersecurity and data privacy mechanisms takes agility and constant vigilance, meeting the terms of a cyber insurance policy requires the same. Leveraging a partnership with a cybersecurity and data privacy consultant can mean the difference between having the benefits of cyber insurance available or not.
In this guide, we’ll take a complete look at obtaining and retaining cyber insurance for your organization. We cover:
- What is Cyber Insurance and Why it Matters
- Data Privacy Vs. Data Security Vs. Cybersecurity
- Maturing Data Privacy Governance and Cybersecurity Programs
- Common Data Privacy & Cybersecurity Program Immaturities
- Cyber Insurance and a Cybersecurity Partner: Why You Need Both
- 5 Tips for Working with a vCISO
- Cyber Insurance Coverage Checklist: What to Look for in a Policy
- Tapping Your Cyber & Data Breach Insurance Post Attack
- Cyber Liability Insurance Costs & Avoiding Rate Hikes
What is Cyber Insurance & Why it Matters: An Overview
Cyber insurance is relatively new in the world of cybersecurity.
Though not an active part of the physical or virtual cyber defense that stops hackers from infiltrating a network or accessing data, it has become a vital component in an overall protection strategy.
A financial safety net of sorts, cyber insurance provides funding in the immediate aftermath of an incursion or theft of data. Essentially, it prevents an organization from going into financial ruin because of a bad actor’s actions while furnishing a financial lifeline needed for recovery.
For an organization’s general counsel, understanding cyber insurance and how policies work is as important as understanding existing cyber threats and the risks associated with not being prepared.
Cyberattacks are a very real and present danger to all types of organizations. Adversaries do not discriminate against who they target. As long as there is the potential for gain from infiltrating a network or stealing data, that is reason enough.
The numbers tell a concerning story: Not only has the frequency of cyberattacks grown exponentially in recent years, the attacks are also becoming increasingly subtle, sophisticated, and targeted. In addition, the costs associated with recovering from an attack – generated by deep-dive investigations, fines, penalties, lost revenue, etc. – are going well beyond the $1 million mark.
As someone tasked with making sure an organization is protected from legal, financial, and reputational threats, a general counsel plays an important role in advocating for and selecting a cyber insurance policy. In addition to evaluating the policy and its provisions, the general counsel can also help determine if the coverage is appropriate and the best value for the dollar.
A Closer Look at Cyber Insurance
Like any other form of coverage, cyber insurance is an additional layer of protection for a worst-case scenario. Having coverage can mean the difference between a successful recovery from an attack or breach, and bankruptcy or shutting down.
A funding source for both the immediate and long-term aftermath of an attack, cyber insurance helps organizations pay for the costs associated with an infiltration of their networks or compromised data such as:
- Repairing hardware
- Network damage
- Recovering stolen or corrupted data
- Ransoms and extortion payments
- Legal fees and fines
- Lost revenue
Though an expense, cyber insurance minimizes the direct impact of a cyberattack on an organization.
Types of Cyber Insurance
Cyber insurance breaks down into three categories of protection:
- First-party cyber liability insurance
- Third-party cyber liability coverage
Cyber errors and omission insurance
1. First-Party Liability Coverage
First-party cyber insurance is the most common form of coverage. At its core, a first-party cyber insurance policy serves as a funding source for the damages from a cyberattack, reducing the monetary impact of a breach on an organization.
During the first few hours and days after an attack, first-party cyber liability policies typically cover:
- Operational expenses
- Extortion fees (ransoms)
- Forensic investigations
- Notifying those affected by an incident
- Public relations efforts
In the weeks and months after an attack, first-party cyber liability policies cover the expenses of:
- Ongoing data restoration and recovery efforts
- Attorney and court fees
- Judgment claims
- Fines and fees for non-compliance
2. Third-Party Liability Coverage
Third-party coverage extends to those organizations that a business or company works with, and is liable for, such as its partners and vendors. In the event of a cyberattack against an affiliate, the primary organization is spared from some of the expenses of network infiltration or data compromise.
Be warned: third-party liability coverage does not provide the same level of protection as first-party liability coverage. Rather, it is an enhancement to the latter.
3. Cyber Errors and Omission Insurance
Addressing cyber risks from a different perspective, cyber errors and omission (E&O) insurance protects an organization should its products or services be the reason for a cyberattack against a user.
Similar to first-party cyber liability insurance, cyber E&O insurance provides coverage for expenditures such as legal fees, fines, and judgment claims. Such policies are, however, not all-encompassing, meaning they only provide coverage for the costs directly associated with the incident.
What Cybersecurity Insurance Does Not Cover
Having a cyber insurance policy is no guarantee of immunity from the financial impacts of a breach. Like other forms of insurance, there are elements of an incident that are simply not covered.
When looking for comprehensive coverage, be aware that cyber insurance policies usually do not provide coverage for:
- Employee negligence
- Employee theft
- Software and hardware upgrades
- Reputation damage
- Utility failures
- Social engineering cyberattacks
The High Cost of Being Uninsured
Cyber insurance is in many respects a form of assurance that an organization has the opportunity to recover from a cyberattack rather than being bankrupted by one.
On average, cyberattack and data breach costs in 2021 averaged $4.24 million – up from $3.86 million the previous year. As the frequency and depth of attacks are expected to only increase, the financial impact on organizations is expected to follow suit.
Without cyber insurance, an organization is forced to foot the bill for recovery on its own – expenditures that could put it out of business.
Not having cyber insurance costs organizations in other ways, as well.
As a potential vendor or partner to another organization, having a cyber insurance policy can mean the difference between moving forward in a relationship and not. Many organizations require those they formally partner with to have a cyber insurance policy. A lack of such coverage in a partner may mean that there is virtually no financial relief available to an organization suffering the impacts of a cyber incident or data breach inflicted on the organization with whom they are affiliated.
Holding a cyber insurance policy also serves as a motivating factor in driving an organization to better protect itself from digital adversaries. To retain coverage, most insurers require that policyholders maintain a certain level of cyber defense and implement established data security protocols. In essence, cyber insurance helps reduce an organization’s risk profile by forcing it to stay on top of its cybersecurity and data protection programs.
Data Privacy vs. Data Security vs.
Data Governance
Discussions about keeping data safe usually include terminology such as “data privacy,” “data security,” and “data governance.” While these terms indeed have a place in such conversations, they are often misused and misunderstood.
In the case of obtaining or retaining cyber insurance, most insurers take an in-depth look at an organization’s existing cybersecurity and data privacy practices before drawing up a policy. Having robust data security, privacy, and governance helps satisfy the insurer’s concerns and may translate to substantially lower premiums. Without them, an insurance provider may outright deny coverage or require an organization to develop and implement data management controls to obtain a policy.
Both individually and collectively, all three elements of data protection are vitally important to creating a well-rounded and successful data management strategy.
Understanding Data Privacy vs. Data Security vs. Data Governance
What is Data Privacy?
Data privacy – sometimes also referred to as “information privacy” – is the laws and regulations for how organizations collect, process, store, and share protected data.
In most countries, data privacy is a right, and individuals have the final say in how an organization manages and shares its data, including:
- Name
- Address
- Social security number
- Financial information
- Health information
What is Data Security?
Data security refers to the processes and procedures that protect data from unauthorized access, use, or alteration. At their core, data security measures keep data from falling into the hands of those with malicious intent.
Some of the most common data security mechanisms include:
- Firewalls
- Encryption
- Network access control
- Multi-factor authentication
What is Data Governance?
Data governance is the foundation on which the pillars of data security and privacy stand. In simplest terms, data governance is the internal policies for how an organization handles the data it collects.
Data governance comprises:
- Data retention policies
- Data storage locations
- Access controls
- Decision-making procedures and authority
- Contingency plans
- Auditing procedures
Remember: There is never a conflict between data privacy, security, and governance – all three complement each other in an effective data management strategy.
Maturing Data Privacy Governance & Cybersecurity Programs
As companies increasingly collect, process, and store data, they have also become more enticing to adversaries looking to carry out a cyberattack. Stolen data and disabled networks carry a high premium.
In the eyes of an insurer, this additional vulnerability impacts an organization’s risk profile.
Having mature cybersecurity and data privacy programs in place is almost a prerequisite for obtaining cyber insurance. Another form of protection against the effects of a network or data breach, cyber insurance goes hand-in-hand with cybersecurity and data privacy programs.
However, cyber insurers will not take on unnecessary risk. In evaluating an organization for coverage, they look more favorably on those that have more than just the basics to keep their digital assets safe. In other words, cyber insurers much prefer covering organizations that exceed their requirements for cybersecurity and data privacy protections.
The stronger an organization’s cybersecurity and data privacy frameworks, the more coverage options an insurance provider may offer and the lower premiums may be.
What Constitutes “Maturity” in Cybersecurity and Data Privacy Programs?
Mature Cybersecurity Program
A systematic approach to protecting computer networks and systems, a mature cybersecurity program features three overarching components:
1. Defined Policies and Procedures
Defined policies and procedures leave little question about an organization’s standards and practices for its cybersecurity. They are:
- Easily understandable
- Provide mechanisms for reporting suspicious activity
- Enforce consequences on those found not following guidelines
2. Organizational Buy-in
From the CEO to the rank and file employees, everyone should be on the same page with maintaining cybersecurity. Employees should receive regular cybersecurity training on suspicious emails, social engineering attempts, and proper data handling.
Decision-makers should review what to do in the event of a network breach as often as their quarterly reports.
3. Tools and Technology
An organization’s cybersecurity defenses are only as good as the tools it is using. Utilities such as end-point protection and anti-malware software are musts at a minimum. Further, an organization may want to consider advanced technologies like artificial intelligence for predictive analysis of potential future threats.
Mature Data Privacy Program
A mechanism for keeping private data out of the wrong hands and within the parameters of laws and regulations, mature data privacy programs should include:
1. Data Inventory and Mapping
Data inventory and mapping examines all the data an organization touches, uses, and collects. By understanding what data an organization has, where it lives, and who has access to it, decision-makers are able to better protect it from unauthorized access or theft. It can then identify and protect sensitive data that may require additional safeguards.
2. Data Retention Policies and Procedures
Data retention policies are guidelines dictating how long an organization is required to keep customer information before deleting it. The purpose is to provide protection against litigation over lost records that an individual may need to prove claims, as well as address legal requirements such as those imposed by law or industry best practices.
3. Privacy Policies
A privacy policy should be clear and concise, informing the individual or customer about what data is being gathered and why. It should also let the customer or user know that the organization did, in fact, gather their data and what their intentions are with it. The privacy policy should be easy to find on the organization’s website and updated regularly.
Common Cybersecurity & Data Privacy Program Immaturities
Cyberattacks have exponentially increased in recent years. While it might seem logical to attribute the uptick in attacks to adversaries becoming more cunning, that is only part of the story. In reality, hackers are able to gain access to a network by exploiting basic, yet common, gaps in cybersecurity.
Put simply, immature cybersecurity and data privacy programs can have big costs – especially when it comes to cyber insurance.
Despite many organizations taking steps toward stronger network security and compliance with data privacy regulations, three common issues persist that keep programs for both from being considered mature.
Many organizations have simply not prioritized their cybersecurity and data privacy programs. Rather, they do the bare minimum necessary to meet security and compliance standards.
Oftentimes, organizations have:
- Unused or underutilized security software and licenses
- Siloed or out-of-date security tools and technologies
- A lack of multifactor authentication
- Few measures are in place to determine if tools are working
- Compliance programs that see little attention
Unfortunately, many organizations put themselves at risk because they do not dedicate adequate resources to protecting themselves. The demand for security talent and a shortage of qualified experts has caused many organizations to be understaffed or lacking in necessary skills.
Out-of-date or ineffective defense mechanisms also make it easy for significant gaps to go unnoticed or unaddressed; this is particularly true in an understaffed environment. Once a breach is identified, many organizations also lack a formal incident response plan to mitigate threats and recover.
Cyber Insurance and a Cybersecurity Consultant: Why You Need Both
While cyber insurance helps mitigate some of the costs of a cyberattack, it cannot defend against an attack itself. In an overall strategy to circumvent and limit the effects of an attack, cyber insurance is half the equation. The other half is having robust cyber and data security measures in place.
Like obtaining and retaining cyber insurance, creating effective safeguards against digital adversaries is not an easy task. Nor is it a one-time endeavor. That is where a cybersecurity consultant is crucial.
Having a solid partnership cybersecurity consultant or vCISO (virtual chief information security officer) gives an organization peace of mind. It also does the same for an insurer providing coverage to an organization.
How Cybersecurity Consultants Compliment Cyber Insurance
Cyber insurance is now as essential in business as general liability insurance or any other insurance that is designed to ensure the survivability of an enterprise. Driven by increases in threats, new compliance requirements, and attack frequency, the cyber insurance market is expected to grow from $7.6 billion in 2021 to $36.85 billion by 2028.
However, it comes with a corresponding, and not insignificant, bite out of the bottom line.
Yet, just as a good driving record can lead to lower auto insurance premiums, demonstrating a lower risk factor to a cyber insurance underwriter can keep the cost of premiums down. A cybersecurity consultant helps an organization reduce its risk level and optimize insurance coverage, manage premiums, and ensure compliance with constantly evolving security frameworks and privacy regulations, while also staying on top of the latest cyber threats.
A cybersecurity consultant bridges the gap between the general counsel and a cyber insurance carrier by providing:
- Up-to-date information on new regulations and standards and program development for continuous compliance.
- Enhanced cybersecurity protection via ongoing vulnerability assessments, vendor risk management, and data privacy services.
- The experience that comes from consulting with scores of clients facing similar challenges
- Guidance through successfully syncing cybersecurity and data privacy programs during mergers and acquisitions.
- The ability to facilitate discussions and strategic planning around policy, priorities, vulnerabilities, adversary testing, incident response (IR) management, cyber insurance, as well as emerging threats
Need a Break?
Download this guide to finish when you’re ready:
Beyond Cyber Insurance Requirements: The Role of a Cybersecurity Consultant
The reality of the global threat of cybercrime and cyberwarfare has inspired a growing list of new regulations and laws designed to defend against such attacks. While largely beneficial, these new rules also create challenges for organizations. Organizations must not only achieve and maintain compliance but also understand and acclimate to new and existing regulations to fully recognize their defensive purpose.
It is prudent, therefore, for the general counsel to work closely with a cybersecurity consultant to make informed decisions about how to:
- Work within a regulatory framework to protect the organization against cyberattacks
- Develop a cyber incident response plan
- Remain in compliance with applicable data protection laws
A cybersecurity consulting partner will also provide valuable insight as the general counsel works with internal information security staff to implement programs that help an organization prepare for, and quickly recover from, inevitable cyber incidents that:
- Minimizing damage to the corporate reputation
- Mitigating the loss of key data
- Determining the source of the incursion
- Avoiding litigation and penalties by enacting a rapid and appropriate recovery plan
- Communicating regularly with the cyber insurance provider
- Ensuring an organization acts in ways consistent with its insurance policy
5 Tips for Working with a vCISO
An on-demand data security and privacy service provider, a virtual Chief Information Security Officer (vCISO) who works for an organization remotely. A vCISO can help build, improve, and maintain a robust and reliable cyber- and data-security program.
While a vCISO and general counsel (GC) fill two distinctly different roles in an organization, their work goes hand-in-hand – especially when it comes to maintaining cyber insurance coverage.
At their core, both the vCISO and GC share a common goal – protecting an organization. To maximize a working relationship, a GC and vCISO should:
1. Communicate
Communication is crucial in any relationship. GCs and vCISOs must be on the same page when it comes to assessing and mitigating risk. Neither party should be bashful about speaking up – sometimes hard conversations are the best, as they keep an organization proactive in staving off cyber threats.
2. Set Defined Expectations
One of the most dangerous things for an organization is when they engage outside resources without a clear picture of the intended outcomes of an engagement. Having the goals and deliverables clearly defined from the start of a relationship helps alleviate concerns or misunderstandings in the future. In addition, having expectations literally spelled out creates a means for accountability.
3. Understand the Threat Landscape
Cyber risks are higher than ever. Encrypted threats, ransomware, jackware, breach attempts, and nearly every other form of cyber-attacks rose by double or triple digits in 2021. Cybercriminals continue to evolve tactics.
A vCISO and GC should have regular conversations about where they see threats coming from and discuss ways to address them.
4. Be Familiar With the Regulatory and Compliance Landscape
Next to security, meeting compliance regulations and laws is the most important thing for data management and network security. Without having a grasp of the latest compliance laws and regulations, it becomes nearly impossible to develop programs that keep an organization secure and in compliance. Non-compliance is very costly to an organization, often meaning fines and penalties beyond the five-figure mark.
5. Practice Incident Response Readiness
The only thing worse than a cybersecurity or data privacy breach happening is not being ready to respond immediately. If an organization cannot respond quickly, the damage and fallout from an incursion are far greater.
Organizations need to have a formal cyber incident response (IR) plan in place and test it regularly. Practicing a simulated response to incidents allows both a GC and vCISO to evaluate the effectiveness of the plan and make refinements.
Cyber Insurance Coverage Checklist: What to Look for in a Policy
While no organization ever wants to find itself in the position of needing to use its cyber insurance, the only thing more frustrating is finding coverage is not available because of the policy’s provisions.
A cyber insurance policy should be the last thing an organization needs to worry about – especially when it is needed most in the aftermath of a breach.
Regardless of the carrier or the amount of available coverage, every cyber insurance policy should be scrutinized before signing on the dotted line. This cyber insurance coverage checklist will help make sure you find a policy that suits your organization’s needs.
Cyber Insurance Coverage Checklist: 7 Things Every Cyber Insurance Policy Should Have
Your cyber insurance coverage should be tailored to your unique organizational needs and risk profile. When evaluating a policy, evaluate it for these seven provisions:
- Ransomware payments and recovery: The ransom paid to an attacker and other expenses including hiring a negotiator.
- Data restoration: This covers restoring damaged data and software destroyed by malware or any other cyber attack.
- Loss of income: This includes recovering lost profits, fixed expenses, and other costs while your network is down as well as costs to restore operations. Some policies include coverage for lost profits from reputational damage or decreased valuation.
- Legal expenses and fees: This includes costs related to legal representation for your organization in the event of a lawsuit brought against you in the wake of an attack. Some policies will also cover penalties, fines, or hearings from regulatory agencies.
- Data breach notification: This includes costs associated with notifying anyone affected by the data breach. Some regulations require businesses to notify consumers who are affected.
- Digital forensics after a breach: This includes the cost of investigating, isolating, and removing a threat. It also covers the costs of hiring cybersecurity professionals to get a clear picture of the size and scope of a breach and to help get your cyber and data security programs up and running stronger than before.
- Fraud and credit monitoring: This includes credit monitoring costs and costs associated with creating a call center for impacted customers.
If you provide services to others or connect to other networks, you may also want to consider third-party cyber liability coverage to protect you in case an error or omission on your part causes damages to others.
Tapping Your Cyber & Data Breach Insurance Post Attack
While having insurance allows for a sigh of some relief in a worst-case scenario, there is no pleasure in tapping into coverage. Using insurance of any kind means something bad happened.
Like any other form of coverage, cyber insurance