It goes without saying that robust cybersecurity and data privacy measures are a necessity for doing business in this day and age. Without either, an organization’s defenses are left to luck and hope – maybe an adversary will never take notice of the wide-open gaps in your network? (The odds are not in your favor.)
The unfortunate reality is that the majority of organizations – regardless of their size or industry – will experience a cyberattack. While cybersecurity and data privacy measures help limit the depth and breadth of the incursion, they are only part of a larger strategy to mitigate the effects of an attack.
The fallout of a network infiltration is rarely a non-event. In many cases, it takes a concerted effort over months and a significant investment to recover from an attack. Cyber insurance helps an organization meet the challenges of returning to pre-attack operations without going bankrupt.
It also serves as a means to make sure an organization’s cybersecurity and data privacy measures are meeting base-level standards and best practices.
Obtaining cyber insurance is not a simple process. This should come as no surprise – while insurance is designed in part to mitigate an organization’s risk, insurers are not looking to assume unnecessary risk in providing coverage. In other words, the last thing an insurance provider wants to do is provide protection to an organization with inadequate, non-existent, or poorly maintained cybersecurity and data privacy programs.
Keeping coverage – especially after a cyberattack or data breach – is not a given either. As the threat landscape changes, an organization is likely to face higher premiums and new terms to retain coverage.
Just like implementing and maintaining cybersecurity and data privacy mechanisms takes agility and constant vigilance, meeting the terms of a cyber insurance policy requires the same. Leveraging a partnership with a cybersecurity and data privacy consultant can mean the difference between having the benefits of cyber insurance available or not.
In this guide, we’ll take a complete look at obtaining and retaining cyber insurance for your organization. We cover:
Cyber insurance is relatively new in the world of cybersecurity.
Though not an active part of the physical or virtual cyber defense that stops hackers from infiltrating a network or accessing data, it has become a vital component in an overall protection strategy.
A financial safety net of sorts, cyber insurance provides funding in the immediate aftermath of an incursion or theft of data. Essentially, it prevents an organization from going into financial ruin because of a bad actor’s actions while furnishing a financial lifeline needed for recovery.
For an organization’s general counsel, understanding cyber insurance and how policies work is as important as understanding existing cyber threats and the risks associated with not being prepared.
Cyberattacks are a very real and present danger to all types of organizations. Adversaries do not discriminate in choosing their targets. As long as there is the potential for gain from infiltrating a network or stealing data, that is reason enough.
The numbers tell a concerning story: Not only has the frequency of cyberattacks grown exponentially in recent years, the attacks are also becoming increasingly subtle, sophisticated, and targeted. In addition, the costs associated with recovering from an attack – generated by deep-dive investigations, fines, penalties, lost revenue, etc. – are going well beyond the $1 million mark.
As someone tasked with making sure an organization is protected from legal, financial, and reputational threats, a general counsel plays an important role in advocating for and selecting a cyber insurance policy. In addition to evaluating the policy and its provisions, the general counsel can also help determine if the coverage is appropriate and the best value for the dollar.
Like any other form of coverage, cyber insurance is an additional layer of protection for a worst-case scenario. Having coverage can mean the difference between a successful recovery from an attack or breach, and bankruptcy or shutting down.
A funding source for both the immediate and long-term aftermath of an attack, cyber insurance helps organizations pay for the costs associated with an infiltration of their networks or compromised data such as:
Though an expense, cyber insurance minimizes the direct impact of a cyberattack on an organization.
Cyber insurance breaks down into three categories of protection:
Cyber errors and omissions insurance
First-party cyber insurance is the most common form of coverage. At its core, a first-party cyber insurance policy serves as a funding source for the damages from a cyberattack, reducing the monetary impact of a breach on an organization.
During the first few hours and days after an attack, first-party cyber liability policies typically cover:
In the weeks and months after an attack, first-party cyber liability policies cover the expenses of:
Third-party coverage extends to those organizations that a business or company works with, and is liable for, such as its partners and vendors. In the event of a cyberattack against an affiliate, the primary organization is spared from some of the expenses of network infiltration or data compromise.
Be warned: third-party liability coverage does not provide the same level of protection as first-party liability coverage. Rather, it is an enhancement to the latter.
Addressing cyber risks from a different perspective, cyber errors and omissions (E&O) insurance protects an organization should its products or services be the reason for a cyberattack against a user.
Similar to first-party cyber liability insurance, cyber E&O insurance provides coverage for expenditures such as legal fees, fines, and judgment claims. Such policies are, however, not all-encompassing, meaning they only provide coverage for the costs directly associated with the incident.
Having a cyber insurance policy is no guarantee of immunity from the financial impacts of a breach. Like other forms of insurance, there are elements of an incident that are simply not covered.
When looking for comprehensive coverage, be aware that cyber insurance policies usually do not provide coverage for:
Cyber insurance is in many respects a form of assurance that an organization has the opportunity to recover from a cyberattack rather than being bankrupted by one.
Cyberattack and data breach costs in 2021 averaged $4.24 million – up from $3.86 million the previous year. As the frequency and depth of attacks are expected to only increase, the financial impact on organizations is expected to follow suit.
Without cyber insurance, an organization is forced to foot the bill for recovery on its own – expenditures that could put it out of business.
Not having cyber insurance costs organizations in other ways, as well.
As a potential vendor or partner to another organization, having a cyber insurance policy can mean the difference between moving forward in a relationship and not. Many organizations require those they formally partner with to have a cyber insurance policy. A lack of such coverage in a partner may mean that there is virtually no financial relief available to an organization suffering the impacts of a cyber incident or data breach inflicted on the organization with whom they are affiliated.
Holding a cyber insurance policy also serves as a motivating factor in driving an organization to better protect itself from digital adversaries. To retain coverage, most insurers require that policyholders maintain a certain level of cyber defense and implement established data security protocols. In essence, cyber insurance helps reduce an organization’s risk profile by forcing it to stay on top of its cybersecurity and data protection programs.
Discussions about keeping data safe usually include terminology such as “data privacy,” “data security,” and “data governance.” While these terms indeed have a place in such conversations, they are often misused and misunderstood.
In the case of obtaining or retaining cyber insurance, most insurers take an in-depth look at an organization’s existing cybersecurity and data privacy practices before drawing up a policy. Having robust data security, privacy, and governance helps satisfy the insurer’s concerns and may translate to substantially lower premiums. Without them, an insurance provider may outright deny coverage or require an organization to develop and implement data management controls to obtain a policy.
Both individually and collectively, all three elements of data protection are vitally important to creating a well-rounded and successful data management strategy.
Data privacy – sometimes also referred to as “information privacy” – refers to the laws and regulations governing how organizations collect, process, store, and share protected data.
In most countries, data privacy is a right, and individuals have the final say in how an organization manages and shares their data, including:
Data security refers to the processes and procedures that protect data from unauthorized access, use, or alteration. At their core, data security measures keep data from falling into the hands of those with malicious intent.
Some of the most common data security mechanisms include:
Data governance is the foundation on which the pillars of data security and privacy stand. In simplest terms, data governance is the internal policies for how an organization handles the data it collects.
Data governance comprises:
As companies increasingly collect, process, and store data, they have also become more enticing to adversaries looking to carry out a cyberattack. Stolen data and disabled networks carry a high premium.
In the eyes of an insurer, this additional vulnerability impacts an organization’s risk profile.
Having mature cybersecurity and data privacy programs in place is almost a prerequisite for obtaining cyber insurance. Another form of protection against the effects of a network or data breach, cyber insurance goes hand-in-hand with cybersecurity and data privacy programs.
However, cyber insurers will not take on unnecessary risk. In evaluating an organization for coverage, they look more favorably on those that have more than just the basics to keep their digital assets safe. In other words, cyber insurers much prefer covering organizations that exceed their requirements for cybersecurity and data privacy protections.
The stronger an organization’s cybersecurity and data privacy frameworks, the more coverage options an insurance provider may offer and the lower premiums may be.
A systematic approach to protecting computer networks and systems, a mature cybersecurity program features three overarching components:
Defined policies and procedures leave little question about an organization’s standards and practices for its cybersecurity. They are:
From the CEO to the rank-and-file employees, everyone should be on the same page about maintaining cybersecurity. Employees should receive regular cybersecurity training on suspicious emails, social engineering attempts, and proper data handling.
Decision-makers should review what to do in the event of a network breach as often as their quarterly reports.
An organization’s cybersecurity defenses are only as good as the tools it is using. Utilities such as endpoint protection and anti-malware software are musts at a minimum. Further, an organization may want to consider advanced technologies like artificial intelligence for predictive analysis of potential future threats.
A mechanism for keeping private data out of the wrong hands and within the parameters of laws and regulations, mature data privacy programs should include:
Data inventory and mapping examines all the data an organization touches, uses, and collects. By understanding what data an organization has, where it lives, and who has access to it, decision-makers are able to better protect it from unauthorized access or theft. The organization can then identify and protect sensitive data that may require additional safeguards.
Data retention policies are guidelines dictating how long an organization is required to keep customer information before deleting it. The purpose is to provide protection against litigation over lost records that an individual may need to prove claims, as well as address legal requirements such as those imposed by law or industry best practices.
A privacy policy should be clear and concise, informing the individual or customer about what data is being gathered and why. It should also let the customer or user know that the organization did, in fact, gather their data and what their intentions are with it. The privacy policy should be easy to find on the organization’s website and updated regularly.
Cyberattacks have exponentially increased in recent years. While it might seem logical to attribute the uptick in attacks to adversaries becoming more cunning, that is only part of the story. In reality, hackers are able to gain access to a network by exploiting basic, yet common, gaps in cybersecurity.
Put simply, immature cybersecurity and data privacy programs can have big costs – especially when it comes to cyber insurance.
Despite many organizations taking steps toward stronger network security and compliance with data privacy regulations, three common issues persist that keep programs for both from being considered mature.
Many organizations have simply not prioritized their cybersecurity and data privacy programs. Rather, they do the bare minimum necessary to meet security and compliance standards.
Oftentimes, organizations have:
Unfortunately, many organizations put themselves at risk because they do not dedicate adequate resources to protecting themselves. The demand for security talent and a shortage of qualified experts have left many organizations understaffed or lacking the necessary skills.
Out-of-date or ineffective defense mechanisms also make it easy for significant gaps to go unnoticed or unaddressed; this is particularly true in an understaffed environment. Once a breach is identified, many organizations also lack a formal incident response plan to mitigate threats and recover.
While cyber insurance helps mitigate some of the costs of a cyberattack, it cannot defend against an attack itself. In an overall strategy to prevent and limit the effects of an attack, cyber insurance is half the equation. The other half is having robust cyber and data security measures in place.
Like obtaining and retaining cyber insurance, creating effective safeguards against digital adversaries is not an easy task. Nor is it a one-time endeavor. That is where a cybersecurity consultant is crucial.
Having a solid partnership with a cybersecurity consultant or vCISO (virtual chief information security officer) gives an organization peace of mind. It does the same for an insurer providing coverage to that organization.
Cyber insurance is now as essential in business as general liability insurance or any other insurance that is designed to ensure the survivability of an enterprise. Driven by increases in threats, new compliance requirements, and attack frequency, the cyber insurance market is expected to grow from $7.6 billion in 2021 to $36.85 billion by 2028.
However, it comes with a corresponding, and not insignificant, bite out of the bottom line.
Yet, just as a good driving record can lead to lower auto insurance premiums, demonstrating a lower risk factor to a cyber insurance underwriter can keep the cost of premiums down. A cybersecurity consultant helps an organization reduce its risk level and optimize insurance coverage, manage premiums, and ensure compliance with constantly evolving security frameworks and privacy regulations, while also staying on top of the latest cyber threats.
A cybersecurity consultant bridges the gap between the general counsel and a cyber insurance carrier by providing:
The reality of the global threat of cybercrime and cyberwarfare has inspired a growing list of new regulations and laws designed to defend against such attacks. While largely beneficial, these new rules also create challenges for organizations. Organizations must not only achieve and maintain compliance but also understand and acclimate to new and existing regulations to fully recognize their defensive purpose.
It is prudent, therefore, for the general counsel to work closely with a cybersecurity consultant to make informed decisions about how to:
A cybersecurity consulting partner will also provide valuable insight as the general counsel works with internal information security staff to implement programs that help an organization prepare for, and quickly recover from, inevitable cyber incidents that:
A virtual Chief Information Security Officer (vCISO) is an on-demand data security and privacy service provider who works for an organization remotely. A vCISO can help build, improve, and maintain a robust and reliable cyber- and data-security program.
While a vCISO and general counsel (GC) fill two distinctly different roles in an organization, their work goes hand-in-hand – especially when it comes to maintaining cyber insurance coverage.
At their core, both the vCISO and GC share a common goal – protecting an organization. To maximize a working relationship, a GC and vCISO should:
Communication is crucial in any relationship. GCs and vCISOs must be on the same page when it comes to assessing and mitigating risk. Neither party should be bashful about speaking up – sometimes hard conversations are the best, as they keep an organization proactive in staving off cyber threats.
One of the most dangerous things an organization can do is engage outside resources without a clear picture of the intended outcomes of the engagement. Having the goals and deliverables clearly defined from the start of a relationship helps alleviate concerns or misunderstandings in the future. In addition, having expectations literally spelled out creates a means for accountability.
Cyber risks are higher than ever. Encrypted threats, ransomware, jackware, breach attempts, and nearly every other form of cyberattack rose by double or triple digits in 2021. Cybercriminals continue to evolve their tactics.
A vCISO and GC should have regular conversations about where they see threats coming from and discuss ways to address them.
Next to security, meeting compliance regulations and laws is the most important thing for data management and network security. Without having a grasp of the latest compliance laws and regulations, it becomes nearly impossible to develop programs that keep an organization secure and in compliance. Non-compliance is very costly to an organization, often meaning fines and penalties beyond the five-figure mark.
The only thing worse than a cybersecurity or data privacy breach happening is not being ready to respond immediately. If an organization cannot respond quickly, the damage and fallout from an incursion are far greater.
Organizations need to have a formal cyber incident response (IR) plan in place and test it regularly. Practicing a simulated response to incidents allows both a GC and vCISO to evaluate the effectiveness of the plan and make refinements.
While no organization ever wants to find itself in the position of needing to use its cyber insurance, the only thing more frustrating is finding that coverage is not available because of the policy’s provisions.
A cyber insurance policy should be the last thing an organization needs to worry about – especially when it is needed most in the aftermath of a breach.
Regardless of the carrier or the amount of available coverage, every cyber insurance policy should be scrutinized before signing on the dotted line. This cyber insurance coverage checklist will help make sure you find a policy that suits your organization’s needs.
Your cyber insurance coverage should be tailored to your unique organizational needs and risk profile. When evaluating a policy, check it for these seven provisions:
If you provide services to others or connect to other networks, you may also want to consider third-party cyber liability coverage to protect you in case an error or omission on your part causes damages to others.
While having insurance allows for a sigh of some relief in a worst-case scenario, there is no pleasure in tapping into coverage. Using insurance of any kind means something bad happened.
Like any other form of coverage, cyber insurance is something an organization would rather have and not need than need and not have. In cases of using cyber and data breach insurance, an organization has fallen victim to a hacker gaining access to its networks and private data.
Though post-cyberattack conversations are the last thing anyone wants to have, they are a necessity to move forward in the recovery process. By coming to the table prepared, those hard conversations are a little easier and streamline the initial stages of getting back to pre-breach business as usual.
After a cybersecurity or data privacy breach, one of your first steps is to execute your breach response and notification plan. The sooner you start, the sooner you can start filing an insurance claim.
For your data breach insurance provider to effectively help your organization, they need as much information as possible from the onset. Key details to share in the immediate aftermath of a breach include:
Whether you are an organization’s general counsel, CISO, risk management professional, or member of its IT team, there are some important questions you should ask your insurer to move forward in starting the claims process: