The following content was produced by Natalie Sherod and appeared in Kazmarek Technology Solutions monthly newsletter.
It is no secret that the number of cyber attacks and data breaches has increased significantly over the last decade. Data from Chubb, a well-known cyber insurance carrier, suggests that cyber incidents have increased over 435% in the last 10 years. Many businesses utilize cyber insurance policies as one way to manage their risk. Strong cyber security measures along with a robust cyber insurance policy can help a business to reduce financial risks associated with cyber-attacks.
Before diving into specific details surrounding a cyber policy, it is important to understand the exposures that a business faces with regard to cyber risk. These risks can be organized into three different categories:
Third Party Liability Costs: Businesses have a legal and financial responsibility to keep certain types of data secure. This could include personally identifiable information of employees, customers or vendors and can even include confidential business information from the same sources. If a data breach exposes that information, the business could be found liable and will be faced with damages owed.
First Party Costs: From the moment a suspected breach occurs, a business will start incurring costs. Costs associated with a breach can include the cost to bring in a forensic team to determine whether a breach did occur and whether data was compromised, costs to notify affected individuals, costs to monitor credit of those individuals, etc. One often overlooked potential cost is the effect a breach will have on your business if it cannot operate normally. Many attacks result in critical operating systems, networks and data being deemed unusable. There are costs associated with rebuilding that data/network as well as potential lost revenue while you are unable to operate at a normal level, or at all.
Cyber Crime Costs: The number of cyber crime attacks has greatly increased over the last few years. Ransomware, funds transfer fraud, and social engineering losses are just a few examples. These attacks are becoming more and more sophisticated and target all different levels within the organization.
Cyber insurance policies can protect businesses from all three of these risk categories, but it is extremely important to have an understanding of the policy form you choose to buy. Coverage can vary greatly between carriers and forms. Limited coverage can be found as an endorsement to a property/liability policy (not recommended) while stand-alone policies offer anywhere between five and 15 insuring agreements. Along with providing coverages to address the issues above, many also come with additional offerings such as public relations costs, breach coaches, and preventative risk management strategies.
The cost of these policies will vary based on industry, revenue, and cyber security controls in place. The focus on controls has become increasingly important in the last three years. A business used to be able to get a policy offering broad coverages without having to provide much information on controls in place. That is no longer the case and businesses are now faced with lengthy, detailed applications to describe their current cyber security posture. Most cyber insurance carriers are going to want to see numerous controls in place, including Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), and offsite immutable backups, before offering significant coverage. For those also wanting cyber crime coverage, employee training is a must.
The current threat landscape makes a well thought-out and properly executed Cyber Security program, including Cyber Insurance, absolutely imperative. This helps ensure that your business and its assets are protected from the panoply of bad actors online. For more information on this topic, please reach out to Cavignac.