Cyber Insurance FAQ

No business is immune to cyber attacks, network outages and data breaches; in fact, many studies show that small businesses are victims of 71% of cyberattacks. The impacts are often devastating, ranging from lost business opportunities to customer revolt, and from a damaged reputation to stolen data and funds. Repercussions can even extend to loss of employment, as Target’s former CEO discovered. Considering these potential repercussions, cybersecurity insurance may be a wise investment for your company. It mitigates many of the costs associated with investigating and resolving a security incident, and it helps a business return to normal operations quickly protecting your balance sheet and helping recovering your reputation.

Cybersecurity insurance warranties comes in two types: first party and third party. Most insurers offer policies that combine features of both, but not always. Many carriers also write provisions and exclusions into first or third-party policies, so businesses should carefully choose their cybersecurity policy to define the real needs (or if already underwritten, read it carefully to understand what is covered and what not, which coverage limits, which exclusions, …) . A cybersecurity plan that focuses on first-party coverage is what most businesses will need. It protects against losses suffered by the insured and can include reparations for some of the following incidents:

• Damaged or lost digital assets, such as data and software
• Lost business opportunities or increased operational costs due to an interruption of the insured’s computer systems
• Cyber extortion if the hacker holds the insured’s data for ransom
• Money stolen through an electronic crime (if included)

• Security breaches of employee confidentiality
• Lost customer data and information
• Customer notification after a security breach
• Public-relations efforts as well as combatting defamation and intellectual-property violations.

Cybersecurity policies are relatively new and still growing, but some exclusions are more common as theft of intellectual property, lower sales due to damaged reputation, crimes. These shortcomings may change, but cybersecurity insurance is so new that underwriters remain unable to easily and accurately assess risk. As a result, they exclude items—such as product designs, software code and reputation loss—that are hard to quantify.

The best way to determine what kind of cybersecurity insurance your business needs is to perform a risk assessment and impact analysis. Businesses should carefully review their assets—including financial and customer data—as well as intellectual property, and categorize them as high or low risk. But also try to develop quantitative approaches to understand which needs of coverage they have to set-up proper insurance limits.

They should also recognize their main points of vulnerability during this process. The recent attack on Swift, which was once considered a highly secure financial messaging system, showed how hackers can exploit vulnerabilities in a system to steal a company’s physical assets.

Finally, business owners should visit with legal counsel and other department heads. Doing so will provide more insight into the implications of a data breach and pinpoint which assets are critical to safeguard when developing a risk-management strategy.

Businesses should work with a cybersecurity-insurance broker who has proven experience and expertise in designing/selecting a cyber policy. This individual will be able to offer advice about different policies, prices and exclusions, allowing businesses to choose the coverage that best fits their needs.

The perceived risk exposure of cybersecurity insurance is high, so it is currently available only through major carriers like AIG, Beazley Chubb, Allianz and UnipolSai and Generali (these insurance carriers are directly active in Italy, but there are more than 70 insurance carriers in the EMEA area). These companies have both the means and willingness to cover filed claims. The options will likely grow, however: as cyber threats increase, so does public demand for standalone coverage.

Insurers price cybersecurity coverage using the same method that they employ for traditional insurance packages. Underwriters analyze the insured’s risk and company’s risk management policies accordingly.

But pricing cyber insurance can be more challenging. Underwriters have a few data available, making it difficult to accurately assess risk, for this reason is very important to perform a cyber security risk assessment, preferably quantifying the impacts of cyber security incident scenarios, otherwise the price to pay and the scope to be secured could be seen as a black box by the insurer.

The premiums are risk-based and represent a high risk because they generally ensure the purpose of the "black box" of companies and for this reason may require large payments. However, insurance premiums for cyber security have increased significantly in recent years.

A cutting-edge and cost-cutting approach is to adapt policies to the needs of companies to create a tailor-made policy. The lack of actuarial data underlines the need to carry out qualitative assessments or rather quantitative assessments of a company's Cyber risk.

Although cybersecurity insurance doesn’t follow the new usage-based model of auto insurance, there are still ways to reduce premiums. One is by implementing best security policies and practices for your business. The Department of Homeland Security urges businesses to adopt preventative cybersecurity measures and encourages insurance companies to base premiums on the insured’s level of self-protection.

Hacks and breaches are on the rise, but businesses can make two types of offensive moves. First, they can adopt best security practices. Second, they can develop a robust recovery plan that prominently features cybersecurity insurance. These two tactics will not only help guard against cyberattacks, but they will also help get businesses back on their feet quickly if their data is compromised.