Technology, social media and transactions over the Internet play key roles in how most organizations conduct business and reach out to prospective customers today. Those vehicles also serve as gateways to cyber attacks. Whether launched by run-of-the-mill hackers, criminals, insiders or even nation states, cyber attacks are likely to occur and can cause moderate to severe losses for organizations large and small. As part of a risk management plan, organizations must routinely decide which risks to avoid, accept, control or transfer. Transferring risk is where cyber insurance comes into play. Every company that handles any personally identifiable information or provides any type of IT-related work should have cyber liability insurance.
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage, is a liability policy for businesses that are at risk. It is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. With its roots in errors and omissions (E&O) insurance, cyber insurance began catching on in 2005. It doesn’t stop cyber crimes, but rather helps to keep your business on a stable footing should a significant event happen.
Cyber insurance typically covers expenses related to first parties as well as claims by third parties. Although there is no standard for underwriting these policies, the following are common reimbursable expenses:
Keep in mind that cyber insurance is still evolving. Cyber risks change frequently, and organizations tend not to report the full impact of breaches in order to avoid negative publicity and damage to customer trust. Thus, underwriters have limited data from which to determine the financial impact of attacks. Essentially, the true risk of cyber attacks is not completely understood.
Not all cyber policies are the same. As a matter of fact, a General Liability policy could have coverage that would appear to provide for cyber risks. But if you really want to protect your organization from the results of these threats, you need to know what the policy offers you in terms of coverage and how it applies to your specific environment. Some things to look for in a policy are:
As an example, suppose you are a retailer that uses a point-of-sale system from a vendor. The system has some malware associated with the credit card scanner, and information is captured by an outside player. You, the retailer, are considered the "First Party" while the point-of-sale system vendor might be considered the "Third Party". It is always important for you to know what your vendors have in the way of cyber insurance protection for themselves and you.