Cyber insurance offers businesses protection from financial losses created by cyber-attacks, including system hacking, data breaches, and ransomware extortion payments. If an organization stores a great deal of sensitive information internally, it would be smart for them to implement cyber insurance. When a successful cyber-attack occurs, credit card information, full names, phone numbers, addresses, driver’s license data, health records and social security numbers of multiple people no longer become private information. With knowledge of people's sensitive information, anyone with access could do profound damage to a person's life.
Every business, no matter how large or small, is an opportunity for a cybercriminal to make money. Cybercrime is opportunistic, and certain vulnerabilities make any organization a target for attack. An immediate consequence after business experiences a data breach is damage to its overall reputation. If you’re part of a larger organization, there is room for improvement upon that image. However, smaller organizations tend to have a hard time surviving post-attack. Data breaches can also sometimes include customer financial data, and heavy fines can be filed depending on what the incident report shows and if your business was compliant with the minimum standards within the law.
Productivity, too, suffers post-cyber-attack. When companies don’t have a cyber security policy and a response plan in place, then that focus that could be aimed towards forwarding business is now redirected to recovery and playing catch-up. In the end, business suffers. Lastly, if your company computer system is hacked and cybercriminals make false wire transfers using online banking credentials gathered from employees, the bank is not responsible for lost funds. These four points are exactly why cyber insurance exists and why it is used by companies around the globe.
Cyber insurance typically falls under two forms, first-party coverage and liability coverage. First-party coverage provides financial assistance to aid an insured business with recovery costs. These types of policies usually cover the cost of incident investigation, risk assessment, revenue lost from interruption of business, and ransom attack payments. Policies generally cover the cost of notifying customers about cyber-attacks and providing anti-fraud services such as credit monitoring. Some policies will even cover the repair of important systems that were damaged in an incident. The most common first-party cyber coverage is data breach insurance. Cyber liability coverage protects a business from paying out of pocket when a third party sues the policyholder for damages because of a cyber-attack. Ultimately, this coverage protects businesses from the high costs of a data breach or malicious software attack. Policies commonly cover attorney, court fees, settlements, court judgments, and regulatory fines for noncompliance.
All businesses need to comprehend the cyber insurance landscape is in transition and plan out policies to mitigate their cyber risk. In the very soon future, policyholders are going to be required to prove with all the documentation that the minimum controls insurance companies set are being complied with. The burden of proof will be placed solely on the policyholder, not the insurance company. To maximize the chances of a full payout, businesses will need to keep comprehensive records of insurance requirements and show that tools are being implemented to continuously alleviate potential cyber risk.
Additionally, in 2022, cyber insurance will be more difficult to acquire. Companies that cannot verify that legitimate controls are being followed will not be renewed for their insurance policy. Furthermore, even if the company has had a longstanding policy in place with a particular insurer, it will have no bearing on continued coverage. Businesses must ensure requirements are timely met rather than rushing to complete everything before a deadline, or risk getting denied insurance. Organizations must disclose if they were denied by their insurance company for renewal, so denial can become a recurring issue and make a company uninsurable. A business can certify the missing controls to make sure insurability is back on the table. Companies can improve their insurability by keeping up with what is necessary to be insured, making sure it is implemented, documenting the requirements, and tentatively improving cyber policy as new regulations come out.