Cyber security insurance requirements

Whether it’s hacking, extortion, or other business-disrupting attacks like deliberate denial of service (DDoS), cybercrime can interrupt day-to-day business and dramatically affect your bottom line. Cybercrime damages are predicted to reach $10.5 trillion USD annually by 2025, which measures to more than $190,000 every second.

Cyber insurance can help protect organizations from malicious actions in a variety of ways. Policies often have provisions covering both the organization (first-party coverage) as well as liability brought against the organization by an outside party (third-party coverage). Together, this coverage offers comprehensive protection from cyber attacks.

Contrary to what many organizational leaders may believe, general business liability insurance does not cover cybercrime. These policies typically only cover bodily injuries and property damage, leaving cyber threats unaddressed. First-party and third-party cyber insurance covers these gaps.

First-party cyber insurance coverage

First-party cyber security insurance covers organizational data and business costs related to cybercrime. These policies should include:

• Legal fees. Legal counsel may be necessary for determining reporting obligations to customers and regulatory agencies.
• Data services. Should data be compromised, data recovery, replacement, and forensic investigations will need to be covered.
• Communications. These services may include customer notification and relevant logistics as well as any public relations services.
• Financial repercussions. Proper coverage can cover fines and penalties leveled, as well as lost revenue.

Third-party cyber insurance coverage

Third-party cyber security insurance covers an organization against outside liability. These policies should include:

• Litigation. This may involve ongoing costs for legal representation and communication.
• Financial liability. Claims, settlements, and related expenses brought by customers or other outside parties that need to be addressed should be covered.
• Business costs. Losses resulting from copyright or trademark disputes or ongoing accounting costs can be addressed.

What cyber security insurance does not often cover

Cyber insurance is not a data security panacea. As a result, there are often gaps in coverage which will need to be remediated by alternative means. When researching policies, understand that the following exclusions may exist:

• Data security improvements. Expenses incurred to prevent future cyber attacks will likely not be covered by insurance.
• Future income. Lost profit as a result of factors such as reputational damage resulting from data breaches or operational negligence.
• Devaluation. Should intellectual property or other valuable information be lost, insurance will not often cover loss of company value.
• Outside agencies. Insurers may include language excluding acts of war in their policy documentation.

While cybercrime has traditionally been thought of as a problem primarily for large businesses to deal with, small- and medium-sized businesses are increasingly lucrative targets for criminals, and 43% of attacks target small businesses. This is often due to the lax data security practices found in smaller businesses.

For this reason, investing in proper cyber security insurance on the front end can save time and money on the back end. Incidents cost $200,000 on average, which can damage the financial trajectory of a business for years or put a permanent end to a smaller business.

Direct costs alone aren’t the only factor, however. The time requirements to clear up the aftermath of a cyberattack can be significant. In addition to the physical time required to contact financial institutions and restore business operations, it’s important to also consider the revenue lost during any downtime resulting from the attacks. Should customer information be compromised, potential legal actions may stretch out over many months as well.

Cyber insurance is not a one-size-fits-all solution, and organizations looking to purchase coverage will need to do their part to ensure certain requirements have been met before a policy is in place. Should these requirements not be met to a satisfactory level, insurers may reconsider policy terms or refuse coverage altogether.

Proper data security should not be limited to one person or one department. In addition to technology, legal, and finance leaders, relevant team members should be kept informed on policy decisions in order to maintain compliance with insurer demands.

How an organization can meet the demands of the insurer

While cyber security insurance requirements may vary between policies and issuing companies, best practices to consider should include the following:

• Basic IT security. Ensure good data security measures are in place to provide a first line of defense against cyber attacks. Add a data discovery tool like the Spirion Sensitive Data Finder for better data visibility, encryption, and a targeted response in the event of a breach.
• Early planning. Prepare for policy purchase or renewal well ahead of time to ensure all organization data security practices are in line with policy requirements.
• Detailed documentation. Along with early preparation, having accurate and extensive documentation of organizational policies can reduce friction during the underwriting process.

Consequences of deficiencies found during the underwriting process

Cyber security insurance represents a transfer of risk. As a result, organizations with inadequate data security practices may face various hurdles in the insurance acquisition process. Common outcomes as a result of deficiencies found during the underwriting process include:

• Coverage limitations. Organizations found lacking in proper preventative action may have coverage written to exclude these shortcomings, resulting in coverage gaps.
• Premium increases. Due to increased insurance risk, coverage costs may be higher.
• Coverage rejection or cancellation. Should an organization present too great a risk, coverage may be denied or discontinued, resulting in increased operational risk.

One of the best ways an organization can take an active role in their data security process is by practicing good data hygiene. This means ensuring that all data in your internal systems is accurate, up to date, and well-classified. By ensuring sensitive data is well-protected, your organization can be better prepared for cyber threats and more capable of responding should you face a cyber attack.

You need the ability to take a deeper look into your data to understand all that you possess. A platform like Spirion’s Sensitive Data Platform allows organizations to identify, classify, and remediate sensitive data for increased security from data breaches. Laws and regulations regarding data privacy are constantly evolving, as well, and you will need to be prepared to address potential obstacles like Data Subject Access Requests (DSAR).