What Is Cybersecurity Insurance?

Any Managed Service Provider in Washington DC should be able to help you understand Cybersecurity Insurance. Since Capital Techies is all about maintaining our clients’ business continuity, this new type of insurance policy is becoming more of a necessity.

In today’s environment, there is no doubt that the Cyberthreat Landscape is constantly evolving and changing on a daily basis.  For every original threat vehicle launched, there are many variants of it that will soon follow.  A perfect example of this is Phishing.  This is probably one of the oldest forms of a Cyberattack, yet it is still being used heavily today in many different variants like Spear Phishing and Business Email Compromise.

Why Do I Need Cybersecurity Insurance?

Once an organization has been impacted, it experiences downtime while it restores operations to a baseline level. Mission-critical processes need to keep running. There can be exponential losses of revenue because of this. However, loss of time and revenue are only the tangible losses.

Beyond this, there are also the intangible losses.  These are the unquantifiable losses, which include the following:

  • Tarnished brand image
  • Loss of reputation
  • Loss of customers
  • The time it takes new customers
  • The time it takes to send out notifications to customers and the stakeholders (both internal and external) that their Personally Identifiable Information (PII) could be at risk
  • The time it takes to answer questions posed by law enforcement and regulators (both at the federal and state levels)
  • Any further downtime that may be experienced in a potential lawsuit

The Cost of Not Having a Cybersecurity Insurance Policy

Here are some examples of what the latest Cyberattacks have cost Corporate America:

[Diagram: Greatest Data Security Breaches of the 20th Century]

As you can see from the diagram above, the costs are enormous. And every year the costs are getting worse.  But keep in mind that these are only the tangible costs, not the intangible costs.  If the latter were factored, the costs would be much more staggering.

Corporate America is now looking into procuring Cybersecurity insurance as a means to hedge or cover the losses incurred after a Cyberattack. However, purchasing a plan is a little more complicated than getting car or medical insurance. Unfortunately, it is also poorly understood by C-Suite Executives.

Cybersecurity Insurance Coverage

When shopping around for the policy that’s right for you, this is what is typically covered:

Cybersecurity Insurance Coverage of Damage or Loss to Electronic Data

This includes any “damage, theft, disruption or corruption” to the Electronic Data that a business or corporation may possess. It even covers any loss or damage to your employees’ workstations, laptops, or wireless devices. But in order to be provided coverage, there are two criteria that need to be met:

  • The Electronic Data that has been impacted must be the result of a Cyberattack;
  • Coverage will only be granted to the Electronic Data that resides on company-issued devices.

This provision will also provide coverage to recover any hijacked, lost, or stolen Electronic Data, and even the costs that are associated with hiring a specialist to accomplish this task.

Cybersecurity Insurance Coverage of Any Lost Income

To a certain extent, many insurance providers will provide for any monetary loss as a result of a Cyberattack, whether it is lost revenue or extra expenses incurred because of it. However, this coverage is typically different from the normal coverage afforded by a standard Commercial Property Policy, which applies only to monetary losses incurred to the physical property of a business entity.

Cybersecurity Insurance Coverage of Damages from Cyber Extortion

Cyber Extortion is exactly what it sounds like. Cyber-criminals demand payment by using a threat or malicious activity against you or your business. A data compromise or a denial of service are typical extortion techniques used to exploit their victims.

Ransomware is an example of this.  Under this kind of Cyberattack, the hacker sends out Malware to your computer or server, which will lock up the screen, and any other mission-critical files that reside within it.  The hacker will typically ask for a ransom, made payable by a virtual currency, such as Bitcoin.  Theoretically, once this is paid, the Cyber attacker should send you the decryption algorithm to unlock your screen and files, but in reality, this hardly ever happens.  Cybersecurity Insurance will cover this, from two perspectives:

  • Any costs that are associated with responding to the Cyber attacker;
  • Any ransom money that you have paid them.

Cybersecurity Insurance Coverage for the Costs of Notification

After a security breach has impacted an organization, many regulations now require the C-Suite to provide written notification to the affected stakeholders, which typically include the customers, suppliers, etc. Cybersecurity Insurance will cover the following:

  • The costs that are associated with notifying the stakeholders (such as letter preparation, the costs of sending the letters out, etc.);
  • Any legal expenses;
  • Providing credit monitoring services to the impacted stakeholders (this is typically for one year);
  • In some cases, the costs that are associated with setting up a temporary call center in order to address stakeholder questions and concerns.

First Party Coverages vs. Third Party Coverages

The above are known as “First Party Coverages” and are subject to a deductible based upon the type of Cybersecurity Insurance that you have.

It should be noted that Cybersecurity Insurance also provides for what are known as “Third Party Coverages”. These typically arise from claims that have been filed by the impacted stakeholders against the organization, and any type of monetary settlements that have been subsequently agreed upon. Typical examples of this include the following:

Cybersecurity Insurance Coverage for Third-Party Network Security Liability

These kinds of claims arise when lawsuits are filed against a business entity after there has been a major breach and the Personally Identifiable Information (PII) has been hijacked as a result of a Distributed Denial of Service (DDoS) attack, Virus, Malware, or any unauthorized access to the database in which the PII resides.

Cybersecurity Insurance Coverage for Third-Party Network Privacy Liability

This differs from the above in that the Cybersecurity Insurance policy will cover any claims on the grounds that the organization did not adequately protect the PII that was stored on the database. Inadequate protection often refers to not deploying and applying the latest software patches and upgrades, letting unauthorized users gain access to the database when there was no need for them to in the first place, etc.

Cybersecurity Insurance Coverage for Third-Party Electronic Media Liability

Typical examples of this include:

  • Copyright Infringement
  • Domain Name Infringement

Cybersecurity Insurance will only cover those instances if the above has been published and distributed maliciously over the Internet, without your prior knowledge.

What Is Not Covered by Cybersecurity Insurance

Anything in excess of your policy limit or sub-limit:

Any costs or claims that have been filed that exceed your current Cybersecurity Insurance policy will not be covered.  In these cases, if more coverage is needed, you will have to get a newer policy, which means it will be more expensive.

A sub-limit is a limitation in an insurance policy on the amount of coverage available for a specific type of loss. This limitation places a maximum on the amount available to pay out for that specific loss, rather than providing additional coverage for that type of loss.

For example, a sub-limit may apply to the costs that are related to a Forensics Investigation, which would place a cap on that specific kind of activity.

Loss of Intellectual Property (IP) or Corporate Trade Secrets

At the present time, Cybersecurity Insurance does not cover this, because the industry cannot quantitatively gauge with certainty any losses that occur because of a devaluing in this area.

The Loss to Reputation and Brand Damage

The insurance industry has no current financial methodology to quantify the risk in these two areas. The present view is that it is up to the CIO or CISO to provide protections in these areas, as well as to cover any financial expenses that are incurred.

Expenses due to Business Interruptions or Downtime

In this instance, any monetary loss incurred is not covered by a Cybersecurity Insurance policy.

Any Security Breaches That Have Been Caused by Negligence

The insurance industry will not provide coverage for an organization that maintains a level of poor “Cyber Hygiene”.  Although this is a qualitative term, this can stem from such things as not implementing a Security Policy, being out of compliance with regulatory agencies within the federal government, or even failure to maintain minimum standards that have been set forth by the insurance company that is providing the Cybersecurity Insurance.

Threats Posed by Nation-State Actors

Nation-State Actors work for a specific government to disrupt, compromise, and wreak havoc on opposing governments, political organizations, and dignitaries to gain access to valuable intel and data which has the power to create significant international incidents.

Insurance companies do not provide coverage for any hacks or Cyberattacks that have been ascertained to be terrorist in nature. Typically, this will involve the Fortune 100 companies that have a large international dominance, with a lot of Personally Identifiable Information (PII) at risk.

Remediating IT Assets

Any costs that are incurred to make an IT Asset more fortified after a Cyberattack are not covered.

Losses Incurred to Physical Property

As described earlier, Cybersecurity Insurance will typically cover only those losses that are deemed to be digital in nature. Any expenses incurred to the Physical Property of an organization will not be covered. For example, if there was a Cyberattack that damaged the Critical Infrastructure of a city (such as the water supply, electrical power grids, oil/gas pipelines, etc.), these would not be covered.

Cybersecurity Insurance Criticisms

It is important to note that the insurance industry is often criticized on two fronts.

First, there are currently no efforts being undertaken to create quantitative financial models or develop other risk assessment tools so that more coverage, especially in the way of the intangible losses, can eventually be offered to businesses and corporations.

Second, Insurance companies are only providing Cybersecurity Insurance to make themselves more profitable. For example, a recent study by the Financial Times demonstrated that in 2017, the Loss Ratio (which is the monetary amount of claims paid divided by the monetary amount of premiums that have been paid in) was as high as 32%. In other words, for every $1 Million in premiums that are being paid by an organization, only a mere $320,000 is being paid out in claims.

Preventative Maintenance and Cyber Hygiene

Preventative maintenance is always the first step in keeping your company’s data and IT infrastructure safe. Before taking out a Cybersecurity Insurance policy, working with a Managed Service Provider can help identify the risks and weak points you have in your current setup. Along with the many security service offerings we tailor to your business, we offer consultation within the scope of our Managed IT Support packages. We partner with you through the technicalities and terms of purchasing your Cybersecurity Insurance Policy. Contact us today if you are considering outsourcing your IT services, or if you have more questions about a Cybersecurity Insurance Policy.

Capital Techies does not sell Cybersecurity Insurance; however, we do have strong expertise on what you need to cover yourself in the event of a cyber attack.

