Any Managed Service Provider in Washington DC should be able to help you understand Cybersecurity Insurance. Since Capital Techies is all about maintaining our clients' business continuity, this new type of insurance policy is becoming more of a necessity.
In today's environment, there is no doubt that the Cyberthreat Landscape is constantly evolving. For every original threat vehicle launched, many variants of it soon follow. A perfect example of this is Phishing. It is probably one of the oldest forms of Cyberattack, yet it is still used heavily today in many different variants, such as Spear Phishing and Business Email Compromise.
Why Do I Need Cybersecurity Insurance?
Once an organization has been impacted, it experiences downtime while it restores operations to a baseline level. Mission-critical processes need to keep running, so the resulting loss of revenue can grow exponentially. However, loss of time and revenue are only the tangible losses.
Beyond this, there are also the intangible losses. These are the unquantifiable losses, which include the following:
- Tarnished brand image
- Loss of reputation
- Loss of customers
- The time it takes to attract new customers
- The time it takes to send out notifications to customers and stakeholders (both internal and external) that their Personally Identifiable Information (PII) could be at risk
- The time it takes to answer questions posed by law enforcement and regulators (at both the federal and state levels)
- Any further downtime that may be experienced in a potential lawsuit
The Cost of Not Having a Cybersecurity Insurance Policy
Here are some examples of what the latest Cyberattacks have cost Corporate America:
As you can see from the diagram above, the costs are enormous, and every year they are getting worse. But keep in mind that these are only the tangible costs, not the intangible costs. If the latter were factored in, the costs would be far more staggering.
Corporate America is now looking into procuring Cybersecurity Insurance as a means to hedge or cover the losses incurred after a Cyberattack. However, purchasing a plan is a little more complicated than getting car or medical insurance. Unfortunately, it is also poorly understood by C-Suite Executives.
Cybersecurity Insurance Coverage
When shopping around for the policy that’s right for you, this is what is typically covered:
Cybersecurity Insurance Coverage of Damage or Loss to Electronic Data
This includes any "damage, theft, disruption or corruption" of the Electronic Data that a business or corporation may possess. It even covers any loss or damage to your employees' workstations, laptops, or wireless devices. But in order to be provided coverage, two criteria need to be met:
- The damage to the Electronic Data must be the result of a Cyberattack;
- Coverage will only be granted for Electronic Data that resides on company-issued devices.
This provision will also provide coverage to recover any hijacked, lost, or stolen Electronic Data, and even the costs that are associated with hiring a specialist to accomplish this task.
Cybersecurity Insurance Coverage of Any Lost Income
To a certain extent, many insurance providers will cover monetary loss resulting from a Cyberattack, whether it is lost revenue or extra expenses incurred because of it. However, this coverage is typically different from the normal coverage afforded by a standard Commercial Property Policy, which applies only to monetary losses incurred on the physical property of a business entity.
Cybersecurity Insurance Coverage of Damages from Cyber Extortion
Cyber Extortion is exactly what it sounds like: Cyber-criminals demand payment by using a threat or malicious activity against you or your business. A data compromise or a denial of service are typical extortion techniques used against victims.
Ransomware is an example of this. In this kind of Cyberattack, the hacker sends Malware to your computer or server, which locks up the screen and any mission-critical files that reside on it. The hacker will typically ask for a ransom, payable in a virtual currency such as Bitcoin. Theoretically, once this is paid, the Cyber attacker should send you the decryption key to unlock your screen and files, but in reality this hardly ever happens. Cybersecurity Insurance will cover this from two perspectives:
- Any costs that are associated with responding to the Cyber attacker;
- Any ransom money that you have paid them.
Cybersecurity Insurance Coverage for the Costs of Notification
After a security breach has impacted an organization, many regulations now require the C-Suite to provide written notification to the affected stakeholders, typically customers, suppliers, etc. Cybersecurity Insurance will cover the following:
- The costs associated with notifying the stakeholders (such as letter preparation, the cost of sending the letters out, etc.);
- Any legal expenses;
- Providing credit monitoring services to the impacted stakeholders (typically for one year);
- In some cases, the costs associated with setting up a temporary call center to address stakeholder questions and concerns.
First Party Coverages vs. Third Party Coverages
The above are known as “First Party Coverages” and are subject to a deductible based upon the type of Cybersecurity Insurance that you have.
It should be noted that Cybersecurity Insurance also provides for what are known as "Third Party Coverages". These typically arise from claims that have been filed by the impacted stakeholders against the organization, and from any monetary settlements that have subsequently been agreed upon. Typical examples include the following:
Cybersecurity Insurance Coverage for Third-Party Network Security Liability
These kinds of claims arise when lawsuits are filed against a business entity after a major breach in which Personally Identifiable Information (PII) has been hijacked as a result of a Distributed Denial of Service (DDoS) attack, Virus, Malware, or any unauthorized access to the database in which the PII resides.
Cybersecurity Insurance Coverage for Third-Party Network Privacy Liability
This differs from the above: here the Cybersecurity Insurance policy covers claims made on the grounds that the organization did not adequately protect the PII stored in its database. Inadequate protection often refers to not deploying and applying the latest software patches and upgrades, letting unauthorized users gain access to the database when there was no need for them to have it in the first place, etc.
Cybersecurity Insurance Coverage for Third-Party Electronic Media Liability
Typical examples of this include:
- Copyright Infringement
- Domain Name Infringement
Cybersecurity Insurance will only cover those instances if the above has been published and distributed maliciously over the Internet, without your prior knowledge.
What Is Not Covered by Cybersecurity Insurance
Anything in excess of your policy limit or sub-limit:
Any costs or claims that exceed your current Cybersecurity Insurance policy limit will not be covered. In these cases, if more coverage is needed, you will have to take out a new policy with higher limits, which will be more expensive.
A sub-limit is a limitation within an insurance policy on the amount of coverage available for a specific type of loss. It sets the maximum amount that will be paid out for that specific loss, rather than providing additional coverage for that type of loss.
For example, a sub-limit may apply to the costs related to a Forensics Investigation, which would place a cap on that specific kind of activity.
Loss of Intellectual Property (IP) or Corporate Trade Secrets
At the present time, Cybersecurity Insurance does not cover this, because the industry cannot quantitatively gauge with any certainty the losses that occur through devaluation in this area.
The Loss to Reputation and Brand Damage
The insurance industry currently has no financial methodology to quantify the risk in these two areas. The present view is that it is up to the CIO or CISO to provide protection in this area and to bear any financial expenses that are incurred.
Expenses due to Business Interruptions or Downtime
In this instance, any monetary loss incurred is not covered by a Cybersecurity Insurance policy.
Any Security Breaches That Have Been Caused by Negligence
The insurance industry will not provide coverage for an organization that maintains poor "Cyber Hygiene". Although this is a qualitative term, it can stem from such things as not implementing a Security Policy, being out of compliance with federal regulatory agencies, or even failing to maintain the minimum standards set forth by the insurance company providing the Cybersecurity Insurance.
Threats Posed by Nation-State Actors
Nation-State Actors work for a specific government to disrupt, compromise, and wreak havoc on opposing governments, political organizations, and dignitaries in order to gain access to valuable intel and data, which has the power to create significant international incidents.
Insurance companies do not provide coverage for any hacks or Cyberattacks that have been ascertained to be terrorist in nature. Typically, this will involve Fortune 100 companies that have a large international presence, with a lot of Personally Identifiable Information (PII) at risk.
Remediating IT Assets
Any costs incurred to fortify an IT Asset after a Cyberattack are not covered.
Losses to Physical Property
As described earlier, Cybersecurity Insurance will typically cover only those losses that are deemed to be digital in nature. Any expenses incurred for damage to the Physical Property of an organization will not be covered. For example, if a Cyberattack damaged the Critical Infrastructure of a city (such as the water supply, electrical power grid, oil/gas pipelines, etc.), these losses would not be covered.
Cybersecurity Insurance Criticisms
It is important to note that the insurance industry is often criticized on two fronts.
First, there are currently no efforts being undertaken to create quantitative financial models or to develop other risk assessment tools, so that more coverage, especially for the intangible losses, can eventually be offered to businesses and corporations.
Second, insurance companies are only providing Cybersecurity Insurance to make themselves more profitable. For example, a recent study by the Financial Times showed that in 2017 the Loss Ratio (the monetary amount of claims paid out divided by the monetary amount of premiums paid in) was as high as 32%. In other words, for every $1 Million in premiums paid by an organization, only a mere $320,000 is paid out in claims.
Preventative Maintenance and Cyber Hygiene
Preventative maintenance is always the first step in keeping your company's data and IT infrastructure safe. Before taking out a Cybersecurity Insurance policy, working with a Managed Service Provider can help identify the risks and weak points in your current setup. Along with the many security service offerings we tailor to your business, we offer consultation within the scope of our Managed IT Support packages. We partner with you through the technicalities and terms of purchasing your Cybersecurity Insurance Policy. Contact us today if you are considering outsourcing your IT services, or if you have more questions about a Cybersecurity Insurance Policy.
Capital Techies does not sell Cybersecurity Insurance; however, we do have strong expertise on what you need to cover yourself in the event of a cyber attack.