As cybersecurity attacks and ransomware demands continue to increase and often become the lead story of many news outlets, businesses are looking to cyber insurance to help offset the costs associated with a cyberattack. Because they are prime targets for ransomware attacks due to the valuable data they store, healthcare, education, legal, and financial organizations – and any professional services company – have a solid focus on evaluating and purchasing cyber insurance.
Cyber insurance goes mainstream
Early forms of cybersecurity liability insurance in the 1990s focused on online media and data-processing errors. Coverage was sparse and included many exemptions. As computer, digital communications, and internet use evolved, so did policies. By the 2000s, coverage began to include viruses, networks, unauthorized access, and data breaches and loss. When states began passing laws that require notification of people whose data may have been accessed or stolen, insurers began to add first-party coverage.
Cyber insurance, as we know it today, was developed to mitigate the financial risk associated with three elements of cybercrime. The first is the massive number of targeted intrusions companies experience, where hackers breach systems with the intent to steal valuable information. Second, the “Dark Web” provides a place where criminals illegally buy and sell stolen data and often use it for fraudulent activities such as emptying bank accounts and identity theft. Finally, cyber criminals have realized significant financial success by taking over companies’ systems and requiring them to pay a ransom to retrieve their data and bring systems back online.
Real-world liabilities: Cybercrime
A successful cyberattack can cause a myriad of liabilities for an organization. Among the risks and challenges is the potential for hackers to hold, publish, and use confidential data. For example:
- A company’s financial information, product secrets, payroll and employee data, and customer data – including Personally Identifiable Information (PII), credit card numbers, or banking information,
- A healthcare organization’s patient and financial data, including Protected Health Information (PHI),
- A law firm or legal service provider’s highly sensitive and confidential information, which they use to support their clients’ matters or business, and
- Valuable information of any kind, or even software systems required to operate a business, can be breached by hackers and held for ransom. Using ransomware, cybercriminals request money (often in the form of Bitcoin or another cryptocurrency) in exchange for releasing your data or reestablishing your system access. Because thieves are generally not reputable, they may attempt to further extort money from you or your customers in return for not publishing their data. It is important to note that, in many cases, it is actually illegal to pay a ransom. You can expect a visit from the FBI if they become aware of this action.
- Organizations who experience data breaches may be subject to industry, regulatory, and government financial penalties, especially if they cannot demonstrate that they have a comprehensive information security program in place.
Beyond direct financial costs and penalties, companies that experience a cyberattack face many indirect costs. Those include:
- Operational delays or shutdowns, including patient care delays in healthcare facilities due to tampering with connected medical devices,
- Loss of worker productivity due to the inability to access computer data,
- Loss of sales because goods or services cannot be provided to customers until the computer problem(s) are resolved,
- Loss of trust and confidence by your customer base, resulting in them purchasing from your competitors,
- Financial loss from the cost of restoring computers and data, plus any ransom paid, and
- Business closure: 60% of small businesses close within six months of data breach or cyber-attack.
Insurance coverage has become a valuable tool for any organization to include in an arsenal to reduce risks that go hand-in-hand with cybercrime.
Market demand for cyber insurance coverage
Recently, the US Government Accountability Office (GAO), as required by the National Defense Authorization Act for Fiscal Year 2021, studied and published data, trends, and challenges faced by cybersecurity insurers. Among the data the GAO identified is:
- The number of companies purchasing cyber insurance increased from 26% in 2016 to 47% in 2020.
- The cost for cyber insurance increased by 10 to 30% in 2020 as demand increased.
- Cybersecurity policies are becoming more specific to 1) what they will or will not cover and 2) coverage limits.
- Tracking financial repercussions of cyberattacks is relatively new, so there is limited data regarding estimated losses from events. As a result, policy pricing and coverage can vary significantly from policy to policy.
What to consider: Purchasing a cyber insurance policy
So, how do businesses decide the amount of coverage they need and which risks should be covered? And, how do insurance companies determine how much coverage to provide, the costs, and the potential risk they will incur?
Typically, an insurance company will ask a potential customer to complete a form that identifies what assets they would like covered and how the business will be affected should a cybersecurity attack occur. Additionally, the insurance company will want to know:
- The internal policies and measures the business has in place to mitigate the risk of their assets being affected by a cyberattack,
- How you manage your program, along with the credentials of the personnel who perform these activities,
- The frequency of your updates to program documentation, policies, and assets, and
- How often you perform various tests of your information security program, such as tabletop exercises, disaster recovery plans, and penetration exercises.
Those who work in cybersecurity will recognize this process, as risk assessment and periodic audits follow a similar path. With a sound technology platform for managing your cybersecurity program, providing this information to an insurance company is relatively straightforward. However, if you manage your program using a homegrown system with spreadsheets and multiple information repositories, it will be a more labor-intensive, time-consuming process. In fact, your carrier or broker may not offer coverage to businesses that cannot prove the scope and quality of their program—more details on that issue below.
The purpose of the exercise above is to demonstrate the:
- Maturity of your existing program,
- Controls in place to reduce risk, and
- Ongoing process in place to continuously monitor and improve your program.
When you demonstrate that you have not had any car accidents or speeding tickets for the past several years, compared to someone with a record of accidents and moving violations, it results in a lower car insurance premium. Likewise, proving that you have a robust cybersecurity program and qualified personnel to manage it can reduce the cost of your cyber insurance. In this case, you want to demonstrate that you have implemented cybersecurity best practices and continuously review and improve your program.
Developing your cyber insurance strategy
The next step is to identify the type of insurance coverage to be purchased and any internal personnel policies needed to meet any coverage requirements.
Company leaders should involve key stakeholders with the asset documentation process and vetting cyber insurance companies and policies. The stakeholder team should include representation from privacy and security leaders, information technology personnel, senior executives, board members, and legal personnel.
Cyber insurance is not a “one-package-fits-all” type of product. Your key stakeholders, led by the General Counsel and Chief Information Security Officer (CISO) or the person responsible for protecting the organization’s assets, must determine coverage importance. First, consider which types of coverage are critical vs. nice-to-have for your business, depending on the associated costs and coverage terms. Then, consult with your insurance agent(s) to determine which policies and coverages are recommended based on your requirements.
Insurance Coverage Options
Among the types of cyber insurance options are:
- First-Party: As suggested, this type of insurance will cover anyone directly involved in the incident. Often, the policy will include the following services:
  - Data Destruction – will typically pay for costs incurred to replace data if the data is destroyed or lost due to theft or fraud
  - Fraud and Theft – will typically reimburse a company for fraudulent money transfers
  - Extortion, such as ransomware
  - Online Theft
  - Denial of Service
  - Forensic analysis performed by technical or legal personnel
- Liability Coverage: This covers incidents caused by others.
  - Errors of Commission or Omission
  - Data Breaches
  - Data Theft of Business Secrets
  - Defamation and Related Negative Publicity
- General Benefits:
  - Post-Incident Management
  - Public Relations Initiatives
  - Major Investigations and Reports
  - Criminal Reward Funds
- Litigation Coverage:
  - Pays for court judgments, lawsuits, penalties, and fines associated with the cyberattack incident
- Communications and Notifications:
  - Pays for the costs of notifying the appropriate agencies and people of the incident
- Credit Monitoring and Review:
  - Pays for providing credit monitoring to any victims of a cybersecurity incident
- Breach of Privacy and Confidence:
  - Pays for liability that may arise from a breach of customer confidentiality
Note: For specific information about your coverage or potential coverage, please check with your insurance agent or policy.
Trends in cyber insurance: What’s changing in 2021?
The insurance industry is for-profit, and insurance companies make their money by evaluating risk and offering coverage that collects more in premiums than it pays out in claims. As such, insurance companies are constantly assessing risk, and their fees are dependent upon it. Simple.
The cyber-insurance model is no different. Carriers want to insure those companies and organizations with a dedicated, well-educated cybersecurity team, strict policies that are documented and followed, and supportive technologies that reduce the risk of being the victim of a cybercrime.
Due to the increase in cyberattacks and the associated risks that companies face if they experience one, several new trends have emerged. They include:
- Some insurance companies have recently moved to a model that will reduce or eliminate the coverage for businesses with a limited or no cybersecurity program in place.
- Another emerging trend is that cybersecurity insurance companies have reduced or completely eliminated the option to cover the costs of ransomware attacks. According to research from Chainalysis, rising ransomware costs are pushing carriers to reevaluate how much coverage they can afford to offer to clients.
- Two states, Ohio and Utah, have enacted Cybersecurity Affirmative Defense Acts. These laws protect companies that experience a cyber breach and have created and maintain a cybersecurity program by allowing them to use an Affirmative Defense (see below) in any litigation associated with the breach. This defense will protect companies from being sued for claims such as:
  - Failure to implement reasonable information security controls, resulting in a breach of system security
  - Failure to appropriately respond to a security breach
  - Failure to notify an individual whose personal information was compromised in a data breach
An organization’s cybersecurity program must meet several criteria in order to qualify for this defense. It must be:
- Designed to protect the security, confidentiality, and the integrity of personal information
- Designed to protect against a cybersecurity breach
- Conform to a recognized cybersecurity framework such as NIST, ISO, SOC, CMMC, and HIPAA
There are some limits to the ability to claim an Affirmative Defense, including:
- Any known notices of a threat or hazard that was not addressed
- The company did not act in a reasonable amount of time to perform remedial actions to protect against a known threat
- The threat resulted in a system security breach
There are many reasons to implement and maintain a cybersecurity program. First, it is the right thing to do to keep your data and your customers’, partners’, and employees’ data secure. And, if you fail at protecting the information you have been trusted to handle, it will cost significantly more to repair the damage to your company and its reputation. As described above, implementing and maintaining a cybersecurity program can enable you to leverage Safe Harbor protections, like those in the laws recently enacted by Ohio and Utah.
Finally, to leverage cybersecurity insurance, you need to demonstrate that you have a comprehensive program to protect against risk. If you do not have a comprehensive cybersecurity program in place, now is the time to build one.
It may be a matter of your company remaining in business — or not.
Questions about cyber insurance and information security? Orrios can help.
Contact us for expert advice and guidance.
Orrios’ OnTrack platform helps businesses meet cyber insurance requirements by enabling them to create, manage, analyze, and monitor their information security program. From assets and vendors to a library of policies and controls to risk assessment and mitigation, your entire security program is accessible in one easy-to-use platform.
Reach out to Steve Henn for our guide on using OnTrack to help your clients efficiently and cost-effectively manage their information security program.