As businesses continue to rely on emerging technology and data to serve their customer base, they may be exposing themselves to cyber risk, which encompasses any financial loss or damage incurred from a cyberattack or breach.
That’s where cyber insurance comes in.
“Cyber insurance is such a critical thing for businesses,” said Mike Volk, vice president of cyber risk solutions at PSA Financial, an insurance brokerage and risk management firm. “Every business that relies on data or technology needs it.”
While cyber insurance is still a maturing concept, cyber liability is not. Since the 1990s, businesses have purchased cyber liability insurance to cover data loss or damage due to computer viruses. Then, in 2014, with rulings from two separate court cases that found that personally identifiable information breached by a hacker was not covered under general liability insurance, modern-day cyber insurance was born.
Cyber insurance today covers four things: liability, cyber event expenses, the cost of restoring and recovering data and cyber crime.
Liability coverage protects companies from third-party liability in the event a company they contract with suffers a data breach. It can also cover any fines or penalties a company suffers as it navigates a state’s data breach reporting laws. In Maryland, for instance, a company is required to alert consumers within 45 days of a breach, unless delayed by a law enforcement agency or the need to determine the scope of a breach.
Cyber event expenses coverage includes the cost of an attorney to navigate state laws and regulations. Since every state has different data breach reporting laws, they can be difficult to navigate, said Volk, making a lawyer necessary to keep incident response in check.
This also covers the cost of a forensic audit of the breached software or data to see what went wrong and notification expenses a company might incur informing consumers their data was breached in accordance with state laws.
Cyber insurance also covers the costs of restoring and recovering data, including any costs to get a business back up and running, if operations were shut down or severely limited by the effects of the breach. Additionally, some insurance covers payroll costs if employees cannot work due to the data breach.
Finally, cyber insurance covers ransoms, but that does not mean a ransom is always paid.
“Sometimes you’ll hear things like, ‘Never pay a ransom,’ but it’s hard to say that without context,” Volk said.
When a forensic audit of a breach is done, auditors may find that the perpetrators of the cyberattack do not have as much access to a company's data as they claim, and the ransom might not need to be paid. On the other hand, sometimes cyberattackers have access to critical infrastructure that prevents a company from operating. In those cases, typically a ransom is paid.
However, Volk cautioned, while cyber insurance is important, it “should never be thought of as a replacement for controls. It’s not something you do instead of, but a part of, a cyber risk management system,” he said.
A cyber risk management system includes protections like two-factor authentication, firewalls, virtual private networks, antivirus software, data backups, encryption and endpoint detection and response. Early detection of incidents is crucial, Volk said, because if you can catch a cyberattack early, you can mitigate more of the damage.
Markus Rauschecker, the director of the University of Maryland’s Center for Health and Homeland Security’s Cybersecurity Program, agrees.
“Having a plan in place is one of the most important things a client can do, because it’s not a matter of if a cyber incident will happen, but when,” said Rauschecker. “Cyber insurance is becoming an even bigger part of incident response plans.”
The center, which is about 20 years old, works with clients worldwide to develop these incident response plans, which are procedures companies follow in the event of a cyberattack. They also hold trainings with clients to talk through different cyber incident scenarios and see how a client may respond, and should respond, to an attack.
There is no one-size-fits-all policy a company can seek out for cyber insurance. Instead, cyber insurance tends to be very client-specific, said Rauschecker. The cost of insurance coverage depends on what data a company might deal with and how much, as well as what type of company is seeking insurance.
Additionally, some companies might want coverage for forensic and legal fees while others might not, so they have the ability to pick and choose their coverage level.
Still, some companies that might need cyber insurance may not even think they need it.
“We always tell our clients no matter how small, they need to take cybersecurity seriously because there’s a good chance they’ll suffer a cyberattack,” Rauschecker said. “If you can afford it, get insurance.”