So you’ve decided it’s time to secure a cybersecurity insurance policy for your company — but you’re not sure where to start. With today’s constantly evolving threat landscape and rapidly increasing policy pricing, you’ll want to make sure you’re extra prepared before you start shopping around.
The good news is we’ve got you covered. In this post, we’ll walk you through what it takes to get started and what to keep an eye out for.
There are some key things you’ll want to have a handle on right out of the gate, including:
- Where to Start: Am I covered, and is it enough?
- What to Look For: Policy Basics
- What to do Next: Reducing Your Risk
Where to Start: Am I covered, and is it enough?
To begin with, you’ll need to evaluate your current insurance policy and Cyber Risk Value.
Every insurance company differs in what is covered in their general business policies, and, according to Nationwide Insurance, most Commercial General Liability policies exclude cyber coverage. For the policies that do include it, many typically cover only a small amount, which is related to very specific incidents. Therefore, it’s essential to review your policy to see if you’re covered, or check with your current insurance company to see if this is something they offer. You may be surprised to find that many insurance companies provide such policies — from large national brands to smaller shops.
Along with your insurance policy, it’s important to understand your Cyber Risk Value. Nearly every business inherently carries cyber risk associated with data stored on company computers. A common type of cyber risk that businesses work with is Personal Identifiable Information (PII) and Protected Health Information (PHI). PII is information that is used to specifically identify individuals (social security, credit card, and/or driver’s license numbers). PHI is health information used to provide patient care (demographic information, phone numbers, and/or medical results). Though there are best practices when it comes to securely encrypting PII and PHI, many companies may not be enforcing strict cyber policies. Since this information can be found in documents, notes, emails, and other unsecured files, this can significantly increase a company’s liability should a breach occur. Because cyber risks can be accidental or intentional, and can happen many different ways, ongoing cyber hygiene practices should be a critical pillar of your cyber risk strategy.
Once you understand what cyber risk is, you can then translate it into Cyber Risk Value. Every piece of sensitive information (such as PII or PHI) has a monetary value associated with it. The sum total value of each unencrypted PII and PHI occurrence determines your Cyber Risk Value. If you were to be breached in a cyber security attack, your company would be fined for each piece of PII and/or PHI. Therefore, knowing your Cyber Risk Value can help you make more informed decisions. It allows you to accurately cover your cyber insurance policy, minimize any unnecessary stored sensitive information, or monitor internal cyber hygiene practices. Tools such as RiskAware can provide you with your Cyber Risk Value by safely and securely assessing and calculating potential risk found on company computers, and give you the information necessary to proactively make smart business decisions.
What to Look For: Policy Basics
When shopping for a cyber insurance policy, you’ll often find it split into two categories: first-party coverage or third-party coverage (cyber liability).
First-party coverage is focused on protecting your company’s data. This often includes:
- Investigating the incident
- Recovery/replacement of data
- Lost revenue due to business interruption
- Legal counsel to determine your notiﬁcation and regulatory obligations (i.e., notifying customers about the cyber incident and providing them with anti-fraud services)
- Investigating the source of the breach
- Restoration of business reputation
- Resurrection of a network
- Recovery and replacement of lost or stolen data
- Fees, ﬁnes, and penalties related to the cyber incident
- Payment of ransom to cybercriminals
Third-party coverage (often called Cyber Liability Insurance) is focused on protecting you from a third-party lawsuit. Often, you’ll find these policies cover:
- Payments to consumers affected by the breach
- Claims and settlement expenses relating to disputes or lawsuits
- Attorney/Court/Litigation fees and costs
- Losses related to defamation and copyright/trademark infringement
- Regulatory fines
- Other settlements, damages, and judgments
- Accounting costs
Determining which type of policy is best for you starts with knowing both your specific business needs and Cyber Risk Value. You can also review the guidelines provided by the Federal Trade Commission (FTC), which recommends that an average cyber policy includes the following:
- Data breaches (Such as incidents involving theft or PII and PHI)
- Cyber attacks on your data held by vendors/and other third parties
- Cyber attacks (such as breaches of your network)
- Cyber attacks that occur anywhere (global scale, not just in the U.S.)
- Terrorist attacks
Planning for your organization’s cybersecurity needs can be daunting, which is why it’s important to work with an experienced insurance agent who can help explain your cyber insurance needs. From there, you should be able to determine a policy tailored to your business environment.
What to do Next: Reducing Your Risk
Obtaining a cyber insurance policy is just the first step to reducing your risk. To ensure you’re getting the most out of your policy, you’ll need to stay on top of your organization’s sensitive PII and PHI. Because it’s not uncommon for companies to overpay or underpay on their cyber insurance policies, our Cyber Risk Value can be an effective tool for helping you make informed policy decisions.
According to the National Cyber Security Centre, most policies are re-assessed once per year. By monitoring your Cyber Risk Value through tools like RiskAware, you can optimize your policy to match internal changes which may affect your policy’s cost and/or coverage. Like with any insurance policy, it’s critical to inform your insurance company as you discover changes in your Cyber Risk Value.
When it comes to cyber insurance:
- It’s critical to know if — or how — your organization is covered in the event of a cyber incident
- Discuss your unique business needs with your agent, so they can determine the optimal cyber coverage options for your organization
- After acquiring your policy, continue to monitor and manage your Cyber Risk Value to avoid being either under- or over-insured
Learn more about the cyber insurance landscape by downloading RiskAware’s free ebook for small businesses.