
What is cyber insurance, and why is it important?

Cyber insurance, also called cyber liability insurance or cybersecurity insurance, is a contract a business or other organization can purchase to reduce the financial risks associated with doing business online. In exchange for a monthly or quarterly fee, the insurance policy transfers some of the risks to the insurer.

Because of the dynamic nature of cyber-risks, options offered in cybersecurity policies can change over time. Unlike other types of well-established traditional insurance policies and coverage, underwriters of cyber insurance policies have limited data to formulate the risk models that determine insurance policy coverages, rates and premiums.

Origins of cyber insurance

Cyber insurance emerged in the late 1990s because of the growing reliance on technology and increasing prevalence of cyberthreats. Initially, insurers focused on data breaches and computer attacks. Over time, they expanded to cover a broad range of cybercrimes, including malware, ransomware, cyber extortion, social engineering attacks, system failures and business interruptions from cybersecurity incidents.

Cyber insurance has its origins in errors and omissions (E&O) insurance, a separate form of insurance that protects against faults and defects in the services a company provides. E&O insurance is analogous to product general liability policies for companies that sell physical or digital products. While some cyber insurance policies contain specific provisions for E&O, most providers sell these as separate and distinct policies. E&O insurance doesn't cover third-party data loss, such as customer credit card numbers; customers needing such protection must purchase a cyber insurance policy that covers it.

Today, cyber insurance is essential for mitigating financial and reputational damage and ensuring a resilient digital environment.

[Figure: chart of 16 types of threats covered by cyber insurance. Caption: Cyber insurance can help reduce the financial risks associated with cybercrimes.]

Why is cyber insurance important?

The loss, compromise or theft of electronic data can negatively affect a business, resulting in the loss of customers and revenue. Business owners could be liable for damages stemming from the theft of third-party data.

In 2011, hackers breached Sony's PlayStation Network, exposing the personally identifiable information (PII) of 77 million PlayStation user accounts. The breach caused an outage that prevented PlayStation users from accessing the service for 23 days. Sony incurred more than $171 million in costs related to the breach. Cyber insurance could have covered portions of this cost, but Sony didn't have a policy in place. A court case ruled that Sony's insurance policy only covered physical property damage, leaving Sony to incur the costs related to cyber damages.

Similarly, in September 2017, consumer credit reporting agency Equifax suffered a data breach that exposed the personal information of 147 million people. In 2019, Equifax reached a settlement with the U.S. Federal Trade Commission. As part of the settlement, Equifax agreed to spend $425 million to provide free credit reporting, cash payments for those already enrolled with a credit monitoring service, reimbursement for time or money spent on recovering from identity theft and free identity restoration services. A cyber insurance policy could have paid for part of the cost of Equifax's settlement, assuming the circumstances of its data breach were covered by such a policy.

Cyber insurance provides the following benefits:

  • Protection against cyber-risks. Cyber liability coverage is important to protect businesses against the risk of cyber events, including those associated with terrorism. Cyber insurance can provide network security coverage and assist in the timely remediation of cyberattacks and other incidents.
  • Financial protection. Cyber insurance offers financial security against damage caused by cybersecurity incidents. This includes expenses for investigations, credit monitoring services and legal responsibilities, among other costs associated with data breaches. In addition, it can provide compensation for business interruption, loss of revenue and computer system restoration.
  • Legal support. Cyber insurance frequently includes legal assistance, which helps businesses navigate the complicated legal system around cybersecurity events. It can pay for the costs of legal counsel, legal compliance with regulations and prospective lawsuits resulting from data breaches and privacy violations.
  • Peace of mind. Cyber insurance provides businesses and individuals with a sense of security by guaranteeing their financial stability in a cyber crisis. This lets businesses concentrate on their core business operations without having to worry about the possible financial and reputational consequences of a cyberattack.
  • Commitment to security. Cyber insurance coverage highlights an organization's dedication to safeguarding client data and being proactive with its cyberdefense. A commitment to cybersecurity can boost a business's reputation and confidence in it among customers, stakeholders and partners.

How does cyber insurance work?

Most insurance providers that offer business insurance, such as E&O, business liability and commercial property insurance, also sell cyber insurance. Policies typically include first-party coverage, which applies to losses that directly affect the insured company. They can also include third-party coverage, which applies to losses others suffer from a cybersecurity event or incident because of that third party's business relationship with the insured company.

As part of cybersecurity incident response efforts, cyber insurance policies can cover the financial losses that result from cybersecurity events. In addition, cyber-risk coverage often covers costs associated with remediation, including payment for legal assistance, investigators, crisis communicators, and customer credits and refunds.

Who needs cyber insurance?

While every organization's risk profile is unique, most companies could benefit from purchasing cyber insurance as part of their overall risk management strategy. A range of industries are good candidates for cyber insurance:

  • Businesses of all sizes. Organizations that create, store and manage electronic data online -- such as customer contacts, customer sales, PII and credit card numbers -- could benefit from cyber insurance. In addition, e-commerce businesses can benefit from cyber insurance, since downtime related to cybersecurity incidents can cause a loss in sales and customers. Similarly, any organization, including small businesses, that stores customer information on a website can benefit from the liability coverage provided by a cyber insurance policy.
  • Healthcare providers. Healthcare companies handle a range of sensitive information and patient data and are frequently targeted with data breaches and cyberthreats. According to IBM's annual data breach report, the average annual cost of a healthcare breach is nearly $10 million. To reduce the financial and legal risks connected to data breaches and Health Insurance Portability and Accountability Act violations, cyber insurance is essential for healthcare organizations.
  • Financial institutions. Banks and credit unions are prime targets for cybercriminals because of the sensitive data they handle, such as Social Security numbers, account numbers and other PII. Cyber insurance can help these institutions recover from financial damages caused by cyberattacks.
  • Government agencies. Government agencies handle a huge amount of private information. Cyber insurance can help government institutions guard against cyberattacks and ensure the continuity of public services.
  • Educational institutions. Educational institutions, such as schools, colleges and universities, store large amounts of personal and academic records for both employees and students, making them good candidates for cyber insurance.
  • Companies with high revenue. Companies with significant revenue streams are hacker targets. To guard against the financial damages from cyberattacks and data breaches, these organizations should consider cyber insurance.

What is covered and not covered by cyber insurance?

Many major U.S. insurance companies offer customers cyber insurance policy options. Depending on the price and type of policy, the customer can expect to be covered for extra expenditure resulting from the physical destruction or theft of IT assets.

What's typically covered?

Many entry-level cybersecurity insurance policies only cover first-party losses; more extensive policies cover third-party liability losses. Expenditure covered by cyber insurance typically includes costs associated with the following:

  • Meeting extortion demands from a ransomware attack.
  • Notifying customers when a security breach has occurred.
  • Paying legal fees levied because of privacy violations.
  • Hiring computer forensics experts to recover compromised data.
  • Restoring identities of customers whose PII was compromised.
  • Recovering data that has been altered or stolen.
  • Repairing or replacing damaged or compromised computer systems.
  • Providing credit monitoring services for customers affected by a data breach.

What's not typically covered?

The following are among the exclusions and issues cybersecurity policies don't cover:

  • Preventable security issues caused by humans, such as poor configuration management or the mishandling of digital assets.
  • Preexisting issues and prior breaches and cybersecurity events, such as incidents that occurred before the policy purchase.
  • Cybersecurity events initiated and caused by employees or insiders.
  • Infrastructure failures not caused by a purposeful cyberattack.
  • Failure to correct a known vulnerability, such as when a company knows a vulnerability exists, fails to address it and is then compromised through that vulnerability.
  • The cost to improve technology systems, including security hardening in systems or applications.
  • The loss of intellectual property value, such as proprietary information, trade secrets or other intangible assets whose value is hard to quantify.

How much does cyber insurance cost?

Typically, cyber insurance pricing is based on the insured entity's annual revenue, industry, extent and type of coverage, and the size of the organization. Organization size matters because more employees mean a larger attack surface for malicious actors, and more insurance coverage is required. Industry is an important factor, because industries such as healthcare and finance manage large amounts of sensitive data and deal with more risk.

The past few years have seen a surge in cyber insurance premiums and payouts, a trend attributed to expanding attack surfaces and evolving adversary techniques. According to Progressive Casualty Insurance Company, a typical policy can cost from $500 to $5,000 or more a year.

To qualify for cyber insurance coverage, an individual or entity typically must submit to an insurer's security audit or provide documentation from an approved assessment tool, such as one offered by the National Institute of Standards and Technology's Cybersecurity Framework. The results from a security audit or the documentation from approved assessment tools can factor into the types of coverage the insurance carrier provides, as well as the cost of the premiums.

How to choose a cyber insurance policy

Cybersecurity policies vary from one provider to another. To choose a policy, companies should review the policy details to ensure it contains the necessary protections and provisions. In addition, companies should evaluate whether insurance products protect against known and emerging cybersecurity incidents and threat profiles.

The various costs a plan might cover include forensic, legal and public relations expenses. In the event of a breach or attack, a forensic investigation is required, and any legal or regulatory fees resulting from a breach are often covered. Various plans also cover the costs of hiring public relations agencies to defend the policyholder's reputation. Some plans might outline coverage for specific types of attacks, such as ransomware, where a business is reimbursed for the ransom amount paid to malicious actors.

Cyber insurance vs. cyberdefense

Cyberdefense and cyber insurance aren't synonymous terms. Cyberdefense is a broad term that refers to any arrangement of security tools and policies a business chooses to implement to address cyberthreats. A cyber insurance plan is one policy a business acquires to provide remediation and financial reimbursement in the wake of a cyberattack. Cyber insurance complements other security tools and procedures.

Setting up a cybersecurity infrastructure precedes buying cyber insurance. A business that lacks security tools and policies might pay more for cyber insurance because it would be deemed to be at higher risk. However, if an infrastructure is set up prior to purchasing, risks are reduced and insurance plans have less to cover. Cyber insurance is just one component of a business's full cyberdefense strategy.


This was last updated in February 2025
