Cyber Insurance – What Do You Need to Know?
By Imran Ahmad
Partner, Miller Thomson LLP
Earlier this summer, when the University of Calgary was the victim of a ransomware attack, it publicly said that the cyber insurance it had purchased proved invaluable in dealing with the fallout of the attack. No doubt, organizations are increasingly looking at getting insurance that can help them in the event of a cyber incident. According to a recent PwC report, the cyber insurance market is set to triple to $7.5 billion by 2020.
With that background, should your organization get cyber insurance? If so, how should you make the business case and what steps should be taken to ensure that your organization gets a policy that is best suited to its needs?
Know Where You Stand
Before purchasing cyber insurance, organizations should, at a minimum, undertake the following assessment to ensure that they are getting the right product based on their actual needs:
Evaluate internal policies and protocols related to human, physical and network security, privacy and cyber-incident preparedness.
Identify potential exposure. This can be done in a variety of ways, including, for example, keeping a risk scorecard of the business’ divisions/departments, conducting a gap analysis of the business’ cyber incident response policies and protocols, and developing a risk map identifying and evaluating key privacy and information security risks.
Consider the various cyber-incident scenarios (from “mild” to “catastrophic”) and benchmark the costs associated with each scenario based on industry comparables.
Insurance coverage gap analysis: review the business’ current insurance policies to determine what is covered and what is not.
Based on this assessment, the business will be well positioned to determine the types of cyber risks it wishes to insure against (e.g., privacy and network security, regulatory liability, crisis management, network interruption, information asset coverage, extortion, etc.). These steps will also demonstrate to the insurer that the organization has taken steps to understand its cyber-risk profile, which may help reduce the premiums associated with any cyber policy.
What Protection Does the Insurance Provide?
As a general rule, cyber insurance will provide coverage for first-party loss and third-party liability. First-party loss coverage will typically include the following:
Coverage for the cost of investigating a cyber incident, notifying regulators and affected customers, and providing credit monitoring.
Coverage to respond to a hacker’s demand for money in exchange for unlocking or not damaging a company’s data or network. The most common example is a ransomware attack, a type of incident that has increased significantly in 2016.
Coverage for experts to restore or recover data lost after a cyber incident.
Network interruption and extra expense: reimbursing lost income or expenses associated with restoring operations when your business goes down.
In terms of third-party liability, cyber insurance will typically offer the following types of coverage:
Technology and professional liability: coverage to defend and indemnify lawsuits for negligence related to a cyber incident.
Defending and indemnifying lawsuits by parties claiming a breach of privacy because of a data breach.
Coverage for lawsuits by a party for damaging its network as a result of a cyber incident.
Privacy regulation proceeding: coverage for regulatory actions arising out of a cyber incident.
An organization’s size, the industry in which it operates, the type of data it holds, its potential risk exposures and other considerations will affect the scope of the cyber-liability coverage it seeks. A clear understanding of where it stands on the cyber-risk spectrum will be critical in ensuring that a business gets the right cyber-liability coverage. This exercise will also inform the organization when negotiating premiums and the services that should be included in the cyber policy.
While standard commercial general liability (CGL), errors & omissions (E&O), and directors & officers (D&O) policies may already provide some of these coverages, those policies may contain cyber-breach exclusions that limit the type of assistance available when dealing with a cyber incident, so they should be reviewed carefully.
Cyber insurance should be part of any organization’s risk mitigation strategy. That said, not all cyber policies are equal: an organization should first assess its specific needs and risk exposure, and then negotiate the cyber-insurance coverage that best fits them.