Transfer the risk of a security breach with a cyber insurance policy

November 1, 2017

Cyber insurance can provide peace of mind from cyberattacks.

There’s a good chance that technology and social media are playing a large role in how your company attracts new customers and employees. They may also be attracting an unwanted element: cyberattacks. The attack could be coming from a curious hacker, a criminal intent on profiting from your misfortune, or even a nation state looking for intellectual property and sensitive data.

Regardless of who the intruder is, you need to address these risks in your information system risk management plan. You may determine that a risk is unlikely, and you can accept it. Other risks will need mitigation in order to be avoided.

What if you can’t avoid or accept the risk? This is where you may be able to transfer the risk by having a good cyber insurance policy.

What is cyber insurance?

Cyber insurance policies have been created to help offset recovery costs should sensitive data be exposed in a security breach. Policies started showing up during the early 2000s, and forecasts call for cyber insurance premiums to reach nearly $8 billion by 2020 with more than one-third of all U.S. companies having some type of cyber insurance.

According to a study by NetDiligence, a cyber breach for a mid-market company can cost from $1 million to over $3 million, depending upon the type of data that was lost. That high cost of recovery helps to explain the massive rise in popularity of these policies.

What does cyber insurance cover?

Typically, cyber insurance policies cover expenses related to first parties (damages sustained by your company) as well as claims submitted by third parties (such as your clients). Some of the more common expenses include:

  • How the breach occurred: Forensics investigators will determine how the breach occurred, how to repair any damage, and how to prevent a similar breach in the future. These investigations may involve a third-party security firm as well as law enforcement and the FBI cyber investigations unit.
  • Notifications to impacted parties: You may be required to send notifications of the data breach to those impacted. In many cases, this notification is mandated by law. These costs also include credit monitoring services for those affected by the breach.
  • Legal expenses: Several larger companies saw class-action lawsuits when their data was breached. These legal expenses may be included in your policy, and may even include costs to cover ransomware extortion.
  • Business losses: A breach could potentially shut down your operations for an extended period of time, greatly impacting your bottom line. Network downtime, operations interruption, data recovery and crisis management can be covered in your policy, but keep in mind these costs add up fast!

Make sure you keep in mind the additional costs that may occur due to a security breach. If the public were to find out, there’s a good amount of time and money that you’ll need to spend repairing your brand name on top of all of the expenses listed above.

Getting started

Create an information system risk management matrix if you haven’t already. Keep in mind that risks can be physical (fire, tornado), digital (malware, ransomware, data breach), and even operational (finding talent for a legacy computer system, a downturn in the economy that impacts your IT budget). Determine how likely each risk is, and the impact to the company if it were to occur. This will help you to prioritize which risks to address first. Be sure that someone is assigned to each risk and that they have a mitigation plan, whether it’s accepting, avoiding or transferring that risk.

When it comes to cyber insurance, a good first step is to create a list of expenses that you would want covered in the event of a breach. This can help you to determine the magnitude of the first-party and third-party costs. Many insurers also provide a calculator on their websites to help organizations create coverage lists and estimate costs.

Also be sure to read the fine print within the contract—you’ll want to know if there’s anything that denies coverage in the event of a breach. With all the commotion of a data breach, the last thing you need is all that risk transferred right back to you!
