Intricacies Involved with Cyber-Insurance

Today, no business is foolproof against cyber-attacks and data privacy breaches. At the same time, cyber criminals are growing more sophisticated day by day. The demand for cyber-insurance has grown as a result. Globally, around 33% of big/mid/small size organizations have started opting for some type of cyber-insurance policy to reduce the impact of cyber-attacks. At present, approximately 25 insurers offer this type of insurance, and all these carriers offer coverage for first-party and/or third-party losses. The target coverage varies from insurer to insurer, and in places the policy itself may not be tagged as a “cyber policy” or “cyber-insurance”.
Insurers offer both first-party and third-party insurances covering cyber losses. 
First-party coverage: This coverage insures losses to the policyholder’s own data, income or any other adverse impact to the business resulting from a data breach or cyber-attack.
Third-party coverage: This coverage insures the liability of the policyholder to third parties, including clients and governmental entities, arising from a data breach or cyber-attack.

Available First-Party Coverage Includes

  • Theft and fraud: Coverage for destruction or loss of the policyholder’s data as the result of a criminal or fraudulent cyber-attack. This also includes theft and transfer of funds.
  • Forensic investigation: Coverage for the cost involved in legal, technical or forensic services necessary to assess whether a cyber-attack has occurred, to assess the impact of the attack and to stop an attack.
  • Business interruption: Coverage for the lost income and related costs where a policyholder is unable to conduct business due to a cyber-attack or data loss.
  • Extortion: Coverage for the costs involved in the investigation of threats to commit cyber-attacks against the policyholder’s systems and for payments to extortionists who threaten to obtain and disclose sensitive information.
  • Computer data loss and restoration: Coverage for the physical damage to, or loss of use of, computer-related assets. Also includes the costs of retrieving and restoring data, hardware, software or other information destroyed or damaged as the result of a cyber-attack.

Available Third-Party Coverage Includes

  • Privacy liability: Coverage for liability to employees or customers in the event of a privacy breach.
  • Crisis management: Coverage for crisis management and public relations expenses incurred to educate customers concerning a cyber-attack and the policyholder’s response. This also includes the cost of advertisement for this purpose.
  • Credit monitoring: Coverage for the cost involved in credit-fraud monitoring or other related services to customers or employees affected by a cyber-attack.
  • Litigation and Regulatory: Coverage for the cost involved in civil lawsuits, judgments, settlements or penalties resulting from a cyber-attack.
  • Regulatory response: Coverage for the cost involved in legal, technical or forensic services necessary to assist the policyholder in responding to governmental inquiries relating to a cyber-attack. Also provides coverage for fines, penalties, investigations or other regulatory actions.
  • Notification: Coverage for the costs involved in notifying customers, employees or other victims affected by a cyber-attack. Also includes the notice required by law.
  • Media Liability: Coverage for media liability, copyright, trademark or service mark infringement resulting from online publication by the insured.
The availability of coverage depends on the traceability of the crime source. Insurance for losses arising from a breach of customer or employee privacy is easier to find, and hence the insurance market for this type of coverage has many options. On the other hand, insurance coverage for the financial losses arising from data or privacy breaches, such as lost business income and loss of the value of destroyed information assets, is harder to find. Hence the availability of this coverage type declines.
Premiums for cyber-insurance vary widely. As per a recent survey from Gartner, cyber-insurance premiums range from $10,000 to $35,000 for $1 million in coverage. While the coverage has become more available, insurers continue to develop their understanding of cyber risks. As a result, insurers have had difficulty pricing this insurance, and there can be large differences between the premiums charged by two different carriers to insure the same risk.
Small and medium segment businesses are the ideal candidates for cyber-insurance, as they may be less prepared for a data breach and less able to absorb the costs associated with one. Larger companies, however, having more substantial risk management and legal departments, are better equipped technically and financially to deal with a data breach. This makes insurance a less effective risk management tool for them.
As per NetDiligence, insurers who have been in the cyber-insurance business the longest (ACE, AIG, Beazley and Hiscox) have large books of claims and are handling several claims per week in this insurance segment.

Important Tips for Considering Cyber-Insurance

  1. Identify unique business risks: Understand the nature and extent of the risks faced by the company. E.g., for BFS and retail, the primary concern is the theft of personal financial information, whereas the major risk for an energy company is the disruption of critical business or physical operations through attacks on networks.
  2. Risk Management as a Service: Many insurers offer cyber risk management services. Consider whether the company needs these services. If it does, work with a carrier that offers a robust risk management program.
  3. Understand existing coverage: Understand what coverage the existing first- and third-party policies provide for cyber risks. Based on this review, a top-up purchase of the necessary type of cyber-insurance, as per company needs, may assist.
  4. Buy as per need: Insurers today offer a variety of coverage. Hence it becomes important to focus on the fundamentals of business needs and opt for policy coverage without the limitation.
  5. Secure appropriate limits and sub-limits: Most importantly, a company should assess the value of cyber-insurance and compare it with the anticipated costs associated with a data breach liability and the related costs.
  6. Beware of exclusions: Coverage for a loss or claim depends on the language of the policy exclusions as opposed to that of the grant of coverage. Because cyber-insurance is a new product, the policy language is not standardized.
  7. Get retroactive coverage: Policies sometimes restrict coverage to breaches or losses that occur after a specific date. Sometimes, this is the inception date of the policy, which means that there would be no coverage for breaches that occurred before the inception of the policy. It is important to purchase coverage with the earliest possible retroactive date.
  8. Understand the “Triggers”: It is important to understand the coverage activation under the cyber-insurance policy. For some, the trigger is the date the loss occurred, while for others the trigger is the date that a claim is made against the insured. In order to provide proper notice, you need to understand coverage application under each policy purchased.
  9. Coverage for data restoration costs: Many cyber-insurance policies do not provide coverage for the costs to replace, upgrade or maintain a computer system that was breached. Data restoration costs are potentially prohibitive. Any company that faces the risk of a data breach should take steps to ensure that its policies provide coverage for the costs of putting the company back in the position it was in before the breach.
  10. Coverage for loss of information through unencrypted devices: Professionals today work on computers and tablets outside the office on encrypted/unencrypted, company-owned/personal laptops and storage devices. It is important for firms facing a loss of data through a compromised unencrypted device to purchase insurance that provides coverage for such losses.
  11. Coverage for acts or omissions by third parties: Many companies outsource data processing or storage to a third-party vendor. It is important that the company’s cyber-insurance policy provide coverage for claims that arise from misconduct by one of the company’s vendors.
  12. Dovetail cyber-insurance with indemnity agreements: A company’s indemnity agreements should work hand-in-hand with its cyber-insurance. E.g., many cyber-insurance policies have retentions and require that the retention be satisfied by the insured. Insurers may interpret this language to require that the insured pay the retention out of its own pocket and that a payment by a third party under an indemnity agreement would not satisfy the retention. This is subject to negotiation.
Authored By - Disha Pandit
TCS Cyber Security Practice