Security Strategy, Plan, Budget

Five questions to ask about cyber insurance

Today’s columnist, Joseph Carson of Delinea, offers five questions companies should ask before purchasing a cyber insurance policy. (Credit: Stock Photo, Getty Images)

The Allianz Risk Barometer reports that global businesses are more concerned about cyber risks than the pandemic or other threats to their operations. Cyberattacks and data breaches can cause significant losses, not to mention damage to brand reputation from displeased customers.

So, how can businesses protect themselves? Like other types of insurance, cyber insurance can help businesses mitigate risk. It offers a safety net for businesses under the constant threat of cybercrime, and it’s evolving every day.

But before the company jumps on board with cyber insurance, it’s important to understand the specifics of an insurance policy and how a company’s own protocols factor into the process.

Cyber insurance defined

Cyber insurance covers business liability for a data breach involving sensitive customer data, such as customer payment information, account numbers, health records, and social security numbers.

Some businesses mistakenly believe that general liability insurance will cover this type of threat, but that’s often not the case. General liability insurance only covers bodily injuries or property damage caused by a product, service, or operations, not cyber threats. Here are five questions to ask about cyber insurance:

What does cyber insurance cover?

Along with legal fees and expenses, cyber insurance covers:

  • Notifying customers of a breach.
  • Restoring the identities of affected customers.
  • Recovering compromised data.
  • Repairing computer systems.

Some states require companies to notify customers of a data breach on sensitive, identifiable data, an expensive proposition. Most states don’t require companies to offer free credit monitoring after a breach, but this move can improve public relations.

Should a small business have cyber insurance?

Any business, whether large or small, should have cyber insurance if it handles sensitive customer data. If there’s a breach, the legal fees are often astronomical.

When it comes to the looming threat of a cyber breach, companies need to mitigatie the business risks and stay prepared to respond to a security incident. Here are some benefits of a cyber insurance policy:

  • Forensic assistance: Forensic services can uncover cyber incidents that originate internally, such as breaches caused by employees.
  • Protection from damage from hacks or viruses: Cyber breaches often cause a disruption to business processes, but cyber insurance may include a business interruption clause to cover lost income and compromised data.
  • Theft and data corruption coverage: Data recovery after a breach can be challenging, especially when it comes to recovering customer information or business data. Cyber insurance may include theft and data coverage to help with this process.
  • Public relations assistance: A cyber insurance policy may include public relations assistance, which can help the company rebuild its brand and maintain a positive image.
  • Coverage for stolen or damaged electronics: Cyber insurance may cover the cost of electronics, such as tablets, laptops, and mobile phones. This may include theft and loss along with a malware event.

What does cyber insurance not cover?

While somewhat comprehensive, cyber insurance doesn’t cover everything. Here’s what’s not covered:

  • Loss of future profits: Cyber insurance typically doesn’t cover lost profits, even with a breach.
  • Loss of value: Cyber insurance may not cover the cost to the business if intellectual property gets stolen.
  • Upgrades: These are typically aren’t covered by a cyber insurance policy.

There are also two different types of cyber insurance: first-party liability coverage and third-party liability coverage. Companies may purchase one or both.

First-party liability coverage protects the business from the expenses related to a breach, while third-party coverage offers protection when a vendor, partner, customer, or other party sues the business for allowing a cyber breach to occur, thus putting their data at risk.

Cyber insurance has been evolving, so it’s important to review all company policies and evaluate what the insurance covers, what it doesn’t, and how much insurance the company actually need.

Does my business need cyber insurance?

No matter the size of the business, it needs cyber insurance if the company:

  • Stores sensitive information for customers or clients.
  • Uses point-of-sale systems.
  • Provides hardware or software services.
  • Stores data on computers or the cloud.

Is cyber insurance the same as data breach insurance?

No, there’s a big difference between cyber insurance and data breach insurance. Cyber insurance covers the risk from first-party and third-party cyber incidents, while data breach insurance only covers damage to data.

How to apply for cyber insurance

Any type of insurer considers the risk it incurs when taking on a client, and cyber insurers are no different. Cyber threats are increasing, and cyber insurers want to know that the businesses are satisfying their rigorous security controls to meet the criteria.

Applying for cyber insurance requires scrutiny of the company’s risk management and security controls, including policies and protocols for multi-factor authentication and web content filtering.

Cyber insurers evaluate cyber risk using a variety of factors, including network segmentation, malware defense, administrative privileges, and access management. No matter the specifics, they’re all looking for rigorous, proactive cybersecurity risk controls. Depending on the industry, the company may face different criteria for risk controls or security measures. Fortunately, taking steps to implement protocols and controls increases the chances of the business being “insurable” and may lower overall insurance costs.

Here are some considerations:

  • Automate password management instead of relying on manual methods.
  • Implement a least privilege strategy to ensure privileges are only granted for required activities on a time limit, rather than offering blanket access.
  • Proactively rotate, monitor, and audit privileged account access with privileged access management solutions.
  • Implement security checks with multi-factor authentication to verify user identities before giving or elevating privileged access.
  • Train employees on cyber risks, security protocols, and protective measures.

Cyber insurance keeps evolving to address new threats and risks. Like protecting other aspects of the business with an insurance policy, cyber insurance gives companies peace of mind that they are covered from the negative impact of a breach, from the damaged electronics to the effects on brand reputation.

With the changing demands and rising costs of cyber insurance, it’s vital to maintain security controls to make the business more “insurable.” Solutions like privileged access management offer a significant advantage and show that the company has protected itself from external and internal threats.

Joseph Carson, chief security scientist and Advisory CISO, Delinea

Joseph Carson

-Chief Security Scientist at Thycotic
-Over 25 years’ experience in enterprise security
-Author of “Privileged Account Management for Dummies” and “Cybersecurity for Dummies”
-Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
-Speaker at conferences globally

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.