What Is Cyber Insurance?
Cybersecurity insurance (cyber insurance) is a product that enables businesses to mitigate the risk of cyber crime activity like cyberattacks and data breaches. It protects organizations from the cost of internet-based threats affecting IT infrastructure, information governance, and information policy, which often are not covered by commercial liability policies and traditional insurance products.
Cyber insurance coverage works the same way as businesses would purchase insurance against physical risks and natural disasters. It covers the losses an enterprise may suffer as a result of a cyberattack.
Why Is Cyber Insurance Important?
Cyber insurance is increasingly becoming essential for all companies as the risk of cyberattacks against applications, devices, networks, and users grows. That is because the compromise, loss, or theft of data can significantly impact a business, from losing customers to the loss of reputation and revenue.
Enterprises may also be liable for the damage caused by the loss or theft of third-party data. A cyber insurance policy can protect the enterprise against cyber events, including acts of cyber terrorism, and help with the remediation of security incidents.
For example, hackers breached Sony’s PlayStation Network in 2011 and exposed the data of 77 million users. The attack also prevented PlayStation Network users from accessing the service for 23 days. Sony incurred costs of over $171 million that could have been covered by cyber insurance. However, it did not have a policy, so it had to shoulder the total costs of the cyber damage.
Working Process of Cyber Insurance
The cybersecurity insurance process works in a similar way to other forms of insurance. Policies are sold by many suppliers that provide other forms of business insurance, such as errors and omissions insurance, liability insurance, and property insurance. Cyber insurance policies will often include first-party coverage, which means losses that directly impact an enterprise, and third-party coverage, which means losses suffered by other enterprises due to having a business relationship with the affected organization.
A cyber insurance policy helps an organization pay for any financial losses they may incur in the event of a cyberattack or data breach. It also helps them cover any costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and refunds to customers.
What Risks Does Cyber Insurance Cover?
Insurance for cybersecurity typically includes first-party coverage of losses incurred through data destruction, hacking, data extortion, and data theft. The main areas that cyber insurance covers include:
- Customer notifications: Enterprises are usually required to notify their customers of a data breach, especially if it involves the loss or theft of personally identifiable information (PII). Cyber insurance often helps businesses cover the cost of this process.
- Recovering personal identities: Cybersecurity insurance coverage helps organizations restore the personal identities of their affected customers.
- Data recovery: A cyber liability insurance policy usually enables businesses to pay for the recovery of any data compromised by an attack.
- System damage repair: The cost of repairing computer systems damaged by a cyberattack will also be covered by a cyber insurance policy.
- Ransom demands: Ransomware attacks often see attackers demand a fee from their victims to unlock or retrieve compromised data. Cyber insurance coverage can help organizations cover the costs of meeting such extortion demands.
- Attack remediation: A cyber insurance policy will help an enterprise pay for legal fees incurred through violating various privacy policies or regulations. It will also help them hire security or computer forensic experts who will enable them to remediate the attack or recover compromised data.
Cyber Risks Excluded from Cyber Insurance Coverage
A cybersecurity insurance policy will often exclude issues that were preventable or caused by human error or negligence, such as:
- Poor security processes: If an attack occurred as a result of an organization having poor configuration management or ineffective security processes in place
- Prior breaches: Breaches or events that occurred before an organization purchased a policy
- Human error: Any cyberattack caused by human error by an organization’s employees
- Insider attacks: The loss or theft of data due to an insider attack, which means an employee was responsible for the incident
- Preexisting vulnerabilities: If an organization suffers a data breach as a result of failing to address or correct a previously known vulnerability
- Technology system improvements: Any costs related to improving technology systems, such as hardening applications and networks
Can Cyber Insurance Take the Place of Cyber Defense?
Cyber insurance should not be considered in place of effective and robust cyber risk management. All companies need to purchase cyber insurance but should only consider it to mitigate the damage caused by a potential cyberattack. Their cyber insurance policy needs to complement the security processes and technologies they implement as part of their risk management plan.
Cyber insurance suppliers analyze an organization’s cybersecurity posture in the process of issuing a policy. Having a solid security posture enables an enterprise to obtain better coverage. In contrast, a poor security posture makes it more difficult for an insurer to understand their approach, resulting in ineffective insurance purchases.
Furthermore, failing to invest in appropriate or effective cybersecurity solutions can result in enterprises either failing to qualify for cyber insurance or paying more for it.
Considerations for Selecting the Appropriate Cyber Insurance Policy
Pricing cyber risk will typically depend on an enterprise’s revenue and the industry they operate in. To qualify, they will likely need to allow an insurer to carry out a security audit or provide relevant documentation courtesy of an approved assessment tool. The information accrued from an audit will guide the type of insurance policy the provider can offer and the cost of any premiums.
Policies often vary between different providers. Therefore, it is best to review any details carefully to ensure the required protections and provisions are covered by the proposed policy. The policy also needs to provide protection against currently known and emerging cyber threat vectors and profiles.
Three Steps To Reduce Cyber Risk
Cyber risk is a significant concern for companies of all sizes and across all industries. Organizations need to take decisive action to strengthen their cyber defenses and manage their cyber risk through the combination of cyber insurance, secure devices, domain expertise, and technology.
- Step 1—Assess: The first step in reducing cyber risk is to assess cyber readiness with a respected professional services organization. This process includes carrying out a security audit before providing appropriate cyber insurance.
- Step 2—Implement: The next step is to implement technology that protects the elements an organization intends to take out cyber insurance against. This can include an anti-malware solution to protect the enterprise against the threat of malicious software.
- Step 3—Insurance: The first two steps enable an organization to prove they have the necessary processes and technologies in place to qualify for cyber insurance from a provider.
How Fortinet Can Help
Fortinet provides industry-leading technology, such as enterprise-grade ransomware and phishing solutions, that help organizations strengthen their cybersecurity defenses and prove they have the processes in place to qualify for cyber insurance. Fortinet technology protects organizations from advanced cyber threats like malware and distributed denial-of-service (DDoS) attacks and prevents unauthorized access to their networks and systems by cyber criminals.
FortiGuard Labs' Derek Manky and Jim Richberg, Fortinet Field CISO for the Public Sector, offer their perspectives on current ransomware trends, cyber insurance, ransomware settlements, and how organizations can better defend against and recover from attacks.
What does a cyber insurance policy cover?
A cyber insurance policy protects organizations from the cost of internet-based threats affecting IT infrastructure, information governance, and information policy, which often are not covered by commercial liability policies and traditional insurance products.
What is cyber insurance and how does it work?
Cyber insurance works in a similar way to other forms of insurance. Policies are sold by many suppliers that provide other forms of business insurance, such as errors and omissions insurance, liability insurance, and property insurance.
What is not covered by cyber insurance?
A cybersecurity insurance policy will often exclude issues that were preventable or caused by human error or negligence.