Cyber insurance is the fastest growing category of business insurance, for several reasons. The most obvious is that you have a better chance of surviving a cyber attack if you are insured. You might also need to carry cyber insurance as a condition of doing business with some companies and government agencies.
Cyber insurance has changed a lot just over the last few years. It used to be common to get certain kinds of cyber coverage added to your general business, legal liability, or medical malpractice policy. Not anymore. Claims skyrocketed throughout the pandemic and now it’s far more usual to buy cyber insurance separately.
Another change is the number of exclusions and requirements cyber insurance carriers now demand before they will provide coverage, and what exactly gets covered is more and more specific. So it makes sense to understand some different kinds of cyber insurance coverage.
Data Breach Response and Business Interruption Coverage:
Consider this worst-case scenario: a criminal gets inside your business email and file systems. They plant ransomware and steal a copy of all your data. They’ve got the names and addresses of everyone in your customer database. They’ve got financial records and other sensitive information. They poked around and found out someone in the company keeps a handy list of passwords on their desktop. They log themselves in and change those passwords, then make accounts for all their friends. Now they trigger the ransomware and encrypt everything they can, making it impossible to get any work done.
Even with cyber insurance, this scenario is no fun. No matter what happens, you have to notify all your customers that you let a criminal get their data. You have to consult a lawyer and do it the right way, which can get expensive. Even if you have excellent backup practices and have a safe copy of everything uncontaminated by the ransomware, it can still take days or weeks to get back up and running.
This particular kind of insurance helps cover the costs of notifying affected parties, conducting forensic investigations, public relations efforts, and credit monitoring services. Additionally, business interruption coverage can compensate for lost revenue, temporary relocation costs, and expenses related to restoring systems after a cyber incident.
Third-Party Liability Coverage:
Sometimes the organization that gets attacked is not the only one hurt in the attack. For instance, in 2020 a major vendor of nonprofit fundraising software was hit with a huge data breach. It was bad for them, but also for every nonprofit whose donors’ personal data was exposed and who had to notify their supporters even though these nonprofits themselves weren’t hit. When some nonprofits sued the software provider, claims were paid out of a third-party liability policy. That’s just one example.
Third-party liability coverage protects against many kinds of legal claims from third parties. This coverage includes data breach liability, privacy liability, media liability, and network security liability. It covers costs associated with legal defense, settlements, judgments, and regulatory fines resulting from breaches, privacy violations, intellectual property disputes, or unauthorized access to networks.
Cyber Crime and Fraud Coverage:
Ultimately, what criminals want is a big payday. They want you to send millions of dollars to a bank account number that is only one digit off. Or to believe a vendor just asked you to wire money somewhere new in a hurry. Even some very seasoned CFOs at very large corporations have fallen for elaborate fraud schemes that led to big financial losses.
This coverage protects against financial losses resulting from fraudulent activities such as phishing, social engineering scams, or fraudulent fund transfers. It helps recover stolen funds and covers legal expenses associated with investigating and resolving cyber crime incidents.
So now that you know what the major types of coverage are, let’s talk about what you need to do to qualify for coverage.
Qualifying for Cyber Insurance
Every insurance company has their own requirements set by their underwriters, but these show up in most applications:
Risk Assessment and Mitigation:
To qualify for cyber insurance, small businesses need to demonstrate their commitment to risk assessment and mitigation.
Written Cybersecurity Policies and Procedures:
Small businesses should develop and implement written cybersecurity policies and procedures. These documents should outline protocols for data protection, employee training, incident response, and vendor management. By demonstrating a proactive approach to cybersecurity, businesses can enhance their eligibility for cyber insurance coverage.
Employee Training and Awareness:
Insurance providers often require evidence of regular employee training and awareness programs. Small businesses should educate employees about the importance of strong passwords, email security, phishing awareness, and safe internet browsing habits. Keeping records of training sessions can demonstrate a commitment to cybersecurity and increase chances of qualifying for coverage.
Security Software and Updates:
Maintaining up-to-date software and applying updates regularly is crucial. Insurance providers may require evidence that you aren’t relying on old hardware or software that can introduce unacceptable risk.
Data Backup and Incident Response Planning:
Small businesses should establish comprehensive data backup processes and incident response plans. Regularly backing up critical data and testing restoration processes showcases preparedness for cyber incidents. Developing a well-documented incident response plan that outlines roles, responsibilities, and communication channels can further strengthen eligibility for cyber insurance coverage.
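The restoration test this section calls for can be automated rather than left as a checkbox. The script below is an added example, not code from the original article or from any insurer's application: it archives a constructed sample data directory together with a SHA-256 manifest, restores the archive into a scratch directory, and checks every restored file against the manifest, so a missing, altered, or unexpected file fails the drill. All paths, file names, and file contents are constructed for the example; the second pass deliberately alters one restored file to show that the check actually catches it.

```python
"""Backup restore drill: archive a directory with a SHA-256 manifest, restore it
into a scratch directory, and verify every restored file.  Added example, not
code from the original article; all paths and file contents are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every regular file under `source`; return and save a manifest of
    archive-relative path -> SHA-256 so a restore can be checked independently."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(str(path), arcname=rel)
    manifest_file = archive.parent / (archive.name + ".manifest.json")
    manifest_file.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore(archive: Path, scratch: Path) -> None:
    """Extract regular files into `scratch`, refusing any member whose name could
    escape the target directory (absolute path or a '..' component)."""
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            name = Path(member.name)
            if name.is_absolute() or ".." in name.parts:
                raise ValueError(f"unsafe member path in archive: {member.name}")
            if not member.isfile():
                continue
            dest = scratch / name
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, dest.open("wb") as dst:
                dst.write(src.read())


def verify(manifest: dict, scratch: Path) -> dict:
    """Compare the restored tree with the manifest and report every discrepancy."""
    report = {"verified": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        restored = scratch / rel
        if not restored.is_file():
            report["missing"].append(rel)
        elif sha256_of(restored) != expected:
            report["corrupted"].append(rel)
        else:
            report["verified"].append(rel)
    for path in scratch.rglob("*"):
        if path.is_file():
            rel = path.relative_to(scratch).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    report["ok"] = not (report["corrupted"] or report["missing"] or report["unexpected"])
    return report


def run_drill() -> tuple:
    """Run the drill on constructed sample data: one clean pass, then a pass in which
    a restored file is deliberately altered so the failure path is exercised too."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "critical_data"  # constructed sample data, not real records
        (source / "customers").mkdir(parents=True)
        (source / "customers" / "list.csv").write_text("id,name\n1,Example Customer\n")
        (source / "ledger.txt").write_text("2024-01-01 invoice 1001 paid\n")

        archive = root / "nightly.tar.gz"
        manifest = create_backup(source, archive)

        scratch = root / "restore_test"
        restore(archive, scratch)
        clean = verify(manifest, scratch)

        # Simulate silent corruption of one restored file; the drill must catch it.
        (scratch / "ledger.txt").write_text("2024-01-01 invoice 1001 unpaid\n")
        tampered = verify(manifest, scratch)
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = run_drill()
    print("clean restore ok:", clean_report["ok"])
    print("tampered restore ok:", tampered_report["ok"],
          "corrupted:", tampered_report["corrupted"])
```

Keeping the manifest separate from the archive is the point of the design: a restore that "succeeds" but produces different bytes is exactly the case a scheduled drill should surface, and the dated report from each run is the kind of record an underwriter can ask for. The extraction step also refuses archive members with absolute or parent-directory paths, a check worth keeping even for backups you produced yourself.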
Compliance with Regulatory Standards:
Adhering to industry-specific regulatory standards is an essential factor in qualifying for cyber insurance. Small businesses should ensure compliance with relevant regulations such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). Maintaining documentation and records of compliance efforts demonstrates a commitment to data protection and enhances eligibility for coverage.