Cyber insurance has quickly become a necessity just like any other corporate insurance. It’s being added to an ever-growing list of insurance policies that already includes plans for professional liability, director and officer liability, workers' comp—the list goes on. Despite growing popularity, cyber insurance is a complete mess—but companies still need to figure it out to defend themselves against cyber attacks.
Learn more about what cyber insurance is and why your organization needs it in the following blog.
Insurance is Generally Heavily Regulated—But Not Cyber Insurance
Insurance is one of the most regulated industries there is, along with healthcare and the Payment Credit Card Industry (PCI). Underwriters for health insurance, auto insurance or professional insurance have set standards to abide by; but cyber insurance has no standards and is a mess as a result.
Small businesses are most vulnerable to data breaches. At the same time, they are the least likely to accept cyber insurance and could potentially lose their whole company in the event of a breach and its costs. Small businesses must look beyond the costs of cyber insurance and recognize its importance. However, the lack of standards makes it difficult to navigate your company to cyber insurance success.
>> Download now: Learn how to improve your IT security with better threat detection and prevention tool deployment.
Understanding Your Cyber Insurance Policy
Without set standards for cyber insurance coverage, service providers offer a wide array of policies. In the earlier days of cyber insurance, companies could buy fairly comprehensive policies. Now, businesses are left with a confusing mess of separate liability coverages to pick and choose from. According to the Cyber Insurance World Data Protection Report, these are:
The 6 Things to Consider When Choosing a Cyber Insurance Policy:
- How much insurance do you need and how much risk can you afford? As a reference, the average maximum financial exposure of security exploits and data breaches in 2013 (for the following two years) was $163 million.
- Review all the types of coverages available
- What kicks your policy into action?
- What isn’t included in the policy?
- Which data is actually covered?
- How is response handled? What costs and services are covered?
What You Need to Include in Your Cyber Policy
The disappointing answer to “How much cyber insurance should I buy?” is “as much as possible.” Just look at Target. They had over $100 million in cyber insurance coverage, $65 million of which was used for directors and officers liability coverage. Even with so much coverage, it won’t come close to covering the expenses Target is facing with potentially billions of dollars in civil damages.
These are Some Things You Need to Look at Covering When Creating Your Cyber Policy:
- Network security coverage, including hardware, software, physical and staff status
- Data breach incident response, including attack recognition, response planning and recovery planning
- Multimedia liability
- Laptop insurance
- Cyber business interruption coverage
- Coverage for cyber extortion and terrorism
- Litigation and enforcement proceedings, not including governmental fines
- Loss in association with 3rd party systems
- Lost/stolen data and digital asset
- Crisis management and PR
- Forensics
This is not a comprehensive list of the contents of a cyber insurance, but can give you an idea of just how much you need to include. This is why not having a set standard for cyber insurance is causing a giant mess for companies of all sizes.
The First Step to Cyber Protection Isn’t Insurance—It’s Visibility
There is a litany of circumstances under which cyber insurers won’t cover an incident. The biggest reason that cyber insurance won’t cover your data breach is because “you didn’t take the proper care.”
It’s like property insurance—if you didn’t bother to lock your door and someone stole all of your belongings, you’re likely to be found at fault. With cyber security, if you don’t take the proper precautions, you'll be in the same situation with insurance providers.
If you want the money you spend on cyber insurance to actually cover you in case of a breach, the first step you must take is to ensure visibility of your network. Being able to recognize network issues, mitigate a breach within 24 hours, respond and recover accordingly is essential to proving you’re doing your due diligence. However, as networks become more and more complex, companies are losing track of data traffic and letting malicious activity slip through the cracks. If you can’t see all of your traffic, you need to fix that before going to any insurance company.
Visibility and a proper response plan aren’t enough alone, though. Companies must also have all of the necessary security appliances in place for proper protection—firewalls, IDSs, IPSs, web application firewalls. Think those appliances are all you need? 80% to 90% of web apps are still vulnerable to attacks despite the presence of a web application firewall.
The truth is that every company needs to have both the proper network of security precautions and visibility as well as a strong cyber insurance policy. Neither can protect your business from sophisticated data breaches alone. Together, they can help you stand a chance against increasingly dangerous waves of cyber threats.
Looking to add IT Security solution to your security deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do!
