A cyber insurance policy protects organizations against data breaches and cyber security incidents. The policy can help cover several of the financial obligations and damages that the organization incurs as a result of a breach. While data breaches and cyber security incidents were at one time relatively rare, they have become commonplace. In fact, even if IT leaders are vigilant about the firm’s security strategy, the assumption should be that a data breach will occur at some point. Yet it can be difficult to determine what type of cyber insurance policy to select and what questions to ask during the selection process. According to Infiniwiz, a Chicago Managed IT Services company, the most important things to consider are which risks the organization can afford to take on, which risks can be averted or contained, and which risks the firm needs the policy to cover.
What Does a Cyber Insurance Policy Cover?
The main reason firms need to purchase a separate cyber insurance policy is that a general liability policy does not typically cover the financial damages and obligations that stem from a data breach. A separate cyber insurance policy can help cover those obligations and damages, but since there is no standard umbrella of coverage, it is important to determine what each policy covers. When selecting a cyber insurance policy, ask whether the following are included in the coverage:
- Repairs to equipment and infrastructure
- Data breach investigations
- Financial losses, downtime, and crisis management
- Litigation and legal costs
- Data recovery and system recovery
- Ransom payments made to attackers in ransomware incidents
- Costs related to notifying clients, end users, and those impacted by the data breach
Of these potential coverages, determine which are critical to the organization, which would be good to have but are not critical, and which can be left out if needed. While some cyber insurance policies may cover all of these expenses and risks, those policies are also likely to be more expensive. Regardless of whether these costs fit the firm’s budget, assess the current IT security measures to determine which gaps can be closed outside of a cyber insurance policy and which gaps (both existing and potential) will need coverage.
Besides finding out what types of coverage are available, there are additional general questions that leaders need to ask when selecting a cyber insurance policy:
- What portion of expenses is covered by the policy?
- Are third parties and vendors included in the coverage?
- Is the policy standalone, or is it added on to a current policy?
- Does the coverage include damages from another firm’s data breach that impact the organization?
- What coverage do the firm’s third-party vendors have for data breaches?
- Are damages from social engineering tactics covered?
- Are employee mistakes, such as unintentional clicks on phishing links and the downloading of malware, covered?
- How are data breaches that are not discovered for some time covered?
As part of the process, also consider whether the firm provides security training to employees, what remediation and prevention techniques are part of the current IT security policies, which IT security policies can be changed or implemented to mitigate some of these risks, and which coverages may be unnecessary due to overlaps or duplications.
For example, restricting the exchange and receipt of certain types of files through email can help reduce the unintentional downloading of malicious files. Is there a history of problems with zip files? If so, restricting the exchange and receipt of files with the zip extension can reduce the organization’s risk. Likewise, do third-party vendors ever have any type of access to the firm’s IT systems and infrastructure that could make those systems more vulnerable to an attack? If the vendors have good coverage, it may not make sense to include this in the firm’s own policy.
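The attachment restriction described above is easy to state as policy but worth checking in practice: a filter that matches only the `.zip` extension misses a zip archive that arrives under another filename. The following added example (not code from the article or from Infiniwiz) shows a gateway-side check that flags an attachment on either signal, the blocked extension or the zip file signature in the content. It goes slightly beyond the text by inspecting content rather than names alone. The message it scans is constructed inline for illustration; the function names, the `BLOCKED_EXTENSIONS` set and the sample addresses are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Zip local-file, end-of-central-directory and spanned-archive signatures.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

# Policy decided by the organization; assumed here to be just .zip.
BLOCKED_EXTENSIONS = {".zip"}


def build_sample_message() -> EmailMessage:
    """Constructed sample mail: a plain .zip, a zip renamed to .pdf, a real-looking PDF."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.test"   # constructed address
    msg["To"] = "ap@example.test"         # constructed address
    msg["Subject"] = "Invoice"
    msg.set_content("Invoice attached.")
    zip_bytes = b"PK\x03\x04" + b"\x00" * 26
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="invoice.zip")
    # Same archive bytes, but the sender renamed it to look like a PDF.
    msg.add_attachment(zip_bytes, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg


def is_zip_payload(data: bytes) -> bool:
    """True if the decoded attachment starts with a zip signature."""
    return data[:4] in ZIP_MAGIC


def find_blocked_attachments(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return (filename, reasons) for each
    attachment that violates the policy by extension or by content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append("blocked extension")
        if is_zip_payload(payload):
            reasons.append("zip signature in content")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_blocked_attachments(build_sample_message().as_bytes()):
        print(f"{name}: {', '.join(reasons)}")
```

Run against the constructed message, `invoice.zip` is flagged on both signals and `invoice.pdf` only on its content, while `terms.pdf` passes; an extension-only rule would have let the renamed archive through, which is the gap to keep in mind when deciding whether this control reduces the risk enough to leave it out of the policy.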
Selecting the right cyber insurance policy starts by determining what security risks exist, what risks can be further avoided, and what risks need to be covered. Start with the insurance company that provides the firm’s general liability coverage, but include other providers to compare coverage and cost options. Finally, assess what level of value each option provides in relation to the cost.