Since the mid-nineties, we have seen consistent growth in electronic transactions. Brick-and-mortar business is starting to disappear. This continued development brings a fundamental change in the way business is conducted. Despite its tremendous potential, it is likely to be accompanied by unwanted risk for all parties involved. Organizations will continue to analyze that risk and address it with appropriate security and control measures. The day would be beautiful without DDoS, worms, malware, or ransomware. Within this process, organizations must decide which risks to accept, which to avoid, and which to transfer. Transferring that risk is the primary goal of cyber insurance.
What is Cyber Insurance?
Cyber Insurance, also called Cyber Risk Insurance or Cyber Liability Insurance, has its roots in Errors and Omissions (E&O) insurance. E&O provides coverage for financial damages caused by an organization's errors and omissions in providing professional services. Originally, E&O only provided coverage for third-party claims arising from a cyber security breach, offsetting the cost of recovery after a breach or related event. Several years after its introduction, 'Network Security' and 'Internet Liability' were added as add-ons, expanding coverage toward first-party claims. These add-ons attracted the attention of any business that holds a considerable amount of customer data. Demand continues to rise as businesses request separate coverage for network security and privacy, due to the high frequency of recent attacks.

Under network security coverage, claims are made for the direct costs of responding to a privacy breach or security failure. The third-party claim operates when people sue or a regulator requests more information. A first-party claim covers forensic investigation, legal advice, communication of the breach, and loss of profit/business interruption (BI). A third-party claim covers counsel, liability to the bank, the expense of responding to regulator inquiries, fines, and penalties. The first-party claim originally operated as a small sub-limit of the liabilities triggered by third parties. Despite its small percentage, this sub-limit keeps growing every year, reaching up to 50 percent of the total limit for the first-party claim. Besides a dollar deductible of varying size (depending on the policy limit), a waiting period may apply before coverage operates. Some policies require the network to be impaired by a security failure for 6-8 hours before business interruption coverage takes effect.
How to get started with Cyber Insurance coverage?
Every organization has its own business model and related risks. Start by estimating the expenses you want covered for every possible event. Then calculate the third-party cost associated with each particular event. This process is called risk profiling.
After you send your risk profile, the insurance company will generally respond with hundreds of due-diligence questions. These questions ask about encryption, firewalls, and how password authentication is set up.
Comparing Cyber Insurance Quotations
Unless you are using a broker, it is advisable to request coverage from more than one insurer to get the most economic value for your coverage. These are general considerations when comparing policy coverage between insurers:
- Does the insurer provide a stand-alone policy, or an extension of your current policy?
- How far can the policy be customized for your organization?
- What deductibles apply to the policy? The deductible is the easiest way to compare several policies.
- How do coverage and limits apply to first and third parties?
- Does the coverage apply to any cyber attack, or only to targeted attacks in particular?
- How does this coverage protect against social engineering or non-malicious actions taken by an employee?
How to Win Insurer approval for Cyber Insurance Coverage
Through risk profiling, the insurance company assumes that the organization follows industry best practices, maximizing defenses and controls to protect the perimeter, including employee awareness of phishing and social engineering. For medium to enterprise-level organizations, performing threat intelligence and regular compliance audits is mandatory, including investing in vulnerability assessment tools or engaging an organization-wide penetration tester. This can be done gradually while negotiating the best deal for the cyber insurance policy. Failure to put these in place might result in a lower policy limit. The premium is calculated as the organization's annual revenue multiplied by the applicable rate. The rate depends on the type of services provided to customers, data risks and exposures, security posture, and company policies.
Having a cyber insurance policy might be a big help in offsetting costs after a cyber attack. Nonetheless, cyber insurance does not cover reputational harm, loss of future revenue (due to customers staying away after a data breach), or the cost of improving current security systems. The insurance company will carefully identify the risk and its severity before sending an insurance quotation. Bolstering our security systems not only helps decrease the premium for the same policy limit, but also reduces the likelihood of a cyber attack.