Cyber Insurance | Evolving Coverage

A clear, concise and enlightening synopsis of the current state of cyber security insurance.

Ryan Ascenzo, RPLU, Burns & Wilcox Brokerage

ryanascenzo@burns-wilcox.com

It is a never-ending cycle: improved cyber security defenses spawn more sophisticated and damaging adversarial tactics. Cyber insurance, although not an absolute solution, can offer substantial assistance. Pre-breach services can help mitigate the likelihood and impact of occurrences, while post-breach services and coverage can help deal with the consequences of unforeseen, unbudgeted incidents and the return to stability.

Organization leaders struggle to determine which security investments to make given the ever-increasing plethora of security products and services, regulations and liabilities. Contributing to that struggle is the inability to predict with any certainty the likelihood of incidents occurring and their impact (damages). A properly structured cyber insurance policy can provide loss mitigation before a breach occurs, along with covering the costs, litigation expenses and indemnities owed after a breach.

The need for protection has grown and will continue to grow. It is estimated that there were 1,473 data breaches in the U.S. in 2019, a 17.0% increase from 2018, which exposed over 164.7 million records.* The average cost of a security breach was $3.86 million, with an associated cost of $146 per record, and 80% of compromised records contained customer PII.** COVID-19 introduced massive remote working capabilities, and 70% of employers believe that remote working would increase the cost of a data breach.***

Pre- and Post-Breach Services

A common opinion is that a cyber insurance policy is purely reactive, and that is simply not the case. Many, if not most, of the preeminent insurance carriers offer policyholders pre-breach services as part of or in addition to the limit of liability. These can be offered either by the insurance carrier or by vendors the carrier has contracted with. Services can include:

  • Risk assessments

  • Security awareness training and education to employees

  • Vulnerability and penetration testing

  • Application security reviews including web, mobile and Internet of Things

  • Implementation and reviews of disaster recovery, incident response plans and procedures

  • Compliance with federal and state breach notification laws

In the unfortunate event that a breach occurs, any insurance carrier worth considering will have contracted vendors to help your organization react quickly and smoothly. As part of or in addition to the limit of liability provided, services can include:

  • Access to legal firms with significant experience handling breaches to guide your organization through the breach response process

  • Computer forensic firms to determine the who, what, when, where, why and how of the breach and to help prevent it from happening again, as well as network monitoring, data analytics/mining, eDiscovery and expert testimony

  • Notification services, regulatory and compliance communications and call center support services

  • Public relations and crisis management to help restore an organization's reputation

  • Cyber extortion and ransom firms to handle any exchange

  • Credit and identity monitoring support for impacted individuals

Before purchasing additional cyber services from vendors, organizations should be aware of what services they already have as part of their cyber policy.

Insurance Coverage

So what is the scope of insurance provided in a cyber liability policy? Generally speaking, it addresses the traditional areas of both 1st party and 3rd party coverages. 

1st Party Coverages

1st party coverages are costs, expenses and losses your organization incurs directly from a breach. These would include the post-breach services already covered but would also include the following:

  • Breach response, crisis management and public relations costs

  • Extortion payments

  • Business Interruption costs and loss of income

  • Contingent business interruption costs and loss of income (when your organization sustains a loss of income because your vendor or application provider network was compromised)

  • Data restoration costs

  • Systems integrity costs

  • Fund transfer fraud, i.e. cyber-crime or “social engineering” losses

3rd Party Coverages

3rd party coverages are more traditional liability and indemnity insurance coverages for when a lawsuit is brought against your organization by a 3rd party as a result of a breach that occurred on your network. These would include:

  • The costs to defend and settle lawsuits brought by those affected by a breach that occurred on your network

  • Regulatory fines and penalties

  • PCI fines and penalties

Selecting a Carrier

There is an overwhelming number of insurance carriers that offer a comprehensive cyber insurance policy that contains most if not all of the coverages mentioned above. Despite the increase in breaches and costs, cyber insurance continues to be readily available and very affordable. A single carrier may be willing to offer $10 million in limits with an abundance of carriers offering excess coverage beyond that amount. 

An abundance of insurance carriers are offering aggressive terms that many organizations are taking advantage of to supplement an enterprise risk management program. 33% of respondents in the 2019 Cyber Insurance Market Watch Survey purchased some form of cyber insurance in the preceding six months, compared to 32% and 31% in 2018 and 2017 respectively. The number of first-time buyers of cyber insurance also remained steady. According to respondents, about 32% of those who purchased cyber insurance in the last six months were purchasing it for the first time and 43% of respondents increased their coverage, compared to 34% prior.****

As cyber crime continues to escalate, cyber insurance continues to respond with pre- and post-breach coverage and services. A qualified cyber insurance expert can keep you updated and help navigate through the changes and nuances to provide the best solutions for your organization.

Sources:

* Identity Theft Resource Center “2019 Annual Data Breach Year-End Review”

** IBM Security “Cost of a Data Breach Report 2020”

*** IBM Security “Cost of a Data Breach Report 2020”

**** “Cyber Insurance Market Watch Survey February 2019” - The Council of Insurance Agents & Brokers