To Insure or Not to Insure, that is the Question – Cyber Risk Liability Insurance primer

Insurance in the world of cyber has come a long way but is not yet widely adopted globally. Some are moving towards mandatory cover in hopes of best practices, lowering risk, etc. However, just as in emergent technical fields, one should be careful to look at the fine print and reputation of any such company before making a purchase.

This article is not discussing say general contractor liability insurance, like what we have at 4D5A Security. That is it’s own beast and can be difficult as it’s not as easy to quantify and may involve a lot more risk from an underwriter perspective. In this article we are discussing cyber risk liability insurance designed to reduce risk in case of a breach, reputation loss, employee error and so forth. This is something insurance companies see with increased demand after a massive number of breaches and disclosures from virtually every industry globally in the past two years.

Terms and conditions matter. What exactly is covered? Third-party vendors infecting your network? What if regulatory actions are involved? It’s like having an insurance plan but no flood insurance coverage, and when that day comes you paid insurance for no coverage regarding your actual loss/need. Make sure you know exactly what you’re paying for, under what terms, and that the return on investment for reducing risk is acceptable. Word on the street is that some emergent insurance only covers a few types of attack, such as “targeted”, while more general attacks were not covered. If such language exists within your coverage you may then have a burden of proof to identify something as targeted in order to receive payment for coverage of loss. Did I mention that we provide expert witness support? Well you want to avoid that on every level so be preventative and check the fine print before you purchase an insurance policy. Even after all this troubling talk I’m glad to report that I have personal knowledge of instances where insurance companies paid on cyber risk loss and it was a worthwhile experience for all parties involved, as it should be for when you have loss and insurance accordingly.

Cyber risk insurance programs will also vary in rates and coverage based upon your risk profile. If you’re a small shop with little risk you won’t have much to worry about compared to say a larger shop with immature governance and tons of accepted risk as a publicly traded company. Of course that fictitious example doesn’t exist, right? /sarcasm. Seriously, the more mature organizations that are well managed, they know where their assets and risks are, crown jewels are protected, they audit and assess regularly, and so forth – they inherently have less risk compared to more immature ad-hoc organizations. Cyber Risk insurance isn’t cheap and could run into six figures annually if you require 50M or more in coverage for a larger company.

A few companies offer insurance with some positive comments from private parties about AIG, LLoyds, Beazley and others. The list below is by no means a recommendation but a starting place if you need to being your research on cyber risk liability insurance with vendors and brokers in the space: