Every company has cyber vulnerabilities. Even organizations with cutting edge cybersecurity tools, processes and a comprehensive standalone cyber insurance solution can fall prey to the whims of hackers, especially if their motivation (usually financial gain) is significant.
Companies from every industry and every size category are at risk. With such gloomy prospects, the only real objective for organizations today is to avoid being an easy target. Firms can dissuade hackers by engaging in simple blocking and tackling and implementing basic cyber security controls like multi-factor authentication (MFA), strong password hygiene, disenabling remote desktop protocol (RDP), and using endpoint detection and response (EDR) tools, but there will always be some risk.
Enter cyber insurance. Ross Ingersoll, executive risk & cyber account executive at Holmes Murphy, described cyber insurance as “the final safety net” for companies in the worst-case scenario that something happens to them. It cannot act as a replacement for the cyber security controls that all companies should be implementing. Rather, it is there to provide a financial safety net, as well as breach response, to help companies through the doomsday scenario.
“One of the most important things to know about cyber insurance is that not all policies are created equal, so a word of caution needs to be shined on what you’re buying,” said Ingersoll. “Historically, traditional property and casualty insurance was never really designed or intended to respond to cyber threats and cyber perils in general. So today, many standard property and casualty policies, such as general liability, property, crime, D&O, and professional liability do not cover any cyber- related events, or they sometimes exclude them altogether to ensure there’s no coverage available.
“Really, what companies need to do […] is supplement their P&C program with a dedicated standalone cyber solution. A robust cyber insurance policy is a hybrid product that incorporates elements of first-party reimbursement expenses (costs incurred that would directly impact your business’s balance sheet) and third-party liability costs in the event that there are lawsuits or allegations made against you.”
First-party reimbursement expenses typically cover the cost to get a business back up and running, the cost to pay a ransom, and any bottom line impact a business could have from a cyber incident. A couple of newer first-party coverages that have been added to comprehensive cyber solutions in recent years include: cybercrime – things like social engineering, phishing and fraud schemes, where people are deceived into sending money to a fictitious location; and breach notification expenses – costs tied to notifying impacted individuals, providing credit monitoring, conducting a forensic investigation, and hiring a breach coach. Meanwhile, the third-party liability coverage reimburses insureds for the cost of responding to lawsuits and defending against allegations of wrongdoing.
“People purchase insurance in the hope that it’s going to pay out in the event that a covered claim happens. That’s really what insurance is for, but really the biggest value-add to a cyber insurance policy is the crisis management and breach response services that are provided in the event that an insured does have a cyber incident,” Ingersoll commented. “Most cyber insurance carriers have 24/7 hotlines, they have breach coaches on hand ready to help clients navigate the situation and get back up on their feet. That is, in my opinion, really the biggest value in cyber insurance policies.
“When your company suffers a breach, you don’t want to focus on navigating all these different state laws and trying to figure out which vendor to hire; you want to focus on running your business and getting your business back up and running. That’s also what we want you focusing on, so having access to those vendor networks and breach response coaches is a critical component to a robust cyber insurance policy.”
A final layer to consider is that most carriers also offer some proactive risk mitigation and management resources, such as employee training modules, sample policies and procedures, and help with how to implement an incident response plan or a business continuity plan. That’s critical because, as Ingersoll stressed, the human element of cyber risk “will never go away”. He added: “That’s probably the biggest vulnerability that businesses face, so having those resources available to you through the cyber insurance policy is another really nice value-add.”