January 12, 2022
How much insurance does my business need? What are the differences in each policy? Am I ever fully covered? Sorting through the insurance maze can be a full-time job. Trying to figure out the right level of insurance for your business that offers protection without overpaying for coverage is a nightmare. Unfortunately, you never know how good your insurance coverage is until you need to use it.
We all know cyber insurance has become part of the insurance mix due to the continued sophistication of ransomware attacks. The first time a ransomware attack hits your company is unlikely to be the last for some small to mid-size businesses. Per Cybereason, “80% of organizations that reported having previously paid ransom demands said they’d been exposed to a second attack. Nearly half of those companies targeted twice said they were attacked by the same actors that initiated the first strike”.
Although you can take steps to mitigate an attack, having the proper insurance coverage is vital if an attack does occur. It is imperative to understand the exclusion clauses of any given policy with cyber insurance. Research shows there is often a disconnect between expectations and insurers’ coverage regarding what types of incidents are covered and which ones are excluded. Most businesses want to make sure data breaches, ransomware payments, data restoration, and compensation for business interruption are covered. Most cyber insurance policies have a list of exclusions, including regulatory ﬁnes, funds transfers, intellectual property (IP), and lawsuits from the propagation of forwarding malware.
Even when you think you are covered, most policies exclude “an act of war.” Malware developed by a nation-state-backed organization is not covered. For example, the NotPetya attack used a unique method of infecting patient zero. It used three methods of propagating through a network like a computer worm to infect other computers and networks. The outbreak resulted in immense financial losses for over 2000 organizations. Cyber insurance companies have refused to pay for any losses from the attack citing the ransomware incident triggered the act of war clause in the policy.
It is essential to know and understand all your organization’s insurance policies. Different policy types may include a cybersecurity or business interruption provision. Some cyber insurance policies cover recovery costs from a security incident and not any business interruption losses. You may have the opportunity to trade expensive cyber coverage for much less costly criminal coverage since both may be applicable during a signiﬁcant incident. To help you understand the different types of policies and coverage below is a comparison of the most common types of insurance:
Cyber insurance protects against data breaches at your company where technical E&O protects a company that makes a mistake or forgets to do a critical task that hurts a client financially.
To determine if you need cyber liability insurance, consider how much customer data you store on your network. If that’s a significant part of your business, you’ll want this policy to help cover costs if credit card numbers or other client data is exposed. If you don’t store much customer data, your first-party risk may be small. However, if the technology services you provide have a strong bearing on your clients’ network security, your third-party liability may be significant. In that case, you may have a strong need for technology E&O insurance.
Cyber insurance typically covers business income loss after a business is impacted by a privacy or security breach. It typically covers the difference between the typical income and the reduced generated income during the shutdown caused by a cyber event. However, all cyber policies do not include BI insurance.
In conventional property insurance, business interruption coverage is based on a breakdown of the insured’s planned operating expenses and fixed costs. Insurers revert to a predetermined daily compensation rate to simplify the process in cyber insurance.
Another important consideration of BI coverage is the magnitude of the interruption. Some policies require the business to be completely shut down before coverage kicks in. Other policies respond to a partial interruption or a slowdown. Be sure to read the definition of Business interruption, loss, and any applicable exclusions to understand the extent of the coverage.
–Usually not covered under either cyber insurance or general policies
The best defense against cyber-attacks is not your cybersecurity insurance policy. It is having a good security program with standards and processes in place and followed. If you are unsure how good your current security program is, we suggest a security assessment to measure your controls against industry standards. The assessment can identify gaps in your current environment and recommendations to reduce those gaps. Insurers can deem organizations uninsurable due to a lack of security controls. Even if insured, they may be reluctant to pay out if an incident occurs due to poor security controls. Contact one of our security experts to help navigate the maze of policies or an independent assessment of your security controls.