More companies are opting into cyber insurance as a means to offset financial risk. Among insurers, the share of existing clients adding cyber policies rose from 26 percent in 2016 to 47 percent in 2020. However, the days of leveraging cyber insurance as a safety net for breaches are coming to an end. Insurance companies expect organizations to exercise due care in protecting their networks or risk non-payment after a data breach. Insurers are beginning to look for validation of security hygiene and no longer rely on the self-attestation questionnaires that have long been the industry standard. Security Rating Services have emerged as a class of vendors that collect externally observable information about your company (exposed services, mail and DNS configuration, and the like) and assign it a rating. Risk management must weigh all of a company's options, including investment in better protection and detection technologies.
Increases in Carrier Risk
Ransomware incidents have risen considerably in both frequency and severity, as cybercriminals deploy new tactics and techniques to achieve a straightforward goal: to make money. To put this rise into perspective, the cost of ransomware attacks alone is projected to reach around $20 billion in 2021. In 2015, the figure was $325 million.
Insurers are now adjusting their approach to market risk. According to Gartner, "the insurance market has hardened in 2020 following the withdrawal of capacity from it, as insurers are faced with rising loss costs and pressure on underwriting profitability".
Regulators such as the NYS Department of Financial Services (DFS) issued an insurance circular letter in February addressed to all "Authorized Property/Casualty Insurers." Here are some passages that demonstrate the severity of the challenge facing insurers:
“The damage done by many types of cybercrime – such as business email compromises – continues to rise. But the biggest driver is an increase in the frequency and cost of ransomware attacks... The cyber insurance industry has reported escalating costs to create pressure to increase rates and tighten underwriting standards for cyber insurance.”
Types of Business Risks
While technology can provide solutions that assist in mitigating risk, it cannot eliminate it. Risks can be addressed in four ways: avoid, mitigate, transfer, or retain. In the context of cloud adoption and cybersecurity, avoiding risk is probably not the best option as it means limiting the business advantages digital transformation provides. Mitigating risk has been the default response for most organizations and includes technology, people, and processes built into a company’s security program.
That leaves us with retention and transfer of risk. Retaining risk means carrying the financial cost of recovering from a cyber breach yourself, and that cost can be staggering these days. The average ransom demand was $1,304,743 in the second half of 2020 and leveled off at $1,193,159 in the first half of 2021. That is not a small price for any company, and it still represents a nearly 170% increase over the year before.
This leads us to the subject of this blog post: transferring risk through cyber insurance.
The Role of Cyber Insurance in Incident Response
A couple of weeks ago, ProArch's incident response team was engaged with a client that had suffered a significant attack. Systems and accounts had been compromised, and malware and malicious PowerShell scripts were running, which led to a recommendation requiring a complete rebuild and restoration of all workstations and servers.
However, the evaluation, containment, and recovery elements of incident response are only one side of the effort. There is a business side to incident response, which includes notifying critical stakeholders and including them in decision-making throughout the recovery.
The first questions our team of security experts asks are:
- Has senior leadership been notified?
- Has legal counsel been engaged to establish attorney-client privilege over the investigation and to provide regulatory advice as needed?
- Do you have cyber insurance, and if so, has the carrier been notified?
If the answer to the last question is yes, we pause recovery work until a meeting with the carrier can be arranged, with legal counsel and business leaders present. This is extremely important: the coverage and its terms need to be understood before recovery proceeds, because policies commonly require the carrier's consent before costs are incurred and may restrict which forensics and legal firms can be used.
One thing to note: a clause can be added to a policy that allows a company to name the incident response team it prefers. This is usually done by large companies that already work with security partners, but it is available to anyone on request.
What Does Cybersecurity Insurance Cover?
Now that you understand some of the challenges, let's see what is available. Below is a list of suggested cyber-insurance coverages, and the amount to maintain for each, from our partner, Walsh Duffield Insurance Company.
Cyber Insurance Coverages

| First-Party Coverage | Definition | Recommended Coverage |
|---|---|---|
| Cyber Incident Response Fund | Legal fees, forensics, notification costs, credit monitoring, public relations, etc. | $1,000,000 |
| Accounting Costs Limit | Reasonable fees or costs of a forensic accounting firm | $1,000,000 |
| Business Interruption / Dependent Business Interruption | Loss of profits and expenses from interruptions of the insured's systems; Contingent Business Interruption adds losses from interruptions of others' systems | $1,000,000 |
| Reputation Harm | Loss to the insured's financial capital or damage to the Insured Entity's reputation | $1,000,000 |
| System Failure | An accidental, unintentional, and unplanned total or partial interruption of a Computer System | $1,000,000 |
| Digital Data Recovery | Costs to restore or replace lost or damaged data or software | $1,000,000 |
| Telephone Toll Fraud | Phone bill charges incurred due to fraudulent calling | $250,000 |
| Network Extortion | Payments to prevent digital destruction/impairment | $1,000,000 |
| Betterment Co-participation | Reasonable costs incurred and paid by the Insured, with the Insurer's written consent, for hardware or software to improve a Computer System after a Security Breach | $250,000 |

| Third-Party Coverage | Definition | Recommended Coverage |
|---|---|---|
| Cyber, Privacy and Network Security Liability | Failure to protect the private or confidential information of others, and failure to prevent a cyber incident from impacting others' systems | $1,000,000 |
| Payment Card Loss | Contractual liabilities owed as a result of a cyber incident | $250,000 |
| Regulatory Proceedings | Defense for regulatory actions and coverage for fines and penalties | $1,000,000 |
| Media Liability | Copyright and trademark infringement within the scope of defined media content | $1,000,000 |

| Cyber Crime Coverage | Definition | Recommended Coverage |
|---|---|---|
| Computer Fraud | A third party accessing the insured's computers to obtain money | $250,000 |
| Funds Transfer Fraud | A third party tricking a bank into transferring funds from the insured's account | $250,000 |
| Social Engineering Fraud | A third party tricking an employee into transferring money | $100,000* |
| Telecom Fraud | Unauthorized access to, or use of, the Insured Entity's telephone system by a person or entity other than an Insured Person | $250,000 |
The list above is a sample of the types of cyber insurance coverage offered but is by no means comprehensive. Different carriers offer different choices, so evaluate multiple providers to determine the best fit for your organization. Before choosing a carrier, perform a risk assessment to determine which types of attacks your organization is exposed to and the impact each would have on the company.
Finally, the recommended coverage is just a guideline; the final decision should be based on quantifying the impact of a breach as well as possible. For instance:
- What would the daily productivity loss amount to if a ransomware attack occurred?
- Are there fines and penalties that would be incurred?
- What would the total recovery cost be for a complete rebuild of all systems?
Based on the risk assessment, the correct coverage amount can be determined.
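As an added example (not from the original post, and not Walsh Duffield's method), the following Python sketch turns the three questions above into a coverage check: it maps each estimated loss onto the coverage lines in the table, reports the uninsured excess per line, totals what the insured would retain for one incident, and rounds the worst modelled case up to a suggested sublimit. Only the sublimits come from the table; every scenario figure, the $250,000 rounding step and the retention amount are constructed assumptions.

```python
"""Coverage-gap check for sizing cyber insurance sublimits.

Added example, not from the original post. The recommended sublimits are the
figures from the table above; every loss scenario, the rounding increment and
the retention amount are constructed assumptions for illustration.
"""
from collections import defaultdict

# Recommended sublimits from the table above (USD); only the lines used here.
RECOMMENDED_SUBLIMITS = {
    "Cyber Incident Response Fund": 1_000_000,
    "Business Interruption": 1_000_000,
    "Digital Data Recovery": 1_000_000,
    "Network Extortion": 1_000_000,
    "Regulatory Proceedings": 1_000_000,
    "Betterment Co-participation": 250_000,
    "Social Engineering Fraud": 100_000,
}


def ransomware_scenario(outage_days, daily_productivity_loss, response_costs,
                        rebuild_cost, ransom_demand, fines, hardening_cost):
    """Answer the post's three questions for a ransomware event (productivity
    loss, fines, full rebuild) and map each estimate, plus the response and
    extortion costs, onto the coverage line it would draw on."""
    return {
        "Business Interruption": outage_days * daily_productivity_loss,
        "Regulatory Proceedings": fines,
        "Digital Data Recovery": rebuild_cost,
        "Cyber Incident Response Fund": response_costs,
        "Network Extortion": ransom_demand,
        "Betterment Co-participation": hardening_cost,
    }


def coverage_gaps(losses, sublimits):
    """Per coverage line, the part of a scenario's loss the policy would not
    pay: the amount above the sublimit. A line missing from the policy is
    treated as a sublimit of 0, so the whole loss is uninsured."""
    return {line: max(loss - sublimits.get(line, 0), 0)
            for line, loss in losses.items()}


def retained_loss(losses, sublimits, retention):
    """What the insured absorbs for one incident: the per-incident retention
    (deductible), assumed here to apply once per claim, plus all excess over
    the sublimits."""
    return retention + sum(coverage_gaps(losses, sublimits).values())


def worst_case_by_line(scenarios):
    """Largest modelled loss per coverage line across all scenarios."""
    worst = defaultdict(int)
    for losses in scenarios:
        for line, loss in losses.items():
            worst[line] = max(worst[line], loss)
    return dict(worst)


def recommended_sublimits(scenarios, increment=250_000):
    """Sublimit per line that covers the worst modelled case, rounded up to
    the quoting increment (the $250,000 step is an assumption)."""
    return {line: -(-loss // increment) * increment
            for line, loss in worst_case_by_line(scenarios).items()}


# Constructed scenarios. The ransom figure reuses the H1 2021 average demand
# quoted in the post; all other numbers are made up for illustration.
RANSOMWARE = ransomware_scenario(
    outage_days=10, daily_productivity_loss=120_000, response_costs=450_000,
    rebuild_cost=800_000, ransom_demand=1_193_159, fines=300_000,
    hardening_cost=400_000)
WIRE_FRAUD = {  # a business e-mail compromise that ends in a fraudulent wire
    "Social Engineering Fraud": 350_000,
    "Cyber Incident Response Fund": 60_000,
}

if __name__ == "__main__":
    for name, scenario in (("ransomware", RANSOMWARE), ("wire fraud", WIRE_FRAUD)):
        gaps = coverage_gaps(scenario, RECOMMENDED_SUBLIMITS)
        print(f"{name}: uninsured excess by line:",
              {k: v for k, v in gaps.items() if v})
        print(f"{name}: retained with $50,000 retention:",
              retained_loss(scenario, RECOMMENDED_SUBLIMITS, 50_000))
    print("sublimits needed for worst case:",
          recommended_sublimits([RANSOMWARE, WIRE_FRAUD]))
```

With these constructed numbers the ransomware scenario leaves $200,000 of business interruption, $193,159 of the ransom demand and $150,000 of post-breach hardening uninsured at the recommended limits, and the wire-fraud scenario exceeds the $100,000 social engineering sublimit by $250,000; the point of the exercise is that a sublimit that looks generous in a sample table can be too small for a specific company's exposure.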
Closing Thoughts
If you signed up for a cyber insurance policy a few years back, it is time to review and potentially update your coverages. The cyber landscape continually evolves, and what might have been appropriate three years ago may not be sufficient today. Make sure that the broker you are working with is advising you on all of your options.