
A cyber insurance policy checklist

January 16, 2018 by Penny Hoelscher

Use this checklist to help you purchase the best cyber insurance policy for your company.

Step 1. Determine if you need cyber insurance. Things to consider include:

  • Your company handles sensitive information, which includes, but is not limited to, ePHI or PII. Sensitive information ranges from stored contact details to health information, from financial information to personal preferences. The most innocuous information is often very useful to attackers. For instance, a watering-hole attack is a strategy attackers use to target a particular group, organization, industry or region. The attacker makes an educated guess, or observes, which websites a particular group visits often and infects one or more of them with malware. The group could be members of a book club, plus-size shoppers, pharmacists or volunteers for UNICEF. What matters is that they all have something in common.
  • You host a public website that interacts with customers and stores their login data. This point is not exclusive to e-retailers. If you have a blog and store your visitors’ email addresses, your readers’ private information is vulnerable to cyber theft.
  • You use a third-party vendor to manage your database, provide an online shopping facility, or as a supplier of the goods you sell. Unfortunately, despite an SLA, you never actually know what level of security a third party provides.
  • You own or use a website or online application, and rely on the security of your business for your income. Experts suggest that after the disclosure of two massive data breaches in 2016, Verizon managed to bring the price of its Yahoo purchase down by $350 million from the originally agreed figure, to $4.48 billion.
  • Your staff use BYODs. Lost and stolen devices may contain valuable information and provide easy access to core information in your company, including intellectual property. Do you trust your employees to manage your information as they would their own? Or would ordinary curiosity and the human tendency to gossip tempt them to share confidential data?
  • Do you have a nest egg tucked away that will cover the cost of a cyber attack? The U.S. Securities and Exchange Commission estimates that half of the small businesses that suffer a cyber attack go out of business within six months.
  • Your business relies strongly on confidentiality, e.g., you run a dating site or mental health practice.
  • Loss of information you gather from customers could result in an invasion of privacy, embarrassment or bullying. The Ashley Madison debacle springs to mind.
  • You are a prime target for ransomware or extortion. Imagine you run a medical facility and a hacker manages to cripple your system enough to threaten the lives of patients hooked up to life-saving equipment. What do you do?

Check any of the boxes above and you need cyber insurance. Remember, standard business liability insurance policies do NOT cover cyber liability.

Step 2. Consider these questions before selecting a cyber insurance provider & policy:

Insurance is a heavily regulated industry, but cyber insurance has no real, established standards. It is quite difficult to know exactly what you need to look for in a policy. Consider these questions:

  • How much insurance do you need and how much can you afford? Consider the average cost of a stolen record containing sensitive or confidential information at around $158, and then multiply that by the number of sensitive records you store.
  • What are your unique risks and what type of coverage do you need? For instance, do you store details of your customers’ credit cards or only their personal details? If the former, you will need to be PCI-compliant.
  • What should trigger your policy, e.g., only a deliberate cyber attack or any type of attack including an unintentional error by internal staff?
  • What should your policy exclude, e.g., unintentional human error or BYOD device theft?
  • What data must be covered and where is this data stored? Do you collect contact and financial details, but not personal details like age or gender? Is information saved on your network and not on personal devices?
  • What does the provider offer, e.g., a first responder service, legal costs and support over any downtime periods?

Step 3. Create a custom policy outline

We’ve covered some of the basics of what you need to look out for above. Here are more details to consider when creating your policy outline.

What is your risk level?

In 2015, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool (CAT). Use it to determine your preparedness for a cyber attack and identify what kind of insurance will best suit your needs. Also, the more prepared you are, the lower your premiums will be.

What type of policy is best suited to your business?

  • Package policies are general, all-purpose liability policies and you can mix and match parts to suit your own needs. These are well-suited to low-risk businesses.
  • Standalone policies provide specific coverage and have their own terms and conditions. Standalone policies are better for organizations that want to tailor their cyber insurance. Unfortunately, they are also a little pricier.

Who should be covered?

  • First-party coverage applies only to the policyholder, in this case, you!
  • Third-party coverage applies to anyone else who has been affected, e.g., your customers, third parties and innocent bystanders.

What kind of coverage do you need?

  • Network security coverage includes the cost of data breaches to third parties, theft of intellectual property and sensitive data, ransom demands and network failures.
  • Privacy liability coverage includes pretty much everything that network security coverage doesn’t, including less tangible losses and vulnerabilities like human error and the theft of devices. It includes the costs of notifying affected parties of a breach, regulatory fines, crisis management costs and forensic investigation.
  • Media liability coverage includes things like copyright and trademark infringements, malicious defacement of a website and libel.

How much coverage do you need?

There is no established formula for calculating the precise amount of cyber insurance coverage you need. One way to get an approximate figure is to calculate the cost according to how many records with sensitive data your business stores. Average costs for a compromised record are often estimated at anywhere from $150 to $200.

Adopting a slightly different approach, Verizon takes into account the variance between reported losses and the amounts companies actually pay, based on the average number of records (what it calls the base count) breached at companies. Using this model, its calculations estimate the forecasted average loss for a breach of 1,000 records at between $52,000 and $87,000 ($52 to $87 per record). However, as the number of records stolen increases, so does the cost PER RECORD to a company. Its average forecasted cost for 10,000 records is $143 to $223 per record.

The lesson to be learned: before taking out cyber insurance, make sure that you only store data you really need. When Mr. Joe Bloggs dies, is it really necessary to retain records of his purchasing history over the past 10 years?

Step 4. Ask your potential cyber insurance provider important questions, including:

Armed with the outline of what you’re looking for, here are some questions you need to ask your potential provider:

  • What types of incidents are covered? For instance, does your provider cover unintentional and non-malicious attacks?
  • What are the deductibles? In this area, cyber insurance works similarly to health, vehicle or home insurance.
  • Exactly how do coverage and limits apply to first and third parties? For instance, do legal costs cover your business liabilities only, or are your customers covered, too?
  • Consider the watering hole example above. Does the policy cover any attacks on your company, including as an unintentional victim, or only those which were targeted directly at you?
  • What are the timeframes within which you are covered? Some cyber attacks are not discovered for years. Are you covered six years down the line?
  • Are any third-party vendors, suppliers and business associates you do business with covered?
  • What is excluded from the policy, e.g., BYODs?
  • Does the policy cover you globally? For instance, it may exclude data theft or loss that occurs outside national borders.
  • What kind of response time can you expect in the event of a data breach?
  • Remember that nice, no-claim bonus you received from your vehicle insurer after four years? Will your cyber insurance provider increase your premiums if you ever have to make a claim?
  • Even at home, you will have noticed you have to update your computer’s virus protection software every few days. How does your (soon-to-be) new provider handle evolving cyber threats?
  • What are your responsibilities in this relationship, e.g., auditing or compliance obligations?

While insurers themselves won’t help you safeguard your data, abiding by the terms of your policy can help you minimize security risks.

Step 5. Follow this advice to increase your chances for a successful claim:

Many insurance companies will try to avoid paying cyber insurance claims. Follow this advice to increase your chances for a successful claim:

  • Ensure you have read the small print before you purchase a policy. Remember, cyber insurance policies are very negotiable because, as we’ve learned, there is no real underwriting standard. Yes, you can actually tailor your own policy. Do get your own legal counsel and make use of the FFIEC’s CAT to assess your own vulnerability.
  • Make sure you have complied with any regulations that are your responsibility and, if necessary, complete required audits regularly. Remember, most states in the U.S. have mandatory requirements for data breach notification. Late notification of a breach is perhaps the most common reason a claim is denied by a carrier.
  • Take steps to mitigate your data risk. Ensure your software is up to date and your employees receive regular security awareness training. Institute your own incident response guidelines and pentest your system. You may find that, in terms of your policy, you have to upgrade your software regularly and not just patch it.
  • Use the questions in Step 4 above to close any gaps between your expectations and what your policy actually provides.

Penny Hoelscher

Penny Hoelscher has a degree in Journalism. She worked as a programmer on legacy projects for a number of years before combining her passion for writing and IT to become a technical writer.