7 Things You Need to Know Before Buying Cybersecurity Insurance
Cybersecurity insurance, also known as cyber risk insurance, cyber liability insurance or data-breach liability insurance, helps an institution recover from the financial losses related to a security breach or other cyber event.
Cybersecurity insurance isn’t required.
Regulators don’t require cyber insurance. That doesn’t mean you don’t need it, though. The global average cost of a data breach is $148 per lost or stolen record and costs $3.86 million, according to a report by Ponemon Institute. Meanwhile, the creativity of hackers and other fraudsters have caused cybersecurity attacks to steadily increase. Regulators have an opinion on cybersecurity insurance. The Federal Financial Institutions Examination Council (FFIEC) members, including the OCC, FDIC, Fed and NCUA, offer best practices for buying .
Your general liability or business interruption policy may not cover cyber events.
Some insurance policies specifically exclude cyber events. Review your current insurance coverage to understand what is and isn’t covered. You can purchase cyber insurance as standalone coverage or as a rider to an existing policy. Shop around because prices can vary dramatically among carriers.
Your cybersecurity insurance policy may not cover every breach.
Just as with car and home insurance, every policy and insurer is different. Understand the scope of the cybersecurity insurance policy you’re buying. For instance, a policy might cover a cyber breach at the institution but not a third-party vendor breach. It may also exclude cyber terrorism.
Cybersecurity insurance doesn’t always cover your institution the way you expect. When fraudsters accessed debit card numbers and stole $2.4 million from a Virginia bank by tricking employees into opening a fraudulent email, the bank’s insurance company said that under the debit card rider the bank was only eligible for $50,000 in reimbursement. The bank argued the computer and electronic claims rider, which provides full reimbursement, should apply, American Banker reports. The insurance dispute is currently being decided by the courts.
There is a difference between first-party and third-party coverage.
First-party coverage includes direct expenses, such as customer notification, event management, business interruption, denial of service attacks, and cyber extortion from ransomware. Third-party coverage includes claims made by customers, partners or vendors due to a cyber incident. Some polices just cover first-party expenses, while others cover both. Know which category and amounts of coverage you need, and make sure you note policy exclusions.
Not every policy uses the same terms making it tricky to compare.
Because cyber insurance is an evolving field, terminology and other elements of underwriting vary between providers and can change. Meanwhile, every institution is different, making a careful cyber risk assessment critical when purchasing cyber insurance. You can’t just copy a peer bank’s policy. Identify, measure and monitor the potential risks your institution faces, estimate the potential costs of an event, and determine how likely an event is to occur before buying a cybersecurity insurance policy.
The financial strength of your insurance company is extremely important.
Due diligence of your insurance provider’s financial stability and past claim payouts is especially important, particularly if multiple institutions end up filing a claim to a large-scale event. If a big breach hits many firms, the company needs the resources to pay out all the claims.
Cybersecurity insurance is no substitute for risk management.
Your institution must be able to meet the insurance company’s risk management requirements to purchase cybersecurity insurance and remain eligible for coverage and any potential payout. That includes identifying, measuring, mitigating and monitoring cyber risk exposure. Strong controls are a must.
Also, while cybersecurity insurance can make your company whole financially, it can’t repair reputation damage and the loss of revenue from missed product and service sales or dissatisfied customers.