Article: Cyber Insurance

What is the history of cyber insurance?

Cyber insurance was first offered in 1997 as Internet Security Liability by the American International Group (AIG). Even then there was a recognition that risk was difficult to estimate due to the rapidly evolving internet environment. Initially, it was supposed to protect retailers who collect credit card data, like Amazon, offering $250,000 for legal costs and settlement fees. Since then, it has become the fastest growing sector of the insurance business.

What does cyber insurance cover?

Cyber Insurance comes in two general types: first-party coverage and third-party coverage. First party coverage protects data (including employee and customer information). This coverage includes:

1. Legal counsel.
2. Recovery and replacement of stolen data.
3. Customer notification and call center services.
4. Lost income due to business interruption.
5. Crisis management and public relations.
6. Cyber extortion and fraud.
7. Forensic services to investigate the breach.
8. Fees, fines, and penalties related to the cyber incident.

Third-Party Coverage protects you from liability if a third party brings claims against you. This type of coverage usually includes:

1. Payments to consumers affected by the breach.
2. Costs for litigation and responding to regulatory inquiries.
3. Claims and settlement expenses relating to disputes or lawsuits.
4. Other settlements, damages, and judgements
5. Losses related to defamation and copyright or trademark infringement.
6. Accounting costs.

Regardless of these general guidelines, you should carefully read the provisions of the insurance as there are variations and exception in all policies.

(Source: National Association of Insurance Commissioners. Ftc.gov/small business)

What do insurance carriers demand of you?

As this insurance type has developed and as the risks are better understood insurance companies are demanding a set of security controls for insurance. This includes:

1. Multi-factor Authentication: MFA is increasingly seen to be the “gold standard” for network access. This system uses more elements than the usual ID and password to identify approved users.
2. Security Awareness Training & Testing: To ensure employees are up to date on cyber threats. Phishing simulations reinforce the training.
3. Separate Backups: One backup set is not considered enough, two are needed to ensure redundancy. It is important that backups be in different locations.
4. Endpoint Protection and Response (EDR): This is critical to stopping and limiting the effects of malware and ransomware.
5. Vulnerability Management: this refers to a continuous process of detecting and mitigating exposures.

(Source: Aldridge https://aldridge.com/5-requirements-to-get-cyber-insurance/)

Do You Need This?

Every organization needs to consider their own risks and vulnerabilities. Consider the information you keep and what the consequences of data loss and exposure to your organization’s operations and liabilities. Consider whether your information is privileged in any way: personally identifiable information or HIPPA compliance issues should be considered.