Executives are increasing their cyber insurance coverage after watching the growing number of ransomware reports, business email compromise, and other cyberattacks.
But cyber insurance remains a challenging product for insurers and customers alike. Actuarial data is still evolving. Several sources report buyers should expect price increases, especially with many people still working at home, away from the security protections in a corporate environment.
Harvard Business Review recently warned that companies also should consider using self-insurance mechanisms to cover potential exposure.
Companies “should still invest in coverage, in part to help the market grow, but they also need to look for other ways to cover their potential exposure, including self-insurance mechanisms that range from simply carrying additional capital to address future cyber-attacks through the creation of specific risk-financing activities that function like insurers,” HBR said.
What kind of cyber insurance should you buy? Experts recommend you consider looking for a standalone policy instead of coverage bundled into property or other coverage. Standard coverage left some companies exposed to losses following 2017’s NotPetya malware attack.
Insurers denied claims, saying NotPetya was an Act of War. (Security researchers believe Russia developed the NotPetya malware to disrupt the Ukrainian government. Global companies that did business in Ukraine got the malware as well.)
“There is a fundamental difference between dedicated cyber policies and this idea of either silent cyber or partial coverage grants,” reported Insurance Journal in August. “What NotPetya really laid bare was this idea that if you’re selling a half-baked cyber coverage grant inside of some other policy, you’re playing with fire. And if you’re an insured, you’re not buying a product that’s fit for purpose.”
What coverage do you need to protect against a breach?
Cyberattacks, especially those sponsored by rogue nation-states, usually do more than lock up your data for ransom. Among the other costs you could face are:
- Replacing bricked equipment, including your servers, phones, and laptops.
- Extra help and overtime to reconstruct encrypted and therefore lost business records. (Not all hackers supply valid decryption keys when their ransom is paid.)
- Costs of required notifications to the tens, hundreds, or thousands of people affected by your breach, who may take considerable effort to locate.
- Legal fees to protect you and your organization when affected parties file lawsuits.
- Forensics and remediation costs to discover the malware source and ensure its full removal from your systems.
- Potential regulatory and prosecutorial investigations and fines.
- Losses if major customers halt doing business with you because of your breach.
- Reputation management and public response campaigns by a professional PR firm, especially if the hackers decide to post your customer records or other business data publicly.
Further, cyber insurers are tightening their requirements. Applicants may have to implement “reasonable” security steps, including having multifactor authentication, access management, data backup, and other measures.
Companies that fill out paperwork for cyber coverage may have to attest to their security measures. If those measures lapsed or were never initiated, insurers could deny subsequent claims for losses due to a breach.
Among the top insurers writing cyber insurance policies are Chubb, Beazley, AXA, AIG, and Travelers. A good agent will help you define your coverage needs – and the cybersecurity measures you’ll need to have in place – to get the cyber insurance you need.