Brian Greenberg, CIO/CTO & Partner at Fortium Partners. Adjunct Professor at DePaul University, Board Member, Trusted Advisor, and Speaker.
As incredible as it may seem, people have been getting insurance for thousands of years. The Code of Hammurabi, written in 1755 B.C., is the first known legal text to describe the concept of insurance. Today, people and companies alike purchase insurance to protect themselves from financial loss. It’s a way to manage the risk that we experience in everyday life, such as auto insurance for car accidents or health insurance for when we get sick. Companies purchase insurance to manage the risk of running a business, like protection in the event of a fire with commercial property insurance or a workplace accident with workers’ compensation insurance. We use insurance to hedge against the risk of significant loss. These days, companies have been buying and exercising their cyber insurance policies for more than anyone would like or would have imagined.
What Is Cyber Insurance?
Cyber insurance is a specialized kind of insurance that protects organizations from the costs of technology-based risks such as ransomware, hackers and data breaches. These kinds of threats are usually not covered under traditional insurance policies.
A cyber insurance policy should include coverage for hacking, theft, the destruction of data and denial-of-service attacks, as well as protection against losses caused to others, including public relations costs, security audits and investigative expenses. Cybersecurity insurance is in addition to all the other steps that a business should take to protect an organization’s digital assets. To qualify for cybersecurity insurance and control the insurance costs, organizations usually have to complete a checklist of their cyber defenses, not unlike having smoke detectors, sprinklers and fire alarms when applying for insurance in case of fire.
What Does It Cover?
Typically, insurance companies write policies based on well-defined situations, such as a flood or fire event or how a person should operate a motor vehicle. These familiar situations allow insurers to cover specific risks based on their likelihood, which lets them write policies with a relatively predictable exposure for payouts. Cybersecurity, on the other hand, has not been defined in any static, meaningful manner, because the technology landscape and the threats are constantly evolving.
With exposures such as zero-day vulnerabilities, organizations can’t eliminate the possibility of data loss or business disruption. Every organization should opt for cybersecurity insurance as a sound business practice, similar to fire insurance. The challenge is understanding the policy’s language well enough to know what coverage it provides for the types of cybercrime the organization may experience. There are four broad categories of potential losses due to cybersecurity breaches: business and operational disruption costs due to recovery activities, ransom demands, legal liabilities and lawsuits.
It is essential to have specific language to address the recovery expenses and the loss of income for ransomware events. An insurance policy may only cover the cost of the ransom, which could be minimal compared to business losses due to the operational disruptions and the effort to recover the systems.
Insurance Companies Refusing To Insure?
A well-crafted cyber insurance policy will clearly define each category of coverage and spell out the risk assessment, the controls and systems required for policy compliance, and any potential exemptions. Several possible scenarios might cause an insurance company to refuse coverage in the event of a cybersecurity incident:
• Failure To Maintain: One potentially confusing aspect of cyber insurance is defining what is necessary for the policy to be valid. For example, traditional fire policies specifically outline the equipment and the procedures for testing and certifying fire prevention equipment and processes. However, cybersecurity is an ever-evolving domain. Because hackers keep introducing new, not-yet-seen attack vectors, it is difficult to define the minimum requirements necessary for prevention. An insurer can therefore invoke a blanket “failure to maintain” exclusion to deny coverage. A further challenge arises for businesses even when a “failure to maintain” has not caused an actual breach of any system: a few lawsuits have already been filed against businesses whose clients discovered already published security vulnerabilities that the business had not remedied. Unless this type of event is explicitly covered, a typical cyber insurance policy will not cover any expenses related to such lawsuits.
• Act Of War: Political conflicts may affect a business in several unexpected ways. An “act of war” can be interpreted in various ways, making room for another possible exemption clause that results in a denial of coverage. Because this clause lacks a clear definition for cybersecurity, an insurer can claim a breach was an act of war if the hackers are linked to state-sponsored activities. The same reasoning can be applied if the group demanding the ransom has suspected links to terrorism, which makes it illegal for insurance companies to make the actual payments, as doing so would put them in violation of specific laws against funding terrorist organizations.
Cybersecurity insurance should be another item on every organization’s checklist, next to secure backups, especially as cybercriminals employ more sophisticated methods to access organizations’ digital assets. This way, organizations can ensure that if and when their business-critical systems and information are compromised, they have the proper safeguards in place to minimize the financial impact of any security breach.