From both current and prospective cyber insurance policy holders, we are frequently asked what should be considered when purchasing a policy: what terms should be included, which aspects are important, and why. The answers to these questions are extremely complex, as cyber insurance is still in its infancy. Quantifying the risk of loss associated with these policies is extremely difficult, and understanding the effects of breaches and everything that needs to be covered is complex. These questions are not easily answered, and some can't be answered adequately today, but here is a high-level overview of what we feel are the key things to consider when purchasing a cyber insurance policy.
It takes an organization an average of 256 days to identify a cyber attack. Ask for retroactive coverage when first signing a contract. Some insurers will cover this (often at an additional premium), some will not. One way to lower the risk associated with this is to have an Advanced Penetration Test performed. Numerous times during those tests, previous breaches or attempts at attacking the network are identified. This lowers the risk of having to make a claim retroactively.
The high-profile Target breach in 2013 opened organizations’ eyes to the importance of vendor management. Make sure to get coverage for claims resulting from vendor errors in addition to your own. Similarly, if you handle any sensitive data for others, you need to make sure your liability to them is covered.
While we often think about cyber breaches as theft from cyber criminals, sometimes the threat is “inside the house.” Make sure to include coverage for any loss of data due to employees or others who could unintentionally contribute to a data breach or loss.
We are repeatedly finding that cybersecurity is no longer related only to an organization's server and PC environment. It crosses into nearly every physical asset of an organization as well. Door locks, security cameras, phone systems, HVAC, and all types of control systems are routinely accessible and exploitable by our team on a network. This adds another level of complexity to cyber insurance policies, as the lines become very blurred on which insurance product covers the physical aspect of a breach. Make sure you clearly understand your policy's coverage in the event that a "cyber-attack" on your physical systems leads to an additional physical breach of some sort.
Finally, cyber risk is extremely difficult for insurers to quantify, leading to policies that are more customized than non-cyber policies and therefore potentially more costly. Our clients ask us regularly, "If we get the Advanced Penetration Test, will our insurer give us a break on our cyber policy?" While the answer is often "no," we have recently been hearing "yes" from a few insurers as they begin to understand the benefits of this offensive approach to cybersecurity. So, be sure to ask your insurer for a lower rate after an advanced penetration test has been conducted and the findings have been remediated.