Cyber Insurance is a broad term that refers to insurance protection from risks related to a business’s information technology systems, particularly with regard to its data and internet exposure. Common examples include a data breach in which personally identifiable information is exposed or a cyber-attack in which a company’s network is disabled.
Cyber-attacks and other security incidents involving personally identifiable information are increasing. A survey by Price Waterhouse Coopers found that, “the number of detected information security incidents has risen 66% year over year since 2009.”
Businesses that collect or maintain personally identifiable information (data that could identify a specific person), as well as those that would be harmed by a network failure, should have some type of cyber coverage. Businesses that process credit card transactions should also consider obtaining cyber-insurance coverage.
Cyber-insurance can provide first-party and third-party coverage. First-party coverage provides direct protection for the insured for losses incurred. Examples of first-party coverages would include:
- The cost of notifying customers after a breach
- Legal costs involved with regulatory compliance after a breach
- Business interruption costs
- Data restoration costs
Third-party coverage protects the insured by agreeing to indemnify a third party in the event of a liability loss (liability coverage). Examples would include:
- Legal settlements related to the release of customer data
- Legal defense costs
- Government fines
Recommendations for purchasing cyber-insurance coverage:
- Evaluate the risks your business faces and purchase the coverage that’s appropriate to cover those risks. For example, if your company maintains personally identifiable information, consider obtaining network security or enterprise privacy liability coverage to provide protection in the event of a data breach. If your company would suffer a loss in the event of a system failure due to a network attack, consider purchasing network interruption, business income and extra expense coverage.
- Obtain coverage for retroactive events. Many policies provide coverage for claims that “occur” during the policy period. Policies can also be written to provide coverage for claims that are made during a policy period even if they occurred prior to the inception of the policy. This is important for cyber coverage because breaches may go undetected for a long period of time.
- Understand what you’re covered for. Unlike many other lines of business, cyber-insurance policies are not standardized. A policy from one company may have coverages and exclusions that are completely different from a policy issued by another company.