What does Cyber Insurance protect you from?
Cyberattacks affect businesses of all sizes and even protected businesses fall victim
At a time when an attack by cyber criminals is not a question of “if” but of “when and how hard” it will hit you, companies are putting all their efforts into preventing potential threats. There is a lot that can be done in this regard at any time, as cyber security is an ongoing process of ensuring that your protection always stays up to date with the latest threats. Yet over and over again, even protected businesses fall victim to security breaches, whether by ransomware, phishing, business email compromise or even through their supplier network. And that costs them money: huge sums lost through interruption of their operations, fines to third parties, fines for breaches of data protection regulations or simply by paying to get their data back or prevent it from being published.
The truth is, cyberattacks affect businesses of all sizes, not just large ones. And the more critical and regulated the industry, the worse the consequences can be. Imagine a bank suffers a data breach that compromises its sensitive customer data or access details. But what if, despite the damage incurred in case of a serious breach, you have a contingency plan that minimizes your losses and probably saves your business from facing insolvency? This backup plan is called cyber insurance.
Cyber insurance covers a company’s liability in the event that a cyberattack damages its infrastructure, disrupts operations and service delivery, exposes or blocks confidential information about business processes or private data of clients, etc. Admittedly, the insurance does not minimize the risk of an attack or spare IT admins many sleepless nights and overwhelming stress. However, it covers the resulting financial losses if an attack occurs and helps ensure the survival of the company. In other words, cyber insurance is an additional step in cyber risk management that complements the deployed cyber security mechanisms. Such a multilevel security strategy is particularly recommended for high-risk sectors that are constantly exposed to hacker attacks, such as healthcare, education, retail, banking and finance, service companies, manufacturing and the public sector.
Coverage of cyber insurance
Cyber insurance can be offered on a stand-alone basis or as part of a business insurance package. Here are the most common aspects that cyber insurance for businesses can cover:
- Cost coverage in the event of damage to the company
- Cost coverage in the event of third-party damage – affected customers of the company are compensated and unjustified claims are fended off.
- Reimbursement of costs for data recovery – recovery and rebuilding of the damaged computer systems
- Reimbursement of costs for IT experts and IT forensic experts – The insurance company sends specially trained IT experts to investigate and assess the damage and prevent possible subsequent damage. In some cases, an IT forensic expert is needed to collect the evidence.
- Reimbursement of costs and commissioning of specialized lawyers – covers the fees for insurance lawyers who are well versed in IT and data protection law
- Reimbursement of costs for crisis management and PR – Since such breaches can cause immense image loss, the insurance company will assign your PR department a crisis management team to mitigate the damage.
- Insuring persons (from managing director to working student) – insuring people who might be responsible for damages.
- (Ransom demands)
Companies can choose their most critical aspects to insure, depending on their needs, and even add some specific ones. Accordingly, the right type of insurance may save their business from ruin or at least reimburse them for their main losses, so that the business can recover quickly and regain its competitiveness without compromising on its development plans. The policy value will depend on various factors, such as the company’s annual turnover, number of employees, number of data sets, type of data and industry.
But the level and transparency of cyber security resilience and data protection is the main and crucial aspect.
Requirements for qualifying for cyber insurance
In order to be eligible for cyber insurance, companies must meet several important requirements:
- Implement continuous assessment and evaluation of risks
- Minimize risks in advance
  - The risk potential is decisive for the amount of the policy!
  - Good provision saves costs!
- Ensure basic technical protection
  - Check infrastructure
  - Always keep virus protection up to date
  - Build firewalls
  - Back up data (encrypted) daily on physically separate systems
  - Test restoring backups
  - Manage permissions (be careful with admin rights)
  - Encrypt data storage media
These requirements clearly show that a company must provide at least a satisfactory level of cyber protection in order to be eligible for cyber insurance. Again, cyber insurance is not an alternative or replacement, but an addition to a comprehensive IT security concept.
Cyber insurance does not cover intentional damage and damages of insured companies and persons. Insurance companies do not usually pay (in full) for gross negligence.
Does Cyber Insurance work?
Amidst all kinds of uncertainties, it is no surprise that the cyber insurance sector finds itself on the upswing. Although the majority of the market is still in the USA, it appears that Europe and the rest of the world are becoming increasingly interested.
At the same time, the high percentage of policies paid out has caused insurance companies to assess their customers more cautiously, driving up policy prices and security requirements. In market tests, the reliability and overall performance of cyber insurance is mostly rated positively. Insurance companies with an overall rating of “satisfactory” due to a higher policy received “very good” in terms of fairness. In the rating of cyber insurance policies, around 60% scored “very good” and “good”, but also almost 20% with only “sufficient” or worse.
It should be noted that insurance policies do not provide coverage in cases of war. The NotPetya attack that hit snack and chocolate manufacturer Mondelez in 2017 is considered a milestone in cyber insurance. The company suffered a disruption of its operations, logistics and services, as well as the theft of thousands of credentials, causing a loss of around 140 million US dollars. However, when Mondelez made insurance claims, the insurer Zurich Insurance denied them. The reason cited was that the malware attack was a result of the cyber war between Russia and Ukraine and therefore the exception for “warlike acts in time of war or peace” was applicable.
In order for insurance companies to determine the risk (and therefore the policy price) and security maturity of a prospective policyholder, they will look at things like malware defense, backup procedures, security controls, threat monitoring solutions, endpoint protection and access rights, and vulnerability to social engineering. Securing inbound and outbound email communications and your collaboration platforms is one of the most important items that will be put under scrutiny. A centralized solution that automates all critical activities to protect your communications provides the visibility and control over your system that insurers expect to see.
Secure your business and meet the Cyber Insurance requirements with iQ.Suite
iQ.Suite is an Email Management and Collaboration Security platform that provides enterprise-level security, productivity and compliance for your communication. It ensures that your email communication is protected and meets all corporate, industry and regulatory requirements. This is made possible by its comprehensive features such as advanced threat protection for email and collaboration platforms (Teams, SharePoint, OneDrive) with up to 4 scan engines, encryption, data loss prevention, content recognition and malicious link detection, domain whitelisting/blacklisting, etc. By increasing the resilience of your business and significantly reducing the risk of security breaches, iQ.Suite not only meets cyber insurance requirements, but also lowers the price of your policy.
Author: Uwe Dingerkus