Discovering that a hacker just conned your business out of a large amount of money is probably one of your worst nightmares. For one organization, this nightmare came true. In December 2018, the Connecticut-based Save the Children Federation revealed that it fell victim to a business email campaign (BEC) scam the year before. The charity unwittingly transferred nearly $1 million to the hackers’ account.
Fortunately, the charity had cyber insurance, which covered most of the stolen money. The charity ended up losing only $112,000.
With BEC scams and other types of cyber attacks increasing in number and sophistication, more and more organizations are turning to cyber insurance to mitigate the risks and offset the costs of cyber attacks and other Internet- and IT-related liabilities. The cyber insurance market is expected to become a $10 billion to $15 billion sector in the next decade.
If you are considering purchasing cyber insurance for your business, here are five things to keep in mind:
Cyber insurance is not new. Its roots are in errors and omissions (E&O) insurance policies. Around 20 years ago, add-ons were attached to tech companies’ E&O policies. These add-ons covered incidents such as a tech company’s software program bringing down another company’s network. Eventually, the add-ons evolved into separate policies that covered a lot more types of incidents (e.g., data breaches). As the kinds of coverages increased, so did the interest in these policies by companies outside the tech industry.
Nowadays, there are many different types of cyber insurance policies being purchased by many different kinds of businesses. And as the Internet, cyber crime, and IT systems evolve in the future, so too will the cyber insurance policies.
Cyber insurance policies can be hard to compare because there is no set standard for underwriting this type of insurance. It is up to each insurance company to decide what it will cover and how to market that coverage. As a result, you might find that:
Although there is no standard for underwriting cyber insurance policies, they cover many of the same types of expenses. Insurance companies typically cover cyber incidents caused by both internal actors (e.g., errors and omissions by employees) and external actors (e.g., cyber attacks by hackers). Examples of items usually covered include:
As this list shows, cyber insurance usually covers expenses incurred by the insured business as well as third parties adversely affected by the cyber incident. This is referred to as first-party coverage and third-party coverage, respectively.
There are some costs and types of incidents that are not typically covered in cyber insurance policies. They include the loss of future revenue due to a cyber incident, costs to improve internal IT systems, bodily injury, and property damage.
In addition, it is important to know that a claim can be denied if a company misrepresents its security measures. Businesses are usually required to fill out an application that includes questions about the security measures they have in place. If a company submits a claim and the insurer can prove that the business did not have the specified security measures in place, the insurer can deny the claim.
Before shopping for cyber insurance, experts recommend that you start by identifying the following for your business:
With this information, you can get an idea of the types and amount of coverage needed.
I.T. is complicated. We make I.T. easy. If you have any questions related cyber insurance we can direct you to helpful resources or can assist in the process of gathering qualifying information to obtain cyber insurance, please contact us.