The purpose of any type of insurance is to protect your most valuable assets so in order to combat the prevalence of cyber attacks and data breaches, an increasing number of businesses in the health-care, financial services and technology industries have purchased cyber insurance policies to protect themselves from the crippling cost of a data breach. Cyber insurance is especially popular among start-up tech companies in Silicon Valley in order to safeguard their intellectual property (IP) since their IP is the backbone of their livelihood1. Since small businesses generally don’t have a risk manager and IT department dedicated to data security, a good cyber insurance policy can help mitigate cyber security risks.
Although accepted in some sectors, cyber insurance is still not an established part of many companies’ IT data security strategies. This is commonly due to a lack of agreed risk management standards and the challenge of substantiating and quantifying losses, in addition to finding objective data to back up cyber insurance claims. Some security experts feel that the federal government needs to kick start growth in this market by requiring government contractors to purchase cyber insurance to set a standard for other businesses, sending a message that any company who has cyber security insurance is a signal that the company is competently managing its data security.
As the cyber insurance industry evolves, here is a list of what cyber insurance policies generally cover and what to look for when considering cyber insurance:
- First-party claims – Costs incurred by the loss of trade secrets and intellectual property.
- Third-party claims – Damages a business must pay to customers who sue them for lost or compromised personal information.
- Business interruption coverage – In the event a data breach incident prevents the company from operating or functioning, the company would receive payment reimbursement for expenses incurred due to loss of business.
- A forensic IT investigation – Policies can cover the cost of an examination into how the data breach occurred and some may even cover the costs of regulatory fines and penalties in addition to the crisis management control which includes data breach notification letters.
Security professionals stress that cyber insurance is not meant to be a substitute for data protection and security policies. In fact, before underwriting a policy, an insurance company will be hyper vigilant in determining that their customers have proper protections and policies in place since the insurance company will want to reduce its own risk. And since insurance has been a positive influence on other industries to improve performance and safety due to risk mitigation, the theory is if a company has cyber insurance, the hope is they will implement proper preventative measures to ensure that they will never have to use it.