Cyber Insurance 101 for Beginners - What Small Business Owners Need to Know


In this article, I will explain what cyber insurance is, how the insurance works, its features and benefits, what's normally covered and excluded, and how insurers can provide an instant response service. This article is “Cyber Insurance 101 for Beginners”.

The cyber threat to small businesses has never been greater than now and the financial livelihoods of small business owners could be severely impacted by a cyber-attack. Hey, it's John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber, where I help small business owners get to grips with cyber risk. This short series of articles about cyber risk and cyber insurance will help you prepare for an incident and keep your small business and your people safe. Now, today, as we near the end of this series, we'll investigate cyber insurance 101 for beginners. Make sure you stick around to the end because I'm also going to share some interesting findings from a 2022 report about cyber insurance that you'll want to hear.

So here's what I will cover in today's article.

  • I'll begin by explaining what cyber insurance is in simple terms.
  • Then I'll move on to the cyber insurance process and I will look separately at the underwriting and the claims handling.
  • Next, we have the features and benefits of cyber insurance, including what's covered and what's usually excluded.
  • In the fourth section, I look at claims and specifically incident response within the claims process.
  • And I'll finish by talking about some interesting findings from a 2022 UK report on cyber.

What is cyber insurance?

So, what is cyber insurance? Well, it is a specialist standalone insurance policy designed to protect companies against the financial effects of a cyber incident. It provides both first-party and third-party cover and access to specialist value-added services. First-party losses are losses that the insured company suffers directly, while third-party losses are losses that others suffer because of the cyber incident for which your company is responsible.

It might be helpful to think of this type of insurance as a combined property and liability insurance that provides both financial cover and value-added services for cyber losses. The cover is provided in three separate phases: pre-incident, during the incident, and after the incident. Cyber insurance policies are complex documents and, to get a good understanding of the content, they need to be considered carefully. A good place to start is the insurance product information document, or IPID. For today's article, I'll explain some of the main features and benefits of cyber insurance, concentrating on what's covered, what's excluded, and the claims obligations under the policy.

The IPID sets out all of the main issues of the policy as a mandatory disclosure requirement under European Union law. As we consider what's covered by a cyber insurance policy, it's vital to understand that no two cyber policies are the same and the coverage can vary widely. Therefore, you need to read the policy to establish the extent of the cover that you're getting.

What’s covered by cyber insurance?

In general terms, the coverage of a cyber insurance policy tends to include the following:

  • We'll begin with access to an incident response manager and an expert incident response team when you have a cyber incident. This access has to be around the clock, not just during business hours.
  • Next, we have data breach costs - these are the third-party costs that are incurred to manage a data breach, including IT forensics, legal services, public relations consultants, data subject notification costs (because you will have to tell people whose data has been impacted by the cyber event), call center costs if there are lots of people involved, the costs of dealing with regulators, and credit monitoring costs for the people involved if their credit has been affected.
  • Next, we have the cost of ransom or cyber extortion payments, and these could arise from a ransomware attack.
  • We can't forget about third-party claims also, because we could be liable for damages and legal defense costs that would be incurred in defending a claim by a third party because of our cyber-attack.
  • Business interruption can be a huge issue in a cyber incident and the business will certainly suffer a loss of income and extra costs involved in dealing with the cyber event.
  • Dependent business interruption was added to cyber policies in recent years and it's not always available. This covers loss of income when a cyber-attack disrupts your IT systems and those systems are operated by an outsourced IT provider.
  • Another cover that may be available is E-theft, which would be the loss of financial assets due to a cyber-attack.
  • We may see social engineering-based theft referred to in these policies. This is theft caused by the psychological manipulation of people into doing things that they wouldn't ordinarily do, and the policy may specifically state whether it is covered or not covered.
  • Data loss mitigation should be covered in the policy. This covers the third-party costs that you need to incur to restore your damaged data or software and to prevent further damage to your systems.
  • Cover for regulatory actions may be available in a cyber policy. This would be your legal costs to defend yourself, and perhaps fines and penalties imposed by a regulator. This cover is generally only available where it is insurable by law.

Again, it’s important to state that no two cyber policies are the same so when considering cover, you must read the policy carefully.

Some Common Exclusions

The exclusions to cyber insurance policies tend to be issues dealt with in other forms of insurance.

  • Damage to property tends to be covered by property policies, and bodily injury, illness, or death by liability policies.
  • Claims or circumstances known to the insured at inception should not be covered.
  • Core internet infrastructure failure could be an exclusion in some of these policies, simply because the risk is too great for an insurer to bear.
  • Personal liability of directors would be covered by a Directors and Officers policy and professional liability would tend to be covered by a professional indemnity or errors and omissions policy.
  • Uninsurable fines have been referred to earlier.
  • Dishonest acts should not be covered by policies, because it would be against public policy to be able to insure your own dishonesty.
  • Cyberterrorism may or may not be covered by the policies. There is a growing trend to exclude terrorism from cyber insurance policies and this is a very topical issue.
  • And finally, events that occurred prior to the retroactive date should not be covered. These are events that take place before a date specified in your policy. This is important because cyber events take up to 18 months to discover on average, so you must check if a retroactive date applies to your policy.

How the insurance process works

Now we look at the ways in which an insured company will deal with its insurer. The two main areas are underwriting and claims handling.

On the underwriting side, it's important that the insurer gets all the relevant information to do an insurance risk assessment, and that's mainly done through proposal forms. Increasingly, cyber insurers are collecting technical data on the risk as well. So, financial and technical details will be collected, including the type of data that your business deals with, the volumes, the extent to which you have outsourced IT, and the other security measures in place, and all of this information will form part of the underwriting.

What the insurer is looking for is evidence of your cyber posture, and issues such as your business continuity plan, and especially any incident response plan will be vital. They will also review your claims experience for prior cyber incidents. When the analysis is done, a quotation will be issued by the insurer usually through an insurance broker. You may have the option to deal directly with your insurer or you may choose to use a broker. Cyber insurance tends to be a specialist area that requires the help of a specialist cyber broker.

On the claims side, it's important to stress that cyber claims can be very complex. The insurer will either have an in-house claims team or they will deal with external claims handlers who are specifically appointed for cyber insurance. There will also be an insurer-appointed expert Incident Response panel to provide all of the services that will be needed to deal with the cyber incident. The insurer will have, either in-house or externally, the forensic IT support and all the other services that are required. And finally, the claim reporting obligations will be important, and we'll talk about those separately.

Cyber insurance claims obligations

It's important that insureds understand the claims obligations under their cyber insurance policies. For example:

  • You must tell the insurer as soon as possible if there are changes during the policy period, which might materially affect this policy. A material change is one that might affect the insurer's decision to insure the risk in the first place, or the terms offered or the premium charged. This is a very broad clause, but it puts the onus squarely on the insured to keep the insurer informed.
  • You must provide notice to the insurer as soon as reasonably practicable after an event occurs, which could result in a loss or a claim. So, that means you can't deal with a cyber event on your own and tell the insurer later.
  • You must not admit liability or make any offer or payment to a customer or a third party without prior written consent. That's a standard clause also. Again, you can't just go and deal with the event and come back to the insurer with the bill.
  • You must provide full and accurate information and assistance and cooperate with the insurer in the event of a claim. That's to be expected.
  • Finally, if you think that a crime has been committed, you must report it. This is often found in a cyber insurance policy.

Again, every policy is different, and you've got to read the policy carefully to understand what your claim reporting conditions are. Finally, you must consider any plans you have already in place and make sure that they tie in with the cyber insurance claims obligations.

Benefits of an Insurer Incident Response Panel

In the event of a cyber incident, you get near-immediate and confidential support from an expert panel of responders provided by the insurer on a 24/7/365 basis as a benefit of insurance protection. The objective of the expert panel is to minimize the damage by acting decisively and quickly to get you back in business as soon as possible. The interests of the insured and the insurer are aligned to a large extent, because both want to minimize the loss arising from the cyber event and the disruption to the business, so the insurance covers the incurred costs of these experts, including:

  • IT forensic investigation costs to establish all the technical aspects of the cyber-attack and, for example, whether the event is still continuing and which systems have been impacted.
  • Legal service fees for general legal advice and legal advice on regulatory issues.
  • Breach notification services, call center services, credit monitoring for customers, public relations advice, and some crisis management advice if required. The services needed will depend on the severity of the cyber-attack.

The main point is that as many experts as are needed should be provided by an insurer through an expert panel, and this help should be urgently available on location, online, or by telephone or email, depending on the circumstances of the cyber event. The insurer's help with the incident response is one of the major benefits of cyber insurance. This is especially true because it would be hard for small companies to independently arrange access to these highly specialized experts, especially in a crisis situation.

The alignment of interests with the insurer to minimize damage is a valuable benefit. Also, the insurer is handling many cyber events through its expert panel every year. They have the experience of what to do and what not to do in a cyber incident that most small companies won't have. In fact, I recently heard from an expert that 70% of his emergency calls came from lawyers after they had been engaged by clients to help deal with an incident. In most cases, there was no contract provision with their IT support for a cyber incident response service. This shows how poorly prepared many small businesses are to respond to a cyber incident.

And finally, it must be noted that the insurer has significant input on how the incident will be handled through the claims process, but the cost of those experts will be covered by the insurance policy.

Some Interesting Findings about Cyber Insurance

Earlier in the article, I said I was going to share some interesting findings about cyber insurance from a 2022 report that you'd want to hear. All of these findings come from the Hiscox Cyber Readiness Report 2022.

  • 64% of companies now have cyber insurance, either as a standalone policy or as part of another policy, up from 58% two years previously. 35% of larger firms, with 250 or more employees, and a slightly lower 28% of smaller firms, have a standalone cyber insurance policy.
  • The top three reasons for taking out cyber insurance were concerns about data security, the ability to access expertise, such as crisis management or IT forensics services, and the need to show clients that the firm is serious about cyber protection. Those three reasons are interesting, particularly the last one, as it shows that clients are looking for assurance that the firm is taking the need for cyber protection seriously.
  • Insured firms are more likely to respond to a cyber-attack by stepping up their defenses than the uninsured. This could be because of pressure from insurance companies on their insured customers to take proactive steps to reduce cyber risk.

Thanks so much for reading today's article. I hope you found that helpful in introducing the topic of cyber insurance for small businesses. Now, before you go, I want to give you access to my free cyber resilience video workshop, “How Small Business Owners can Create their First Cyber Resilience Plan in Less than 30 Days”. It's full of practical tips that you can implement. You should use the link to get access now.

I hope to see you again soon for the final article in the series when I explore the question, "Does cyber insurance have a future?"