The Why and How of Cyber Insurance

Executive Resource
Use Weaver’s downloadable cyber-insurance tool to review common questions insurers ask before writing a cyber insurance policy and to self-address some important gaps.
November 8, 2022

Gathering the Information Needed by Both Insurers and Insured

In a world where data breaches are a question of when, not if, getting cyber insurance seems mandatory. At the same time — and for the same reasons — insurers are raising the bar to get this insurance and adding more coverage exclusions.

Is cyber coverage worth the time and cost?

For almost every organization, yes. Even with the work required to obtain cyber insurance, and creeping coverage limitations, cyber insurance provides protection against losses that could be catastrophic. Cyber insurance generally protects you against losses in five primary areas:

Any of these expenses alone — especially data-breach liability or ransomware — could severely set back an organization. And that is the very purpose of insurance: to protect against losses that could impair your operations.

Generally, premium rates for cyber coverage are based on factors such as the type of business or operations, the annual revenue, the employee count, the number and scope of sensitive records (such as social security numbers, payment card information, banking information or protected health information [PHI] under HIPAA), and geolocations (e.g., what regulatory protections are in place for your location). Underwriters then adjust the premium up or down — and may even decline to quote a policy — based on each organization’s professed cybersecurity practices.

And that’s why it’s important to do your homework before contacting insurers for quotes. Spending some time up front to gather accurate information about your current practices, and plugging obvious holes, will pay off in lower premiums, not to mention reduced risks.

What do you need to know about cyber insurance?

Just like any other insurance, as the risk of loss increases, costs and exclusions increase. Some policyholders have reported year-over-year increases as high as 100%. At the same time, coverage amounts are decreasing and insurers are writing in more exclusions related to certain threat scenarios such as business email compromise (BEC) or state-sponsored cyber-attacks.

As part of a policy’s annual renewal, your coverage may be reduced to meet a targeted deductible or premium, which seems like a good way to save money until you need to make a claim.

Unfortunately, because of these changes, more policyholders are struggling to understand what threat scenarios are covered. They may not understand until after filing a claim, for example, that coverage limits or exclusions were updated when a policy was renewed.

In November 2021, Lloyd’s of London offered insurers language for excluding state-sponsored cyber losses, such as losses:

  • Directly or indirectly related to war or a cyber operation
  • From war or a cyber operation performed in the course of war
  • From retaliatory cyber operations between specified states
  • From operations that damage the operational capabilities of a state, or the security or defense of a state, through actions that damage the availability, integrity or delivery of an essential service in that state

See Bloomberg Law for details.

From the insurers’ point of view, the struggle is to gain adequate information about their customers’ cybersecurity practices and risks. Do they have access to reliable insight regarding the volume and nature of data assets? How can they gain an understanding of their customers’ security controls and practices, and whether or how those practices evolve in the face of changing threats?

In order to assess whether cyber insurance is worth the cost, executives need the same information: What data assets exist, what security practices are in place, and what are the threats?

Gathering key information for an informed decision

What critical information is needed by insurers and customers to determine what coverage is needed and whether the cost is worth it? Generally, this information focuses on internal security practices, beyond simple yes/no questions such as “Do you have an incident response plan?”

Today’s cyber insurers are looking for more details, such as where organizations’ data are stored, the breadth of infrastructure supporting the IT environment, and who has access to tools and information. Like the “Safe Driver” plug-in for automobile insurance, more frequent and in-depth data regarding cybersecurity practices help carriers understand risk and match their coverage to each specific environment. Insurers are also offering their customers more access to security tools, services and assessments to help customers improve their security.

While the specific questions may vary, there is a core set of IT and security-related practices that carriers and underwriters consistently ask about in policy applications. If you understand your organization’s current practices, you will be better prepared to answer these questions to ensure you have appropriate coverage. Hopefully, this will protect you from future claim denials or reduced coverage.

Use Weaver’s downloadable cyber-insurance questionnaire to help you gather information on these core practices — and maybe even self-address some important gaps — before requesting an insurance quote. A second tab in the spreadsheet gives you a convenient place to store key coverage information for future reference. Using this tool can help put your organization in a better position to get a competitive quote for cyber insurance.

Download Weaver's Cyber Insurance Tool.

If the questions seem overwhelming, or you need help assessing your current security practices, Weaver can help. Contact us for more information or assistance in protecting your organization from data losses or other cyber threats.
