Part 1 of this series described the purpose and history of Cybersecurity insurance. With that in mind, Part 2 will lay out the advantages and disadvantages of this specialized type of insurance, based on what it does and does not cover.
Cybersecurity insurance typically covers the following losses:
1) Any damage or loss to Electronic Data. This includes any “damage, theft, disruption or corruption” to the Electronic Data that a business or corporation may possess. It even covers loss or damage to your employees’ workstations, laptops, or wireless devices. However, for coverage to apply, two criteria must be met:
- The damage to the Electronic Data must be the result of a Cyberattack.
- The Electronic Data must reside on company-issued devices.
This provision will also provide coverage to recover any hijacked, lost, or stolen Electronic Data, and even covers the costs associated with hiring a specialist to accomplish this task.
2) Any lost income or expenses experienced due to a Cyberattack. To a certain extent, many insurance providers will cover any monetary loss resulting from a Cyberattack, whether it is lost revenue or extra expenses incurred because of it. However, this coverage is typically different from the normal coverage afforded by a standard Commercial Property Policy, which applies only to monetary losses incurred to the physical property of a business entity.
3) Losses from Cyber extortion. This can be specifically defined as follows:
“Cyber extortion is the act of cyber-criminals demanding payment through the use of or threat of some form of malicious activity against a victim, such as data compromise or denial of service attack.” (Source: 1)
Ransomware is a typical example of Cyber extortion. Under this kind of Cyberattack, the hacker sends Malware to your computer or server, which will lock up the screen and any other mission critical files that reside within it. The hacker will typically ask for a ransom, made payable using a virtual currency such as Bitcoin. Theoretically, once this is paid, the Cyberattacker should send you the decryption key to decrypt and unlock your screen and files, but in reality, this rarely happens. Cybersecurity Insurance will cover this from two perspectives:
- Any costs associated with responding to the Cyberattacker.
- Any ransom money that you have paid them.
4) Costs of Notification. After a security breach has impacted an organization, many regulations now require the C-Suite to provide written notification to the affected stakeholders, which typically include customers, suppliers, etc. Cybersecurity insurance will cover the following:
- The costs associated with notifying the stakeholders (such as letter preparation, the costs of sending the letters out, etc.)
- Any related legal expenses
- Providing credit monitoring services to the impacted stakeholders (this is typically for one year).
- In some cases, the costs that are associated with setting up a temporary call center to address stakeholder questions and concerns.
All of the above are known as “First Party Coverages” and are subject to a deductible based on the type of Cybersecurity insurance.
Cybersecurity insurance also provides what are known as “Third Party Coverages”, which typically arise from claims that have been filed by the affected stakeholders against the organization, as well as any monetary settlements that are subsequently agreed upon. Typical examples of Third Party Coverages include the following:
- Network Security Liability. These kinds of claims arise when lawsuits are filed against a business entity after a major breach in which Personally Identifiable Information (PII) has been hijacked as a result of a Distributed Denial of Service (DDoS) attack, Virus, Malware, or any unauthorized access to the database in which the PII resides.
- Network Privacy Liability. This differs from the above: here the Cybersecurity Insurance policy will cover any claims made on the grounds that the organization did not adequately protect the PII that was stored on the database. Inadequate protection often refers to not deploying and applying the latest software patches and upgrades, letting unauthorized users gain access to the database when there was no need for them to in the first place, etc.
- Electronic Media Liability. Typical examples of this include:
  - Copyright infringement
  - Domain name infringement
Cybersecurity Insurance will only cover infringement if the copyrighted content or Domain name has been published and distributed maliciously over the Internet, without your prior knowledge.
Cybersecurity insurance usually does NOT cover the following:
- Anything in excess of your policy limit or sublimit. Any costs or claims that exceed the limits of your current Cybersecurity Insurance policy will not be covered. In these cases, if more coverage is needed, you will have to purchase a new policy, which will be more expensive. A sublimit can be specifically defined as follows:
“A limitation in an insurance policy on the amount of coverage available to cover a specific type of loss. It places a maximum on the amount available to pay that type of loss, rather than providing additional coverage for that type of loss.” (Source: 2)
For example, there may be a sublimit on the costs related to a forensics investigation, which would place a cap on that specific kind of activity.
- Loss of Intellectual Property (IP) or corporate Trade Secrets. At the present time, Cybersecurity Insurance does not cover this, because the industry cannot quantitatively gauge with certainty any losses that occur because of a devaluing in this area.
- Loss to reputation and brand damage. The insurance industry has no current financial methodology to quantify the risk in these two areas. The present view is that it is up to the CIO or CISO to provide protections in this area, and to absorb any financial expenses that are incurred.
- Expenses due to business interruptions or downtime. In this instance, any monetary loss incurred is not covered by a Cybersecurity Insurance policy.
- Any security breaches that have been caused by negligence. The insurance industry will not provide coverage for an organization that maintains poor “Cyber Hygiene”. Although this is a qualitative term, it can stem from such things as not implementing a Security Policy, being out of compliance with regulatory agencies within the federal government, or even failing to maintain the minimum standards set forth by the insurance company that is providing the Cybersecurity Insurance.
- Threats posed by Nation State Actors, which can be specifically defined as follows: “They work for a government to disrupt or compromise target governments, organizations or individuals to gain access to valuable data or intelligence and can create incidents that have international significance.” (Source: 2).
- Insurance companies do not provide coverage for any hacks or Cyberattacks that have been determined to be terrorist in nature. Typically, this will involve the Fortune 100 companies, which have a large international presence and a lot of Personally Identifiable Information (PII) at risk.
- Remediating IT Assets. Any costs that are incurred to make an IT Asset more fortified after a Cyberattack are not covered.
- Losses to Physical Property. As described earlier, Cybersecurity Insurance will typically cover only those losses that are deemed to be digital in nature. Thus, any expenses incurred to the Physical Property of an organization will not be covered. So, for example, if there was a Cyberattack that damaged the Critical Infrastructure of a city (such as the water supply, electrical power grids, oil/gas pipelines, etc.), these would not be covered.
The following illustrations (not reproduced here) depict what is and is not covered by a Cybersecurity Insurance policy: one shows what is covered, the other what is not covered.
Insurance industry under fire
It is important to note at this point that the insurance industry is often criticized for the following reasons:
- There are currently no efforts underway to create quantitative financial models or to develop other risk assessment tools so that more insurance coverage, especially for intangible losses, can eventually be offered to businesses and corporations.
- Insurance companies are only providing Cybersecurity insurance to make themselves more profitable. For example, a recent study by the Financial Times demonstrated that in 2017, the Loss Ratio (the monetary amount of claims paid divided by the monetary amount of premiums that have been paid in) was only 32%. In other words, for every $1 million in premiums paid by an organization, a mere $320,000 is being paid out in claims.
Armed with this knowledge about Cybersecurity insurance coverage, you may be ready to start shopping around for insurance for your own organization. The next article in this series will outline the factors insurance companies consider when providing coverage, and what you, in turn, should consider when selecting an insurance company to provide Cybersecurity coverage.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.