Cyber & Data Breach Insurance: What is it and how is it underwritten?
When evaluating potential solutions for your organization’s cybersecurity program, you are likely only considering the ones that directly protect your computer and information systems. This might include controls for network security, application security, and information security. But what about financial security in the event an incident were to happen? Is there such a solution? The answer is YES, and it can come in the form of Cyber & Data Breach Insurance.
Similar to other lines of property & casualty insurance, cyber insurance provides indemnification (financial compensation) to an insured (or a third party) in the event of a covered loss. This type of insurance policy is considered a specialty coverage designed to protect organizations from risks associated with cyber-related incidents. These could include a data breach, a malware infection, a hacking incident, network extortion, or other types of events within cyberspace.
One scary truth about cyber insurance is that an estimated 69% of small to mid-sized businesses don’t have this type of coverage. This could be because of how relatively new the coverage is (at least compared to other lines of insurance). Nevertheless, this line of insurance is becoming increasingly important for the survival of businesses large and small. The coverage consists of two main (but equally important) components: first party coverage and third party coverage.
First Party Coverage
In the event of a cyber-related incident, there will be many costs associated with just getting the operation back to normal. These types of costs are covered under the first party coverage portion of a cyber insurance policy. Another way to look at this coverage is as the financial compensation that relieves the insured of the impacts felt directly by their own organization. Some of the common elements include (but are not limited to):
● Incident Response Costs (Forensics, Client Notification, Credit Monitoring, Public Relations)
● Business Interruption Costs (Loss of Profits from Shutdown, Extra Expenses to Restart Operations)
● Costs to Repair or Replace Data and/or Software Applications
● Network Extortion and/or Ransomware Costs
Third Party Coverage
In the event of a cyber incident, your organization may be deemed responsible for the data of other entities (clients, customers, vendors, etc.) that could’ve been compromised. Being held liable brings additional costs. Third party cyber coverage is liability insurance that covers the costs of being held responsible for not protecting the data of others.
Similar to other liability insurance policies, third party cyber coverage will cover costs associated with legal defense, damages, settlements, regulatory proceedings, and sometimes even punitive damages. Another component of third party coverage is payments to credit card companies in the event that an incident resulted in payment card information being compromised. (Note: Some carriers will also include Media Liability in their third party cyber insurance coverage for intellectual property claims, like copyright or trademark infringement.)
How is Cyber Insurance Underwritten?
Whenever an organization makes updates to their cybersecurity program, they not only enhance their security, but also make themselves more appealing to insurance underwriters. This is because the controls within an insured’s cybersecurity program are one of the determinants in an underwriter being willing to offer cyber coverage.
Insurance carriers and their underwriters are not in the business of losing money, so they will only provide insurance to those they feel are a solid risk. In order to determine whether or not to provide cyber insurance coverage, they will evaluate the insured’s cybersecurity program, past incidents/prior claims, and what types (and quantity) of information/data the insured stores.
Regarding the evaluation of an insured’s cybersecurity program, different carriers will have a different set of criteria. Some of the main, universal requirements, however, are the following:
● Utilization of a network firewall
● Utilization of anti-virus and anti-malware software
● Encryption of sensitive data and devices
● Software updates or patching procedures
● Formal incident response plan
● Security awareness training for employees
● Formalized organizational processes/procedures for information security
Depending on the current insurance market and the carrier, they may decline coverage if even just one desired control is missing from the insured’s program. (Note: Some carriers will also require confirmation of compliance with legal information security requirements where they apply; examples include HIPAA and PCI compliance.) Of course, if an insured has prior cyber insurance claims, or knowledge of information that could lead to a potential claim, underwriters will be less likely to offer the insurance.
The types of information that an insured has (or is responsible for) are also a critical factor. The more sensitive the information (and the more records stored), the higher the severity of the risk. So underwriters will want to ensure that proper controls are in place to prevent a potential incident.
Premium Rates Determination
Most liability coverages will use the size of the organization (in terms of revenue) to determine premiums, and cyber insurance is no different. Additionally, some carriers may provide premium credits or discounts for “checking boxes off” for the proper cybersecurity controls.
Also, just as other coverages will require a deductible to be paid prior to the coverage kicking in, cyber insurance does as well (though in cyber insurance it is called a retention). There will also be a waiting period for any claim being made on business interruption (loss of income) coverage. Both the retention and the waiting period will have an inverse relationship with the total premium cost (the higher the retention, or the longer the waiting period, the lower the premiums).
If an insured has prior cyber insurance claims but the underwriter is still willing to offer coverage, the carrier may require high premiums and a higher retention amount to balance out the risk.
Disclosure: The information presented here is designed to be just a baseline for cyber insurance. Be sure to consult with your insurance agent to get a full understanding of the coverage and underwriting process.