Network Security: What is Cyber Insurance?
Cyber insurance related to network security doesn’t protect your company from cyber crime such as being hacked, but it mitigates loss should a significant security event occur.
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is meant to offset costs related to data recovery after a cyber-related hack.
Per CIO.com, the following are common reimbursable expenses:
- Investigation: A forensics investigation is necessary to determine what occurred, how to repair damage and how to prevent the same type of breach from occurring in the future. Investigations may involve the services of a third-party security firm, as well as coordination with law enforcement and the FBI.
- Business losses: A cyber insurance policy may include similar items that are covered by an errors & omissions policy (errors due to negligence and other reasons), as well as monetary losses experienced by network downtime, business interruption, data loss recovery and costs involved in managing a crisis, which may involve repairing reputation damage.
- Privacy and notification: This includes required data breach notifications to customers and other affected parties, which are mandated by law in many jurisdictions, and credit monitoring for customers whose information was or may have been breached.
- Lawsuits and extortion: This includes legal expenses associated with the release of confidential information and intellectual property, legal settlements and regulatory fines. This may also include the costs of cyber extortion, such as from ransomware.
In the wake of the WannaCry ransom-worm, which mainly impacted Asia and Europe, CLIC insurance customers have started to file cyber-damage claims. Per CyberHeistNews.com, the estimated total financial damage caused by WannaCry in just the initial 4 days would exceed a billion dollars, looking at the massive downtime caused for large organizations worldwide.
Just as cyber threats are on the rise, cyber-security insurance policies are also growing; pundits predict 5 billion in premiums by 2020.
Are there “Pre-Existing” Cyber Conditions?
A billion dollars just as a result of one cyber-worm can impact insurers significantly. Just like medical insurance: “Insurers underwriting cyber-risk can handle ten losses or a hundred losses, but when there is a major systemic event, that can lead to thousands or tens of thousands of simultaneous claims. At that point there are solvency issues that can threaten the future of an insurer.”
Limiting Network Security Pay-Out Risk in the Fine Print
There are three main questions about what might be considered pre-existing:
- Do you have a known vulnerability because you don’t keep up to date on your network updates and patches? In other words, should an unpatched system be covered under a clause for errors and omissions?
- Have you had repeated security breaches because of known issues that you’ve failed to clean up and prevent from recurring?
- Should employee errors, such as falling for a phishing link in an email or going to a virus-laden website, be covered by cyber insurance?
Read your policy, or the fine print if you are considering a policy, and take your special circumstances into consideration. As an exception, WannaCry exploited a patched Microsoft vulnerability and spread like a worm, as opposed to the 95% of ransomware that spreads through email and social engineering. Cyber insurance normally does not pay out when employee error was the cause of the infection.
Some companies have started sending employees through security training where they get trained/scared straight through frequent simulated phishing attacks. Learning to recognize the signs of a phishing email can protect company infrastructure.
Now is the time to inoculate your employees against ransomware attacks. Contact INC Tech to get a quote for your organization’s network security and find out how affordable this is. If you can’t educate your employees, the bad guys will take advantage of them, because email filters and browser security can’t catch/prevent it all.