The scale and sophistication of cyberattacks are growing each year. These cyberattacks range from debilitating DDoS attacks powered by massive botnets, to ransomware groups extracting multi-million dollar payoffs from the world’s largest corporations. These risks have only been compounded by new realities such as the acceleration toward remote work as a result of the COVID-19 pandemic.
Cybercrime is projected to cost the global economy a staggering $6 trillion in damages in 2021, before climbing to $10.5 trillion by 2025. Your organization’s capacity to survive and bounce back from a cyberattack may depend on having a reliable, adequate cyber insurance policy that reduces your costs and recovery times.
Cyber insurance is an increasingly essential policy, but policies are not created equal, and you need to be certain that the coverage you get is the one you need. Asking the right cybersecurity insurance questions is crucial. Here is what you need to find out.
1. Have you been the victim of a cyberattack before?
If your organization has been the target of a cyberattack in the past, you already understand the potential impact it can have on your systems, data, budget, and reputation. Past attacks are important in the context of cyber insurance for two other reasons.
First, it should inform whether you go for first-party protection, third-party coverage, or both. First-party protection covers direct losses you experience following a breach. Third-party protection mitigates the costs of claims from customers and partners. If you have been the target of at least one attack in the past, it means some bad actors out there already have you in their crosshairs. Consider getting both first-party and third-party coverage.
Second, past data breaches may mean paying more on your premiums than you otherwise would have. That is especially true if your cyber defenses have been breached multiple times — and few or no attempts were subsequently made to close the security gaps.
2. Are you already covered?
This might seem an odd inclusion in cybersecurity insurance questions if you are already in the market for coverage. But you need to find out if your cyber risks are already covered by existing insurance policies. These include property or business interruption insurance.
These policies may provide some coverage for cybersecurity-related losses, especially if they are older policies. More recent policies may exclude certain types of cybersecurity-related incidents. Exclusionary policies are gaining traction as insurance companies seek to separate cyber insurance from other business insurance policies.
3. What defenses and controls do you already have in place?
Gather information on your technical, procedural, and staff cybersecurity controls so you can share these with the insurance provider. Identify the digital assets that require the highest protection and the kind of scenarios you would want to prevent.
You might get a discount on the policy if you can demonstrate that you have implemented best practice cybersecurity defenses.
4. Does the insurance provider understand industry risks?
Insurance companies have a long history of analyzing and responding to loan defaults, disruptive riots, natural disasters, and a wide range of traditional risks and threats. However, cyber risks remain a relatively recent phenomenon and are continuously evolving. A sizable number of insurers do not fully understand the enterprise risks posed by malware, phishing, and social engineering.
Ask whether the insurance company understands the security and privacy requirements set out by general or industry regulations such as GDPR, CCPA, and HIPAA.
5. What does the policy cover?
Most cybersecurity policies will reimburse you for network security, restoring data, restoring operations, contracting a forensics vendor, and hiring legal counsel. Knowing what the policy does not cover is just as important as knowing what is included.
Find out the exclusions to the policy. Does the policy cover root cause investigation, breach notifications for stolen credit card numbers, credit monitoring, public relations and communications, and regulatory fines? Do not wait until your operation has been crippled by a ransomware attack, only to discover that the policy will not cover ransomware payments.
6. What is the cost?
You have a finite budget for your cybersecurity insurance premiums, so cost will always be an important factor. As usual, you get what you pay for. However, that doesn’t mean that the policy with the highest premiums is always the best for you.
It's important to make sure when you compare any two policies that you are comparing apples to apples. That unusually inexpensive coverage may have exclusions that leave your organization exposed in the event of an attack.
7. Is the coverage adequate?
Critical infrastructure providers such as utility companies, banks, technology firms, healthcare providers, manufacturers — along with local, state, and federal governments — are the primary targets of cyberattacks. They therefore require more cyber insurance coverage than the average organization. Often these entities must satisfy specific regulatory and industry requirements, which makes the repercussions of a cyberattack greater.
So your cybersecurity insurance questions must include how much coverage you will need. Quantify the risk. Certain types of organizations, especially those heavily dependent on customer data or in heavily regulated industries (such as banks), have often already done this.
Other sectors, like manufacturing, are typically less mature in their cybersecurity risk analysis. They are more likely to be underinsured for their cybersecurity liability.
8. Who will assess the policy?
Enterprise insurance policies often contain jargon that may be difficult for an untrained eye to interpret. This is further compounded with cyber insurance, since you now also have to contend with technical terms.
It is important that, before you sign on the dotted line, you have someone with the requisite expertise review the policy. It's even better to have a team of stakeholders review it, such as legal counsel, IT, HR, and others. If you don’t have this expertise within your organization, you may have to contract a cybersecurity consultant to help.
Before you ask cybersecurity insurance questions, do your homework
Ideally, you should ask all these questions in a meeting or call with the company representative. Find out if they write cyber insurance policies for companies in your industry, or industries that are similar to yours. But first, do your own background research. Sometimes you'll find this information is already on the insurance company website, the policy product sheet, or the policy form itself.