Have You Considered Cyber Insurance in Your Cyber Risk Management Program?
September 30, 2016
The increasing frequency and cost of cyber-attacks have sparked a high demand for cyber insurance.
“There are only two types of companies: those that have been hacked and those that will be.”
- Robert S. Mueller III, Former FBI Director
Every business, regardless of size, is subject to various cyber security risks. In 2014, U.S. businesses suffered 43 million known security incidents, a 48% increase over 2013, which equates to roughly 117,000 attacks daily! As a result, the market for cyber liability insurance is expected to grow dramatically over time as businesses become aware that their current policies do not adequately cover cyber risks. Lloyd's of London estimates that the cyber insurance market more than doubled to $2.5 billion in 2014 from less than $1 billion in 2012. Some have estimated that the market will grow to approximately $10 billion by the year 2020.
Cyber Liability Policies
Most standard commercial policies do not cover cyber risks (identity theft, business interruption due to a network being shut down, disclosure of sensitive information, etc.). To cover these risks, businesses should acquire a special cyber liability policy.
Unfortunately, the Catch-22 is that insurance underwriters may have difficulty quantifying risks because of the limited historical and actuarial data available. This typically results in a more customized policy that will often incorporate a qualitative component consisting of an assessment of an organization’s risk management procedures.
Types of Cyber Insurance
There are generally two types of cybersecurity coverage available today: (1) First Party Coverage and (2) Third Party Coverage.
First Party Coverage
First Party Coverage typically relates to the insured and encompasses costs directly related to the event. These costs could include:
- Forensic investigation of the security breach
- Legal costs relative to determining an organization’s notification and regulatory obligations
- Notification costs associated with the breach (think of the letters you have received from credit card companies, hospitals, and retailers after they have incurred a security event)
- Credit monitoring for customers
- Public relations expenses; and
- Lost profits and extra expenses incurred during the time that network systems were down.
Generally, costs to upgrade systems to prevent future breaches or enhance security are NOT covered.
Third Party Coverage
Third Party Coverage typically relates to interested or impacted parties of the insured (customers, banks, regulators, etc.) and may include:
- Legal Defense
- Settlement Payments
- Damages and judgments
- Liability for costs incurred by third parties (for example, liability to banks for having to re-issue credit cards); and
- Regulatory fines and penalties.
Is Cyber Insurance Right for Me and My Organization?
The answer depends on a number of factors specific to your business and industry. Industries that maintain significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies, face a greater risk of data theft that could result in significant reputational and financial damage. Cyber insurance may be one way to mitigate some of the impact of a breach.
However, regardless of whether you purchase cyber insurance, you should perform a Cyber Security Risk Assessment to evaluate your organization’s vulnerabilities and address them accordingly. Remember that the most significant cost of a breach is often the reputational harm you will incur, which is not typically covered by cyber insurance.