The Basics – What you need to know about Cyber Insurance
One of the hottest coverage questions we receive is related to cyber insurance. Every day we wake up to news of another major corporation having been breached and all of the personal data stored in its systems having been compromised. We receive questions on a daily basis asking about the coverages for such breaches and whether the policies that insureds currently have are protecting them from these breaches. The truth is that the policies won’t protect you, but they will help relieve some of the costs that would be incurred with such a breach. But you need to work with your risk advisor to make sure you fully understand your coverages and what your cyber policy covers. Cyber insurance is so new that there is not a standard policy form, and each carrier has approached its cyber policies in different ways. With that being said, here are three things you should know about cybercrime and how it impacts your policies.
1. Cyber insurance does not cover the loss of securities (money, stocks, etc.). When we hear about cyber breaches in the news, we always hear about the money that is stolen by hackers and the cost of the breaches. In reality, these need to be viewed as separate scopes. The cost of a breach referred to in the news is the cost of expenses incurred by the company to remediate the breach. These include items such as public relations costs, providing victims with credit protection as required by law, any fines imposed, and defense costs due to civil suits from the breach. These are usually the numbers we see in the news and are not related to money that was stolen by the hackers. When you look at your cyber policy, you should look for these costs to be covered.
When money is stolen due to a cyber breach the coverage for this loss would fall under your crime policy.
2. Cyber breaches aren’t only accomplished by breaching your network and stealing data. There are many ways a breach can occur. I’m including this as you need to know that each policy covers the different types of breaches in different ways. Some breaches may be covered on the base form while others will require an endorsement for coverage. Make sure your advisor explains how each is covered in your policy.
- Ransomware: Wired magazine defines ransomware as malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom. The malware has been developed by attackers to the point that it will now encrypt your data with a pin that only the attacker knows, and your data will not be released until you pay the ransom.
- Social Engineering: As described by TechTarget: “A non-technical method of intrusion attackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Attackers are generally relying on a person’s nature to be helpful.” Examples of this are phishing emails, pretexting (requesting information for verification) or spam.
- Denial of Service (DoS) Attacks: This is a type of attack where the attackers attempt to prevent legitimate users from accessing the service (Techopedia). Essentially, it prevents access to the network by flooding the network with invalid messages and data, which then dramatically slows or disables the network.
- Theft of mobile devices: Most companies never even consider this a threat. But think about it for a second. How easy is it for a phone, tablet or even a laptop to be stolen? Most companies have some security on these devices to keep them from being open. But the one item that seems to get overlooked is flash drives. How many flash drives do you have that are encrypted? Do you know what data your employees are putting on those flash drives? Make sure to work with your risk advisor to ensure that your cyber policy covers the loss of data through these devices. Which brings me to my third point:
3. Each cyber policy is different: Due to ever-changing technology and the nature of the cyber environment, cyber exposures are changing daily. It’s important to find an advisor who is knowledgeable in cyber insurance and has conducted an analysis of the different policies to make sure that you are properly covered for your exposures. You also want someone who is going to stay up to date on the changes in cyber insurance, as you are way too busy to do it yourself. You’ll want an advisor who has spent time to understand your business so that they can match the policy and the coverages that it offers to your business model and the exposures that affect your business. A risk management advisor should help you to mitigate, transfer or eliminate the risk in the best way possible.
There you have it! Three cybercrime basics that you need to be aware of when considering cyber insurance. Obviously this will never replace the advice you can receive from a qualified advisor, but it should get you started so you can start asking the right questions. I hope you find this helpful. Please feel free to reach out if you have any questions.