5 Considerations When Purchasing Cyber Insurance

BrandPost By Brad Fuller, Director of Operations
Jun 21, 2017

Cyber insurance is a must. For full coverage, you need to understand your risk posture—and conduct an advanced penetration test.

There are certain basic questions that both current and prospective cyber insurance policyholders ask when purchasing a policy. What terms should be included? What are the important aspects? And of course, why? The answers to these questions are extremely complex, as cyber insurance is still in its infancy. Quantifying the risks of loss associated with those policies is nearly impossible. And understanding the effects of breaches and what needs to be covered isn’t exactly straightforward.

There are simply no easy answers (sometimes no answers at all), but here’s a high-level overview of what you should consider when purchasing a cyber insurance policy.

Ask for retroactive coverage when first signing a contract. It takes an organization an average of 256 days to identify a cyber attack. Some insurers will cover this (often at an additional premium), some will not. One way to lower the risk is to conduct an advanced penetration test. Through those tests, previous breaches or attempts at attacking the network are often identified. This will lower the risk of having to make a claim retroactively.

Make sure to get coverage for claims resulting from vendor errors in addition to your own. The high-profile Target breach in 2013 opened organizations’ eyes to the importance of vendor management. Similarly, if you handle any sensitive data for others, you need to make sure your liability to them is covered.

Make sure to include coverage for any loss of data. That especially includes incidents due to employees or others who could unintentionally contribute to a data breach, exposure or loss. While we often think about cyber breaches as theft from cyber criminals, sometimes the threat is “inside the house.”

Make sure to clearly understand your policy’s coverage. Of course, claims relating to a “cyber-attack” on your physical systems are evident. But what happens when that also leads to an additional physical breach of some sort? We repeatedly find that cybersecurity is no longer just related directly to an organization’s server and PC environment. It crosses into nearly every physical asset of an organization as well. Door locks, security cameras, phone systems, HVAC, and all types of control systems are routinely accessible and exploitable. This adds another level of complexity to cyber insurance policies, as the lines become very blurred when it comes to which insurance product covers the physical aspect of a breach.

Be sure to ask your insurer for a lower rate after an advanced penetration test is conducted and findings have been remediated. Cyber risk is extremely difficult for insurers to quantify, leading to policies that are more customized than non-cyber policies, and therefore could potentially be more costly. So will your insurer give you a break on your cyber policy if you get the advanced penetration test? While the answer is often “no,” we have recently been hearing “yes.” A few insurers are beginning to understand the benefits of this offensive approach to cybersecurity.

Cyber insurance is not a luxury, but rather a must-have in these turbulent times. The trick to getting the right coverage is a full understanding of your risk posture—and an advanced penetration test to keep the costs down.