Many businesses now routinely make substantial investments in information technology, data aggregation, and online activities, yet they often fail to protect the value of that investment. An important tool that can be used effectively to maximize the value of those investments is cyber-insurance.
Cyber-insurance is business insurance that specifically protects companies from common cybersecurity threats that can have devastating commercial consequences. Those threats include computer hacking attacks, online defamation, web site shutdowns, electronic transaction failures, computer and communications network failures, digital fraud, and loss or theft of data. Cyber-insurance is available from a wide range of insurance providers.
Businesses should take the following actions when considering cyber-insurance options:
The scope and economic value of your company's online and other digital activities should be assessed. The range and significance of the cybersecurity threats facing your business should be evaluated. The potential economic cost to the organization of cybersecurity problems should be estimated. This type of assessment of risk is often required as part of the application process for cyber-insurance.
The current status and effectiveness of your company's computer and online security policies, practices, and procedures should be thoroughly evaluated. Your organization's computer and online security history should be assessed. The historical and current performance of your company's cybersecurity policies and programs should be compared with best practices for your industry and for peer organizations. Insurers generally require discussion of an organization's cybersecurity policies, practices, and procedures, along with its cybersecurity history (including prior cybersecurity incidents), as part of the application process.
Insurers also frequently require disclosure of the organization's practices and procedures associated with pre-employment screening of employees, management of temporary employees and consultants, and termination of employees as part of the application process. Policies and practices governing confidential and other proprietary materials are also commonly reviewed by insurers.
Insurance for cyber activities can be handled through a variety of methods. In some instances, addition of riders to current policies can be sufficient. In other cases, it may be more appropriate to consider a separate policy addressing cyber coverage.
Cyber-insurance is commonly offered in two forms. One is often characterized as first-party coverage and the other, third-party coverage. In general, first-party coverage covers costs incurred by the insured party associated with cyber-threats, such as costs of investigating or remedying data security breaches. Third-party coverage addresses costs of liability to third parties (e.g., litigation costs and damage awards) arising from cyber activities.
It is important to recognize that insurers frequently require that applications for cyber coverage be certified by the business's CEO or other appropriate member of the senior management team. Inaccurate information provided in insurance applications can result in termination of the insurance coverage.
For maximum effectiveness, cyber-insurance must be coordinated and integrated with current and anticipated computer and online security policies, practices, and procedures. This integration often includes periodic audits of the effectiveness of policies, practices, and procedures affecting cybersecurity.
Cyber-insurance offers a useful and important method for managing cybersecurity threats. All organizations that rely on data and electronic operations should give careful consideration to insurance options available to them.