In May, a piece of ransomware known as WannaCry paralyzed businesses, government entities and Great Britain’s National Health Service in one of the largest global cyberattacks to date.
The following month, it was Petya, another massive cyberattack that crisscrossed the globe, bringing Russian oil companies, Ukrainian banks and a mass of multinational corporations to their collective knees.
As the frequency of cyberattacks reach epidemic proportion, cyber liability insurance has evolved in kind. Yet many businesses still lack adequate protection.
Without the right cyber liability policy, one breach can put an otherwise stable company out of business. By taking the time to understand the threats, how to prepare, and what to look for in a cyber liability policy, you can ensure that your business has the coverage it needs to survive a breach.
The many faces of cybercrime
The problem is complex, with nation-state hackers, hacktivists, nuisance actors and cybercriminals all attacking companies in different ways and for different reasons. Although attacks vary, the type that most cyber liability insurance policies are designed to cover is cybercrime. Criminal actors penetrate company networks and monetize their access to that network or the data they steal while there.
In some cases, the criminals access and sell company data, like payment card or W-2 information, on an underground criminal marketplace called The Dark Web. In others, like a ransomware attack, criminals encrypt proprietary data and demand an extortion payment, often in untraceable currency and often with only days or hours for a company to respond.
An emerging type of ransomware attack, dubbed doxware, also encrypts company data, but instead of threatening to delete it, criminals threaten to post sensitive files on the internet for all to see. Like any business, these organize criminal enterprises are adapting their methods in a changing world.
Whether attackers demand a ransom payment or monetize a business’ intellectual property, these costs are often just the beginning for a victim company.
Post breach, companies have to engage a digital forensics and incident response (DFIR) company to understand the scope of the breach and get attackers off the network. Depending on the data that was stolen, such as W-2 data or client data, by law victims have to be notified and supplied with free credit monitoring services. More often than not, companies also have to engage outside legal counsel that specializes in data breaches, as well as a PR firm to mitigate reputational damage.
These direct, first-party costs typically run between $300,000 and $400,000. Worse yet, just when company leaders think the worst is over, they may be hit with a class-action lawsuit brought by breach victims or assessed regulatory fines and fees, all of which insurance brokers dub third-party costs.
Even if the company has the financial means to cover the losses, the time it takes to track down all the required post-breach resources can take so much focus away from daily operations that it, like the attack itself, can bring business as usual to a standstill.
That's where cyber liability insurance comes in. It is not just a means of protecting against financial loss, but it is a conduit to services to restore companies.
The right policy not only relieves companies of the cost burdens resulting from an attack, but provides a direct link to outside services needed for resolution. The key is making sure you have the right coverage and the right carrier.
What to look for in a cyber liability insurance policy
As cybercrime has expanded its reach, the marketplace for cyber insurance has gotten much broader.
Several years ago, there were only a few dozen carriers writing cyber liability insurance. Today, there are about 130. However, because it is not a standardized market, there is a great deal of variance between policies in terms of coverage, price and after-event support.
For example, some carriers have a 24-7 breach response team in place. These carriers have already contracted with the forensic providers, credit monitoring companies and specialized legal practices. So if your business gets hit, you call the waiting breach response team to start the remediation process. However, this level of service varies greatly by carrier.
Pricing is equally varied due to a lack of actuarial data and rapidly evolving breaches. Unlike auto policies with predictable and comparable pricing between carriers, cyber liability quotes can vary by tens of thousands of dollars.
It’s also critical to look beyond the overall coverage amount to each per-incident line item. Some carriers have sublimits, capping individual line items at a specific dollar amount. So for example, a $3 million policy could have a $100,000 cap on notifications and credit monitoring. If you seek out carriers that provide full limits and understand your industry and exposures, you’re not going to get caught with unexpected out-of-pocket costs.
Making sure your company is prepared
The reality is, there isn’t a business or an industry that is immune from cybercrime. So, take the time to educate yourself on the topic. Understand your business assets and where you may be vulnerable to a breach. Talk to your insurance broker about the different carriers that write this class of insurance, what they offer and their resources if a breach occurs.
The simple act of filling out a carrier’s cyber insurance application will help you see security gaps in your organization. A page full of “no” and “I don’t know” answers will help you pinpoint areas of weakness in your systems or processes.
Although most companies have disaster recovery plans in place, very few have a cyber incident response plan. Take the time to document a formalized process that details what to do if a breach occurs, including the internal team and outside resources involved, as well as contact information. Your insurance broker should be able to help in this process.
If a company is forced to react to a breach without ever having considered their plan, the remediation will undoubtedly be clumsy, take longer and be far more expensive. Countless organizations have been caught on their heels and never recovered at all.
None of us can prevent cyberattacks from occurring. But you can make sure that your company has assessed and hardened your infrastructure, considered your response and the protection you need to survive a breach and stay in business.
A little education, a solid plan and the right cyber liability insurance can make all the difference.