In a previous blog, we talked about assessing the need for cyber insurance. If your company has decided to seek coverage for cybercrime, these ten questions will help you through the rigorous process of finding the right policy based on your company’s needs and vulnerabilities.
- What types of cybercrime is your company most vulnerable to?
Determining which types of cybercrime your company is most likely to face will help you evaluate risk and avoid paying for coverage you don't need. Fraud, data breaches, extortion and network intrusion are common considerations for coverage.
- What specific expenses are covered?
Knowing the types of crime you're most vulnerable to is just the beginning. Next, think about which consequences of those crimes would be most expensive for you. Public relations work to manage your reputation? The cost of notifying customers? Regulatory fines? Business interruption? Investigations? Identify the categories of cost that matter most to you and confirm that each one is explicitly covered.
- What are the circumstances in which these costs would not be covered?
Many policies have exclusions that describe situations in which coverage does not apply. Acts of terrorism, for instance, are often excluded; make sure the policy defines "act of terrorism" and that the definition does not sweep in the kinds of attacks your company is most at risk from. Other exclusions involve negligence on the part of the company or its employees in maintaining security tools and upholding security standards: a policy may, for example, refuse to cover a breach of data that was stored unencrypted. Review these exclusions carefully, and check that your actual security practices satisfy the conditions the policy imposes.
- What specific events trigger coverage?
A trigger is insurance lingo for the event that initiates coverage. Most policies are triggered only once a specific type of claim is filed. Some policies, however, are triggered by the loss itself: from the moment you experience a data breach and loss of data, you are covered. Not having to wait for a claim to be filed and accepted before coverage kicks in is ideal, but expensive.
- Is coverage retroactive?
Many policies carry a retroactive date and will not pay for losses from incidents that began before it. That means if you've already lost thousands of dollars to a denial of service attack before reporting it to your insurance company, those losses may not be covered. Negotiate an appropriate retroactive date with your provider; this matters especially when coverage is triggered only once a claim is made, since the claim will always come some time after the incident itself.
- Does the policy take into account third-party providers your company uses?
Most companies rely on at least one third-party provider to store or manage data or to run business operations. If your company suffers a data breach or other cybercrime because a provider was targeted, the provider is normally responsible for compensating you. In some cases, though, the provider may not have the means to pay, and may even go out of business. Some cyber insurance policies cover third-party breaches. If this is a concern for your company, make sure such language appears in the policy's "acts and omissions of third parties" section.
- Does coverage depend on location, and to what extent?
Many cyber insurance policies restrict the geographic area of coverage; many cover U.S. territory only, and some limit coverage to incidents that occur on the company's premises. Consider how often employees travel outside the country and what information they access while abroad, and how often they work outside the office. These days almost everyone works remotely on portable devices at some point.
- Does the policy include credit and identity theft monitoring?
Company leadership are frequent targets of identity theft and the fraud that follows it. Check whether monitoring is included in your policy and exactly who is covered by it.
- Is there coverage for corporations and organizations, or just "persons"?
Many policies define "covered persons" but not entities. The party harmed by a security incident, however, is not always an individual; it may be another company or organization. This is especially relevant for B2B companies. If you are responsible for another organization's data, be sure your policy includes language covering entities.
- What crimes are potentially not covered?
Once you're further along in the shopping process and have narrowed the field to two or three policies, consider not only which crimes each policy covers but which it potentially does not. Discuss these gaps with your cybersecurity team to ensure you've made the best decision.
Remember, because it is still a new industry, cyber insurance is risky for both the insurer and the insured. It’s important to work with a broker and outside counsel who have experience in cybersecurity and cyber insurance. Involve your cybersecurity team in the decision process.
Having trouble getting the board on board with cybersecurity efforts? Read this blog post.
Sources:
http://www.riskandinsurance.com/analyzing-cyber-risk-coverage/
http://www.bankinfosecurity.com/10-concerns-when-buying-cyber-insurance-a-4859