January 26, 2022
Following cybersecurity best practices can help reduce the chances of a cyberattack. But there is no 100% guarantee your business won't be targeted by a cyberattack, even with the most stringent safeguards in place. The most effective protection for mitigating harm in the event a cyberattack does transpire is to carry cybersecurity insurance, which is also sometimes called cyber liability insurance.
Cybersecurity insurance is designed to protect your business against financial losses that may result from cyber incidents such as data breaches and theft, hacking, ransomware and denial of service attacks.
Here are four things to be aware of before integrating cybersecurity insurance into your risk management program.
Insurance coverage is not an alternative to a cybersecurity program
You wouldn't drive a car recklessly simply because you have auto insurance. Similarly, securing a cybersecurity policy doesn’t mean you can forgo measures to prevent a security breach. You must still protect your business data and systems.
You must fulfill all requirements of the insurance policy
In the event of a breach or other security event, you are obligated to meet your policy’s prerequisites before your loss will be covered through your cybersecurity insurance. Insurers usually first check whether the organization was negligent when the data breach occurred, as negligence is unlikely to be covered. Make sure you understand and are prepared to meet all conditions required by your policy.
Potential risks to your firm and the extent they could be covered
The first step in evaluating cybersecurity insurance, that is, in determining whether a policy has the right inclusions for your company's needs, is assessing the potential risks to your organization and your ability to address them.
In a recent publication on cybersecurity, the U.S. Chamber of Commerce recommends first understanding and managing the risk factors of technology within your organization when evaluating insurance products and services.
Businesses increasingly depend on smart devices and other technology connected to the internet, which creates multiple potential entry points for a cyberattack. Assessing such risks is imperative to determining your organization’s particular insurance needs.
Understanding your organization’s cybersecurity risks, as well as your ability to manage them, will allow you to evaluate policy options and premium value and decide how much risk to assume — and how much to transfer to the insurer. You should also consider regulatory obligations with which your organization must comply if you fail to prevent a security breach.
Events that are covered by your insurance
Take the time to understand all the inclusions and exclusions in your cybersecurity policy. Consider the impact they could have on your business’s ability to manage risk.
Cyberattacks not only cause damage to a business; they also often affect the organization’s customers and clients. So, when deciding on an insurance provider, you must ensure that the policy provides coverage for both first- and third-party claimants.
First-party coverage includes losses to the affected organization, while third-party liability coverage addresses legal actions taken by customers or partners. Third-party liability insurance is necessary for organizations that possess third-party data or that are responsible for developing, installing or managing the systems that secure third-party data, such as cloud software providers.
Cybercriminals often prey upon a company’s employees by using links, videos or pictures shared via emails or social media with the intent of tricking them into sharing data. Also, with the majority of employees working from home due to the pandemic, there has been a rise in phishing scams that target less-secure workstations with malware or ransomware. Make sure your insurance policy covers all such incidents.
Like most insurance policies, your cyber liability policy will have a time frame during which coverage is in effect, beginning on what is known as the retroactive date. Losses resulting from incidents that occurred before the retroactive date are not included in the policy. The retroactive date is of particular importance to cyber insurance policies, as it may take months or sometimes years to identify a cybersecurity breach.
Ask your policy provider these important questions:
A business insurance professional who specializes in cyber liability insurance can assess your company’s risk and recommend an appropriate policy and level of coverage. They can help ensure that your systems are secure against data breaches, impersonation, system security failure and forgery by implementing the best cybersecurity practices while also insuring your business.
Every entrepreneur should ask their cyber insurance professional these key questions:
• Will coverage apply if the event was caused by nonmalicious employee activity?
• Given that some cyberthreats take time to discover, will the policy include time frames during which coverage is in effect?
• Does coverage include both first and third parties?
• Does the policy cover incidents resulting from war, terrorism or insurrection?