Cyber insurance is one of the most cost-effective risk management solutions for any organization, but all too often management teams never purchase coverage or fail to use it effectively when a cyber incident is suspected.
For smaller companies with, for example, 100 employees, cyber insurance (also known as Network Security and Privacy Liability) can be quite affordable given the appetite in the insurance market to serve small to mid-size entities. Considering the potentially extraordinary expense associated with a cyber incident, many policies can be a relative bargain for the amount of comprehensive coverage they deliver.
Not only do cyber policies pay the legal settlements and – in some cases – the regulatory penalties associated with cyber events, they also provide services to assist in the evaluation, response and recovery from cyber incidents. In fact, most policies will cover the cost of a breach response team and recommend vendors including IT and forensic specialists, crisis communicators, and legal experts who can greatly facilitate compliance with the regulatory and notification requirements. Beyond that, insurance policies can cover ransomware/extortion, digital asset recreation, and any resultant business interruption related to the cyber incident.
Importantly, this team of cyber first responders is pre-vetted and can be activated in less than 24 hours. If an organization had to negotiate separate agreements with each one, it could take weeks. Negotiating when your business is facing a catastrophic event is never conducive to securing favorable terms.
In our work with private and publicly traded organizations, we help business leaders understand the value of cyber insurance, the many ancillary benefits, and how to overcome the institutional fear of using it in a crisis. In this perspective, we outline best practices in executing a cyber response strategy, including the essential role that cyber insurance plays in comprehensive cyber risk management.
Why You Need Cyber Insurance
Most everyone is aware of the growing risk of cyber threats, but the magnitude and frequency of the attacks are greater than many realize.
An attack can be caused by a number of different breach situations. A breach could involve the sending of confidential information to the wrong email address, or having paper files in the trunk of a car that is broken into, or towed. Malware, ransomware, phishing, financial fraud and social engineering are all increasingly common. Scams involving point-of-sale hardware and software and other credit and debit transactions have resulted in outright fraud and/or the disclosure of confidential information of hundreds of millions of consumers.
The attacks are also increasingly sophisticated. For example, the obvious errors and hackneyed language common in bogus emails and invoices have been replaced with communications that look highly authentic.
According to The Global Risks Report 2019 published by the World Economic Forum in conjunction with Marsh McLennan and Zurich Insurance, cyber risk is growing each day:
• In 2016, 357 million new malware variants were released and “banking trojans” designed to steal account login details could be purchased for as little as $500.
• The cost of cybercrime to businesses over the next five years is expected to be $8 trillion.
Emerging and mid-tier firms are favorite targets of cyber criminals. That’s because they are perceived as easier prey than larger companies, which have become much more sophisticated after the headline-grabbing incidents of the past five years.
Despite the proliferating risk, one in five organizations does not currently have or plan to purchase cyber insurance, according to the 2017 Marsh-Microsoft Global Cyber Risk Perception Survey of 1,300 businesses.
Using Cyber Insurance
Cyber insurance is a must for businesses today, but equally important is knowing when to use it. Unfortunately, many management teams are reluctant to officially declare that a breach has occurred for a variety of reasons.
First, some mistakenly believe that keeping an incident quiet is better than alarming customers and notifying regulators. Second, they fear that filing a claim might ratchet up the cost of coverage or lead to the cancelation of the policy. Third, many companies miss the fact that the cyber policy is triggered when the cyber event occurs and it is crucial to engage the policy’s breach response team right away.
One of the key benefits of buying cyber insurance is implementing, beforehand, the processes and procedures to reduce cyber risk and identify when a cybersecurity event has occurred. We regularly educate management teams about the need to move swiftly to report a security event and resist the natural tendency to lie low and wait it out. Step one is to call the policy’s 24/7 cyber hotline or your broker for guidance. If your system has been seized and you are awaiting a ransom demand to unlock it, you may be unable to email, search for contacts, etc. Whether to negotiate or pay the ransom should be discussed with and approved by the insurer, as they may be able to unlock the system quickly.
If a firm suspects a breach but doesn’t take decisive action immediately, the organization could face even greater legal liability, reputational damage and regulatory penalties. Or, a small breach could spread undetected to other systems and cause widespread havoc for months or years. The effects can be residual, too. Publicly traded companies are especially vulnerable to not just a breach but a subsequent claim from shareholders that they have damaged corporate value by mishandling the breach response.
Now is an opportune time for businesses to purchase cyber insurance. Many insurers are offering coverage at discounted rates to win the larger business relationship – property casualty, E&O, workers comp. Cyber coverage can be broad and cost-effective and thus is an essential part of a larger risk management strategy.
Putting security processes, incident response plans, and insurance coverage in place before an incident occurs is one of the most prudent decisions an organization can make.
With offices across California, Marsh & McLennan Agency is a full-service business insurance and employee benefits brokerage. MMA can put together a comprehensive risk assessment for your organization and has access to leading providers of cyber insurance.
Kevin Mirsky is a Principal in Marsh & McLennan Agency’s Business Insurance Division in San Francisco, specializing in global insurance programs, directors and officers, product liability, professional liability and cyber insurance.
Mike Grant is a Principal and Director of Marsh & McLennan Agency’s Technology Practice Group, based in MMA’s Orange County office. He specializes in risk management programs for technology and life science businesses, especially in the area of cyber and data liability.