Cybersecurity insurance

An organization might need cybersecurity insurance if it:

• Uses computers and mobile devices
• Accepts credit cards and other electronic payments
• Records any confidential, medical, or customer data information
• Uses cloud-based accounting and financial reporting systems

What cybersecurity insurance policies cover

Policyholders can recover certain costs stemming from a targeted or an accidental attack, so it’s important for organizations to revisit their insurance coverage annually in order to verify that policies and coverage meet the ongoing needs of the organization. If shopping for a new policy, decision-makers will want to carefully examine all options and understand any exclusions.

It’s also important to identify items generally included – and not included – in cybersecurity insurance policies. This chart helps break down those categories:

Exhibit 1: Cybersecurity insurance: What’s typically covered?

Cybersecurity insurance coverage considerations

The size and complexity of an organization generally determine the costs and coverage options associated with a cybersecurity insurance policy. Most organizations can locate policies that allow them to tailor coverage to fit their budgets and their exact needs. A generic policy can range from as little as $500 per year to $100,000 or more. Coverage areas that can affect the cost of cybersecurity insurance include:

• Coverage limitations. Does the policy provide adequate coverage for costs associated with a data breach? Actual costs related to breach response might far exceed coverage limitations. Organizations should review their policies to confirm coverage limits and any sublimits related to triage services, forensics investigators, and ransom payments.
• Deductibles. What deductibles are attached to the policy? Cybersecurity insurance policies might include a retention in which coverage is provided only above the retention amount. Organizations should understand the policy’s retention and any applicable deductibles that might limit the recoverable amount.
• Waiting periods. Is a waiting period applied to coverage and appropriate for the size of the organization? A waiting period is the amount of time insured organizations must wait immediately following a breach before some or all of their coverage is triggered. The length of time defined by the waiting period is important as most losses are incurred in the hours and days immediately following an attack. Organizations should negotiate with their broker or carrier to limit the number of hours or days included in the waiting period.
• Regulatory requirements. Does the policy provide coverage for fines and penalties imposed by the European Union’s General Data Protection Regulation? Certain cybersecurity insurance policies may cover the costs to improve technology, internal controls, or security systems in order to meet changing regulatory requirements. Organizations should identify their regulatory risks internally and understand the increased policy costs related to adding such add-on coverages.

Cybersecurity insurance in action

What could different features of an insurance policy look like when applied to real-life cybersecurity events? Consider these two scenarios of what can go wrong and how organizations could be covered:

Exhibit 2: Cybersecurity events and insurance coverage scenarios

Anticipating cybersecurity insurance needs

More and more, cybersecurity insurance is an integral part of most organizations’ security strategies and annual budgets. Organizations that take proactive steps and secure cybersecurity insurance policies that are specific to their unique needs before an attack occurs can help mitigate financial and reputational damage.