Cyber insurance is a relative newcomer to the field of corporate general liability coverage. Because it is a newer product, forms and coverages have not yet been standardized. That lack of standardization can be confusing for organizations that are comparing two or more different cyber insurance packages.
An organization can do an effective comparison by following a six-step process:
- Where are the organization’s exposures to cyber risks?
An insurance carrier should be able to help an organization to identify and monetize these risks. They can include things like credit monitoring costs that will be incurred to alleviate customer concerns, potential fines and penalties from regulators, data loss and business interruption, cyber extortion through ransomware, and legal defense costs and claims.
2. Sort the exposures according to coverage categories.
Applicable categories might include regulatory proceedings, litigation, data recovery, media liability, and network interruption. The carrier can suggest other categories that are applicable to a specific business. Sorting the exposures will give the organization a better opportunity to compare specific costs and expenses among various policies. It will also help the organization to understand whether the identified risks are insurable risks.
3. Estimate costs and potential losses associated with worst-case scenario data breaches.
An organization might not be able to second-guess a hacker’s specific ransomware demand, but it can determine the likely cost of restoring databases and systems that have been frozen by ransomware. It can also place a reasonable estimate on costs for legal services and public relations, and replacement if damaged systems. These numbers will only be estimates, but they key an organization into how much cyber insurance it may need. If costs are too difficult to estimate, the organization can use industry average numbers for losses due to cyber attacks.
4. Read the proposals.
Insurance policies might not be the most exciting reading material, but everything in the policy should be clearly explained in a cyber liability insurance carrier’s proposal. Pay close attention to how and under what circumstances coverage becomes effective, and when insurance reimbursements will be made.
5. Summarize all proposals in a single spreadsheet.
The spreadsheet gives an organization a chance to compare specific components against similar components from all proposals. Again, because cyber insurance policies have not yet been standardized, the organization needs a tool to facilitate comparison of common elements. A spreadsheet is an easy way to accomplish this task.
6. Review the proposals and select the best fit.
The best fit might not be the least expensive or the proposal that covers the largest number of insurable cyber risks. An organization needs to evaluate its risk tolerance and those aspects of its business that would most be harmed, for example, by an unauthorized incursion into a network or a ransomware attack that shuts down operations. The proposal that addresses these concerns will be the best fit.
This selection process is time-consuming, but it will take an organization down a path to selecting the right cyber insurance policy. Organizations that do not have the time or that would prefer not to devote time to this process can instead rely on one of the selection tools that cyber liability insurance carriers have developed to streamline this process. CyberPolicy Inc.’s selection tool, for example, leads prospective insured parties through a process that collects basic information about an organization, including its operations, the type of data it maintains, and its cyber breach history and experience. The tool then uses that information to prepare a customized proposal for the organization. In many cases, this process can be completed in less than 10 minutes.
In any case, the time that an organization dedicates to selecting the right cyber insurance policy will benefit that organization if and when it experiences a data breach. An organization’s failure to insure against cyber attack losses can be catastrophic, and cyber insurance can be the last line of defense to help the organization survive!