The threat of loss of an entire company from a cyberattack is real. Technology and user education help, but not enough.
Cyberattacks are damaging businesses all over the world, and some are going as far as to shut down in their wakes, leaving employees without jobs. On TechRepublic’s sister site ZDNet, contributor Catalin Cimpanu wrote about an Arkansas company that shut down because of a ransomware attack just before Christmas 2020. He provides additional examples of companies that failed to recover from serious data breaches and shut down forever.
“Over the past two years, there have been many cases where smaller companies decided to shut down for good, lacking the funds to pay a ransom demand to get their data back or lacking the funds needed to rebuild their IT infrastructure,” Cimpanu wrote.
You can sense the frustration of business owners and those responsible for securing the digital infrastructure of businesses. They cannot forgo an internet presence, yet it’s highly likely that a serious cyberattack would cripple the company beyond all hope of recovery.
Can cyberinsurance help?
Unless you are extremely optimistic that a fool-proof preventive solution will be found before your organization gets attacked, cyberinsurance might be something to consider. But that will likely require a shift in thinking. Some may consider getting cyberinsurance akin to giving up. Others may have had a bad experience in which cyberinsurance was of little or no help.
“In its early days, cyberinsurance coverage was offered through either expensive, highly manuscripted policy forms or cheap, sublimited endorsements to other policies,” said Dan Burke, senior vice president at Woodruff Sawyer and Company, in his article Cyber 101: Understand the Basics of Cyber Liability Insurance. “Today the cyberinsurance market has advanced from a very niche risk transfer tool to a critical requirement for enterprise risk management.”
But it’s important to be realistic: cyberinsurance covers the costs of a cyber breach; it does not prevent the attack itself.
What to look for in cyberinsurance coverage
Companies, no matter what size, must contend with cyber risk. Burke said cyberinsurance should include the following components.
- Network security: Cyberinsurance must cover security failures of the organization’s network, including data breaches, malware infections, cyber-extortion demands, ransomware, or business email compromise.
- Privacy liability: Liability resulting from a cyber incident or privacy-law violation must be considered. “Third-party costs can arise, for example, from liabilities required in a contractual obligation, all the way to regulatory investigations by governments and law enforcement,” he said.
- Business interruption: This component is often overlooked: Could the organization still function without digital technology? Business-interruption coverage provides a safety net if the answer is no. “When your network or the network of a provider that you rely on to operate goes down due to an incident, you can recover lost profits, fixed expenses, and extra costs incurred during the time business was impacted,” he said.
- Errors and omissions: This insurance covers claims related to improper performance of services. “This can include technology services, like software and consulting, or more traditional professional services like lawyers, doctors, architects, and engineers,” he said. Errors and omissions insurance should also cover ensuing legal defense costs or indemnification resulting from a lawsuit or dispute with affected customers.
With cyberinsurance, one size does not fit all
Burke said most cyberinsurance policies contain a combination of the above coverage elements; however, he cautions that one size does not fit all. Cyberinsurance needs to be more nuanced. Here are areas where additional coverage is suggested by Burke.
- Social engineering: This coverage can be found on crime-insurance policies, and at higher coverage and monetary limits than on cyber-specific insurance policies. “It’s important to work with your broker to understand how cyber and crime insurance policies can work together on social-engineering coverage to the organization’s benefit,” he said.
- Reputational harm: Brand reputation is important, and news—especially bad news—travels fast in the digital age. There is coverage to help limit the profit impact from a loss in reputation.
- Bricking: There are cyberattacks that render equipment useless or introduce doubt as to whether all malware code has been eliminated. Replacing that equipment can get expensive at a very inopportune time.
What cyberinsurance usually does not cover
Cyberinsurance policies generally do not cover:
- potential future lost profits;
- loss of value due to theft of your intellectual property; and
- betterment: the cost to improve internal technology systems, including any software or security upgrades made after a cyber event.
A realist, Burke also warned about what he calls “Silent Cyber,” where traditional insurance coverage is silent on whether the policy will cover some or all of the damages incurred from a cyberattack.
Other things to look for in cyberinsurance
Burke offered additional suggestions as to what to look for when shopping for cyberinsurance.
- Ensure the company being considered is up to date on current threats and is willing to build policies that take that into account.
- Seek an insurer willing to explain every aspect of the policy in understandable language.
- Insist on a personalized approach, with account managers ready to help when they are needed.
Learn more about cyberinsurance
For additional information about cyberinsurance, read these TechRepublic articles: Top 5 things to know about cyberinsurance, Cybersecurity insurance: Read the fine print, and The FTC’s cyberinsurance tips: A must-read for small business owners.