Cyber crime insurance is still an emerging field of insurance. With many providers still coming to terms with the risks and costs involved, it is important to do your due diligence to ensure their policies will meet your needs.
To help you choose a cyber insurance provider, here are six details to consider before you sign up:
1. Capacity
Check how much you can claim on your cyber insurance cover. Weigh up how much you can afford to pay against the risk and potential damages of a breach. Failing to do so can have serious consequences in the event of a cyber security incident.
Target, for example, had $100 million in cyber insurance cover. That seems like a lot. However, factor in that 40 million customers had their details hacked and that the average cost per piece of data lost or stolen is $148, and it’s clear that $100 million won’t cut it. The cost could be closer to $5 billion—and that’s a conservative estimate.
2. Targeted to industry
Are there unique cyber security risks prevalent in your industry? When assessing potential cyber crime insurance providers, look at whether or not they can underwrite your policy so it is specific to your industry. The technology industry is not the same as the health or retail sectors—each has different risks and data they want to keep secure.
For example, in the health industry, you may be concerned about data security and potential breaches that could compromise patient information. A government agency, by contrast, may want to ensure its systems are not compromised or rendered unusable by ransomware or malware, as happened to the Inland Revenue after a crypto-locking attack.
3. Territories
Not all providers cover territories outside New Zealand. This is particularly important if your business has offices and/or customers beyond the New Zealand territories. You cannot assume that one cyber insurance policy will cover all countries you operate in—even if your head office is based in New Zealand.
4. Exclusions
Before signing a policy, always check what exclusions are listed by the insurance provider.
“As technology risks continue to evolve, many carriers are starting to pull back on the types of industries and risks they will cover,” says Christine Marciano, president of Cyber Data Risk Managers.
Common exclusions include:
- Bodily Injury / Property Damage
- War and Terrorism
- Telecommunications services
- Racketeering
- Fraudulent, dishonest and wilful acts
- Fines / Penalties
- Insured v Insured
- Insolvency
- Physical Damage
- Business activities and intellectual property
- Discriminatory damages
- US data breaches
- Prior knowledge
- Merchant losses
“Most policies are nowhere near inclusive of all costs associated with breaches,” says Wendi Rafferty, vice president of services at CrowdStrike, “but they can certainly offset the cost of the response and first-party monetary loss for breach victims.”
5. Claims process
Check what events will trigger a claim. Does it have to be a deliberate attack from outside the business, or will you be covered if your staff are taken in by a malware email? While a targeted hack may seem by far the more serious of the two threats, both can have disastrous consequences.
6. Time frame
Security breaches can go undiscovered for months, sometimes years. Does your policy provider have limitations regarding the amount of time that can pass between incident and discovery? If so, it’s wise to take this into consideration.
Beware the cookie-cutter policies
Blanket policies are common, but the reality is that they can provide a false sense of security. If they are not tailored to your business and industry, you could be leaving yourself exposed.