With the world fast linking itself with the internet and India undergoing rapid digitization, a new domain of challenges has surfaced i.e. Cyber Security. Data theft and manipulation of people through its analysis, as in case of Cambridge Analytica or Hackers holding business and websites to Ransom or Data Mining or infecting your computer hardware and software with Virus by the hackers, are the few examples of where cyber security is needed.

Everyone today seems to have a Facebook profile or Twitter profile or Instagram profile or other social media profiles which contain your private data, this data needs to be protected. So, most companies and business firms employ IT experts to do the encryption and firewalling of their servers.

However, every code can be broken, which is why most of these companies employ ethical hackers to find out flaws in their codes and rectify them. Now, if a company’s website/data is hacked and you are a client of that firm, your data also becomes vulnerable, including your financial transactions, your legal data etc. and therefore affecting you as well.

Which is why, all sizeable and standard business organizations who have internet operations for transactions or use cloud computing are natural customers for this policy.

What does cyber insurance cover?

Though it is for the IT department or associated IT firm to help protect the Company’s data, what insurance does, is, cover the company’s financial risks after the data breach. With its roots in errors and omissions (E&O) insurance, cyber insurance began catching on in 2005, with the total value of premiums forecasted to reach $7.5 billion by 2020. According to PwC, about one-third of U.S. companies currently purchase some type of cyber insurance.

The numbers above indicate that companies now are seeing value in cyber insurance, which covers the claims by first party as well as third party claims along with PR losses incurred.

The Cyber Insurance is fairly new in the field and therefore, there still is no standard underwriting for its policies, however it covers the following:

·      Investigations: A forensic examination would be needed to ascertain the cause & source. Program changes would need to be made to repair and avoid similar future breach. The firm might need to coordinate with 3rd party security firms and the law enforcement.

·      Business Losses:  A cyber insurance policy may include similar items that are covered by an errors & omissions policy (errors due to negligence and other reasons), as well as monetary losses experienced by network downtime, business interruption, data loss recovery and costs involved in managing a crisis, which may involve repairing reputation damage.

·      Privacy & Notifications: It requires data breach notifications to be sent to customers and all 3rd parties affected. This is mandated in many jurisdictions. It also mandates credit monitoring of customers whose data may have been breached.

·      Lawsuits & Extortions: This includes legal expenses associated with the release of confidential information & IPR, legal expenses & regulatory fines. This may also include the costs of cyber extortion, such as from ransomware.

One should keep in mind that the industry is still in a nascent stage and still evolving just as the threats are still evolving. The organizations breached often tend to hide the full impact to avoid negative publicity and breach of trust with the clients rendering the underwriters with limited data to determine the impact and nature of attacks.

I am a buyer, what should I look for in this policy?

Along with the four aforesaid criteria’s, one should also look for the following:

·       How many types of cyber insurance policies does the company offer or is the coverage simply an extension to an existing policy? In most cases, a stand-alone policy is best and more comprehensive. Also find out if the policy is customizable to an organization.

·       What are the deductibles? Be sure to compare deductibles closely among insurers, just like you do with health, vehicle and facility policies.

·       How does coverage and limits apply to both first and third parties? For example, does the policy cover third-party service providers? On that note, find out if your service providers have cyber insurance and how it affects your agreement.

·       Does the policy cover any attack to which an organization falls victim or only targeted attacks against that organization in particular?

·       Does the policy cover non-malicious actions taken by an employee? This is part of the E&O coverage that applies to cyber insurance as well.

·       Does the policy cover social engineering as well as network attacks? Social engineering plays a role in all kinds of attacks, including phishing, spear phishing and advanced persistent threats (APTs).

·       Because APTs take place over time, which can be months to years, does the policy include time frames within which coverage applies?

*Use a checklist to compare different insurers.

What do the companies look for??

They would want you to have assessed your vulnerabilities to cyber-attacks and follow best practices by employing defense and controls as much as possible, employee awareness to phishing and social engineering along with regular threat assessments (Ethical hackers can be employed).

As cyber insurance coverage becomes more standardized, an insurer might request an audit of an organization's processes and governance as a condition of coverage. And don't be surprised if an insurer agrees to provide coverage but at a level below (sometimes far below) what you feel you need. If so, keep interviewing insurers to find the best deal.

Who should buy cyber insurance?

If you maintain/collect online payments or use cloud computing, you should definitely consider Cyber Insurance.

Small or big, all businesses should consider cyber insurance. A data shows, 30% of the phishing attacks had companies with less than 250 employees as their victim and that small businesses constituted 43% of the victims.

The global cost of cybercrime is around $375bn-$575bn and $3mn on average for individual large firms if affected by it. Are you ready to bear that kind of burnt? If not, you are a customer for this policy.

The General liability insurance covers only property damage while a cyber-insurance covers both 1st party and 3rd party losses. Case in study will be Soni versus Zurich American insurance company, 2011, Play-station Hacker Breach, which cost Soni roughly $171m.

Regarding costs, cyber insurance coverage and premiums are based on an organization's industry, type of services provided, data risks and exposures, security posture, policies and annual gross revenue. As examples only, premiums may range from $800 to $1,200 for consultants, tax preparers and small organizations with revenues of $100,000 to $500,000, to $10,000 to over $100,000 for those with revenues in the millions.

Getting started

A good first step is to create a cyber-risk profile for your company, and to create a list of expenses you want to have covered in the event of an incident. Then, you can determine an estimate for third-party costs. Many insurers provide an insurance calculator on their websites to help organizations create a list of coverage and estimate costs. Then, you can begin researching cyber insurance providers. Trade associations in your industry might have some information to share as well as the Chamber of Commerce.