by John Bandler
Cyber insurance is an important area of consideration when evaluating cybersecurity and organization risk management.
Cybersecurity is about risk management, planning, and decisions
First let's lay some groundwork about what cybersecurity is. Cybersecurity is about people making decisions about how to protect the organization from cybercrime, about protecting data and systems. Cybersecurity requires planning and risk management, and this requires prioritizing and making good decisions. We can never eliminate all risks; we have to realize the many threats and harms we face, and then work to manage them efficiently.
We manage risks in three main ways:
- Mitigate and reduce risks (e.g., improve our cybersecurity to reduce the risk of a cybercrime occurring)
- Accept risks (e.g., an event is unlikely to occur in the first place, or if it occurs we will just deal with it)
- Transfer risks (e.g., we will transfer some of the risks to a third party).
Organizations can seek to transfer risks to a third party through contractual clauses (e.g., indemnification, limitation of liability, hold-harmless clauses, etc.) and through obtaining insurance. An insurance policy is a contract in which the insurer promises to pay certain financial costs if specified events occur, and other conditions are met. We now see that evaluation of cyber insurance is one component of a comprehensive cybersecurity program.
Risk management includes evaluating insurance
Clearly, we need insurance in many areas of life. The question is which areas, how much, and which coverage is right for us. Insurance means that if certain events occur, the insurance company will pay the costs.
Health insurance is essential because health care is extremely expensive. Sooner or later, every one of us will need expensive medical care, and we hope to have good health insurance that covers it. Some of us may be faced with medical conditions or accidents that require extremely expensive medical care. Without insurance, we may not be able to afford that necessary medical care, or we could be bankrupted by the bills.
Auto insurance is essential and a legal requirement in almost every state. Laws requiring auto insurance were passed because automobile collisions can cause devastating injuries, and the insurance helps ensure that victims of negligent drivers on the roads obtain compensation, and that medical costs are covered.
Cyber insurance is an increasing requirement. Some organizations require that suppliers of goods or services obtain cyber insurance policies -- they include this as a contractual provision.
According to some insurers and brokers, every organization needs cyber insurance. (I would not go so far).
Everywhere, providers seek to sell insurance. Some insurance is necessary, some is not. A supplemental warranty plan is a type of insurance. When buying a new TV or appliance, or as a new car ages and the new car warranty expires, consumers may be solicited to buy the insurance or warranty. Some companies sell identity theft protection plans, which purportedly will cover certain identity theft losses. Of course, not every insurance policy or warranty plan is as comprehensive as promised. Making claims can be difficult and contract terms (the "fine print") may limit their value.
Insurance is a contract
Remember, insurance is a contract. That contract has terms about what claims will be paid if certain events occur, and those terms also mean that certain claims will not be paid.
The policy (contract) is issued based upon certain representations, and if those representations were not accurate, the contract may be difficult to enforce. Consider:
- An automobile insurance policy is issued based upon the car being garaged in location A, driven by driver B, about 2,000 miles per year. After an accident, it is revealed that the car was garaged in another state, driven by a different driver for commercial purposes about 50,000 miles per year. The insurer could disclaim coverage.
- A cyber insurance policy is issued based on the organization holding 100 items of personal information, having a comprehensive cybersecurity program, and employing multifactor authentication. After a data breach, it is revealed that the company held 10,000 items of personal information, they did not have any substantive cybersecurity program, and they did not employ multifactor authentication. The insurer might not cover the losses.
As with any contract, one must consider what the terms of the policy are, and decide accordingly.
Finding the right cyber insurance
Here are some general tips to find the right cyber insurance for the organization:
- Find good organizations and good people that broker, issue, and underwrite the insurance. Good organizations and people usually give helpful and accurate advice, have good products, and will stand by them.
- Provide accurate information to the broker and insurer about your organization.
  - These applications can be dozens of pages and need to be prepared carefully and reviewed.
- Read the terms and policy.
  - What does it cover?
  - What does it exclude (not cover)?
  - I have seen cyber insurance policies that specifically exclude coverage if the insured violated a data protection law. This raises the possibility that there will be no coverage provided whatsoever if the insurer (or a regulator) claims such a violation occurred.
  - The devil is in the details. And there are a lot of devils (details) within these voluminous policy documents (contracts). Some approach 100 pages.
- Evaluate your risks and needs and how the policy fits in.
Realize that your main goal is always to prevent the incident, so as never to have to file a claim in the first place. But insurance is there to protect in case those terrible events happen. So do the proper diligence and get the policy appropriate for your situation and risk tolerances.
What should come first: a cybersecurity program, or cyber insurance?
To me the proper chronology is clear. First an organization needs to build a cybersecurity program, then they can consider cyber insurance.
But in life, sometimes the motivating chronology is different. Sometimes an organization receives an external requirement to obtain cyber insurance, they consult about obtaining this insurance, and then the insurance provider inquires about their cybersecurity program. They realize they now need to build one.
Whatever the motivating chronology, the organization does need a proper cybersecurity program in order to properly complete an application for cyber insurance, and to obtain an insurance policy that properly covers them.
Every now and then an organization realizes their cybersecurity insurance applications were not as precise as they could have been, or their cybersecurity program is not as developed as it could be. This is the time to build and improve cybersecurity, to prevent an incident and before a claim event occurs.
We have cyber insurance, so we can rest easy, right?
Of course not. Having cyber insurance does not mean we can now ignore cybersecurity and related risks. Cyber insurance only protects us from the financial costs of certain events, and there are many other costs which cyber insurance cannot touch. Besides, good cybersecurity (and accurate representations in your application) is often a prerequisite to having a cyber insurance policy that will pay a claim. Good cybersecurity is also a part of good organization management.
Thus, even with cyber insurance, we must continually evaluate and address cyber risks. We know this thanks to the more traditional areas of our lives. Many of us have health insurance, and almost everyone who owns a car has automobile insurance. Even with this safety net, we know the many costs, inconveniences, and stresses that come with a health issue or automobile accident. None of us would ever say:
- "I have good health coverage, let me see what happens if I throw myself down these stairs."
- "I have great automobile insurance, let me try to drive blindfolded, under the influence of alcohol, or into this hurricane."
In practice most people take reasonable steps to maintain their health and drive safely, even though they have insurance.
Similarly, organizations should take many reasonable steps to ensure they create and maintain a comprehensive cybersecurity program.
Evaluating cyber insurance is an important area for many organizations. This article helps provide a framework to analyze and then make good decisions. As a best practice, the comprehensive cybersecurity program should come first, then evaluation of cyber insurance. As a common practice, application for cyber insurance requires the company to think about and ultimately implement that cybersecurity program.
This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help evaluating cyber insurance, to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations, please contact me.
This article is hosted at https://johnbandler.com/cyber-insurance. Copyright John Bandler, all rights reserved.
Originally Posted 4/3/2022. Updated 1/10/2023.