Cyber Insurance: The what, why and how
Michael Kirby II | Head of Managed Risk and Security Services, FIS
Paul Campbell | Sr. Director, Risk, FIS
October 03, 2022
What is cyber insurance?
Cyber liability insurance, cyber risk insurance, cybersecurity insurance and cyber insurance are all names for the same kind of insurance policy, one designed to help businesses recover in the event of a data breach. Cyber insurance is a hot topic right now, and for good reason. Adoption rates and insurance premiums have skyrocketed in the last 18 months, in part because the sheer volume of ransomware events and the widespread media coverage that followed have brought them to the forefront.
Cyber insurance can be compared to the now prolific and often mandatory adoption of brick-and-mortar property coverage, and it has become a key to long-term resilience for companies of all sizes in today’s digital age. Similar to how property insurance is a requisite to ensure that your business continues to operate in the event of a physical disaster, cyber insurance provides businesses an additional layer of protection and peace of mind in the event of a negative cyber event such as a ransomware attack.
In today’s world, no matter what kind of business it is, every company is a data company. At its core, what drives a business is data: how it is used, who accesses it and how it is combined with key processes to drive and operate the business. Securing that data, and having a path to recovery following a cyber event with the help of cyber insurance coverage, has become more critical than ever.
Who needs cyber insurance?
It may sound cliché, but every type of business can benefit from cyber insurance coverage. Every company has exposure to cyber threats, but not everybody understands them. Cyber criminals are professionals now, with malware development and data breach hacking emerging as highly organized criminal enterprises. Ransomware as a Service (RaaS) has grown exponentially in recent history, further cementing the need for recourse in the event of an attack. And while large enterprise businesses typically have mechanisms in place to protect themselves, smaller businesses may not.
What does cyber insurance cover?
Simply put, cyber insurance mitigates the damage caused by a data breach or cyber-attack. While it is often viewed as something new and different, it is really nothing more than a key insurance coverage that you need to protect your organization in today's digitized world.
Cyber insurance is not a replacement for cybersecurity defense – it does not directly protect businesses against cyber threats or data breaches on the front-end. Rather, cyber insurance is predominantly focused on recovery in the event of a cyber-attack or negative data event. It is important to note that cyber insurance coverage often carries exclusions/exceptions, which highlights why businesses need to be aware of all the terms and conditions attached when picking a cyber insurance policy (more on this below).
What to look for as a cyber insurance buyer
Four in five mid-size organizations have cyber insurance today. However, many businesses, especially smaller ones, still don't currently have a cyber insurance policy. And those that are covered often have trouble managing claims in the event of an attack.
There are many different factors and players involved in a cyber insurance claim, from PR teams and forensic auditors, to breach coaches and negotiators. If a business has a cyber insurance policy in place, it should feel confident in reaching out to the broker or insurance company so that their cybersecurity professionals can provide guidance and help handle the situation.
Many organizations do not fully understand the nuanced exclusions/exceptions to their coverage – and there are always exclusions with every policy. Insurance providers may include endorsements to policies that effectively limit or eliminate certain coverages within their policies. There are also several procedures that policyholders must follow in terms of claim notification, loss mitigation and more. And if a business does not understand how, or even whether, to submit a claim, it runs the real risk of the insurance provider not paying anything out.
As a business in the market for cyber insurance, you want to understand the insurance company that you're buying from.
- What is their level of expertise within cyber insurance?
- What is their track record?
- How long have they been in the market?
- Is their business model built to last?
For example, if you buy a policy from a provider that then decides to exit the cyber insurance market the following year, you will be left high and dry without a cyber insurance provider. Another aspect to understand is what services you get access to with the policy: experts such as breach coaches and forensic auditors, and teams with cybersecurity expertise that you can contact if you suspect you are being targeted by a cyber-criminal or fear that there has been a potential breach.
More questions to consider when performing your cyber insurance due diligence:
- Is this organization reputable and do they have real cyber expertise to back them up?
- Do their insurance agents have the cyber-specific knowledge needed to fully evaluate the policy and explain the pros and cons to you?
- Are they selling multiple types of insurance without a focus on cybersecurity?
Understanding what you have access to and knowing that the decisions you make could impact the claim is critical. This includes using the teams that are assigned to a specific policy or insurance provider. Policyholders typically cannot use services that aren’t approved by the insurance provider unless those services are pre-approved at the time of policy purchase. There are most likely pre-approved lists of forensic experts tied to each insurance provider that buy-side businesses must be aware of when deciding on a policy. Retainers are no longer as valuable as they once were because of this fact.
And although cyber insurance is focused on recovery and claim payment in the event of an attack, there is also an important element of prevention. Cyber insurance should be purchased as a preventive action to gain additional peace of mind. It is the job of cybersecurity experts to monitor for, provide countermeasures against and improve an organization’s response to any type of cyber-criminal looking to attack the business. Cyber insurance coverage is designed to help the business recover in case a threat slips by those defenses and a data breach occurs.
Small and medium businesses may fall into the trap of working with a “jack of all trades” insurance agent as opposed to a cyber insurance broker who is, by definition, an expert in the field. At FIS®, our Managed Risk Services (MRS) team ensures that businesses of all sizes are given the benefit of an expert who can help and advise them. You have access to leading experts, competitive pricing and the complete power of FIS Grade Security, in turn leading to lower cyber insurance premiums.
What do insurance companies look for when deciding coverage?
Cyber insurance firms will ask very in-depth, probing questions as they determine what level of coverage a business can be offered and what kind of risk that business and its digital assets carry for the provider. Coming back to the analogy of property insurance and physical security versus cybersecurity, a business’ first line of cybersecurity defense is like a lock on the door. But that’s not enough protection in today’s modern age. An additional layer would be like a closed-circuit camera around the building. Better, but again, not foolproof. These insurance providers will likely be very specific in their line of questioning and will want you to prove that your data is secure.
Insurance providers are going to key in on what kind of cybersecurity platform or vendor a business uses to protect its digital assets. Cyber insurance premiums are assessed based on the policyholder’s risk level, and a company’s risk level would be significantly reduced, for example, if it was working with FIS’ Managed Risk and Security Services and deploying FIS Managed XDR. FIS Managed XDR provides exceptional, recognized protection against cyberattacks. All our tools and services undergo regular regulatory scrutiny, and our comprehensive cyber insurance add-on provides additional protection in the event of a cyberattack.
Cyber insurance providers have the expertise to help mitigate the effects of cyber-related breaches or losses. A breach has downstream effects, affecting not only you as a business, but also the other businesses that you interact with and any other connected stakeholders. The fact that data can be transmitted or transferred across so many different entities makes the claim process very complex and potentially very expensive. The true goal is to never reach a place where the business’ data is accessed or infiltrated.
Whatever the size of your business, there can be no doubt that cyber criminals continue to grow as a tribe, mounting more concerted and serious attacks.
“Hackers aren't looking to pick a lock – they're looking for open doors where they can do the most damage with the least effort,” says Paul Campbell, FIS Sr. Director, Risk.
“Cyber insurance is not something to be ignored for a later date or considered a nice to have. It has become a critical business need for all organizations.”