Although cyber insurance isn’t new (the first policies were created in the 1990s), the ongoing rise in security attacks has made it even more important. Today, many companies require their vendors to have an active cyber insurance policy. Increased demand for cyber insurance plans, as well as an increase in claims, has caused providers to rethink their procedures, making coverage more complicated and expensive for businesses.
Buying cyber insurance is a decision that should be carefully considered. It is critical to clearly understand what cyber insurance covers, what costs are involved, and what requirements you must meet to get covered.
Here’s a cyber insurance policy checklist that you may find useful when determining whether to purchase cyber insurance or not.
Step 1. Determine whether you need cyber insurance.
You must consider purchasing cyber insurance if:
- Your company handles sensitive information ranging from stored contact details to health information, from financial information to personal preferences. The most innocuous information is often very useful for attackers.
- You host a public website that interacts with customers and stores their login data.
- You use a third-party vendor to manage your database, provide an online shopping facility, or supply the goods you sell.
- Your employees use their own devices for remote work. Remember that lost and stolen devices may contain valuable information and provide easy access to your internal IT infrastructure.
- You are a prime target for ransomware because of your industry specifics.
If you ticked any of the boxes above, you need cyber insurance. Keep in mind that standard commercial liability insurance policies do not cover cyber liability.
Step 2. Make your own policy outline.
Prior to deciding on a cyber insurance provider and policy, ask yourself the following questions.
- How much insurance do you need? Consider the average cost of a stolen record containing sensitive or confidential information, which is approximately $158, and multiply that by the number of sensitive records you store.
- What are the specific risks of your business? What is your risk level?
- What additional risks should your policy cover? Consider such risks as unintentional human error or stolen BYOD devices.
- What information must be covered, and where is this information stored?
Step 3. Discuss these important questions with your potential vendors.
- What types of incidents are covered? For instance, does your provider cover unintentional and non-malicious attacks?
- How much do the deductibles cost? Cyber insurance functions similarly to health, vehicle, and house insurance in this regard.
- How long will it take to get covered? Keep in mind that the average time it takes to identify a cyberattack is over 200 days.
- Are your third-party vendors, suppliers and business associates covered?
- Are there any exceptions to the policy?
- Does the policy cover you globally?
- What are your compliance obligations?
Step 4. Increase your chances for a successful claim.
- Before you buy a policy, make sure you’ve read the fine print. Remember that cyber insurance policies are highly negotiable because, as we’ve seen, there is no universal underwriting standard. You can, in fact, create your own policy. Get your own legal counsel and use the FFIEC’s CAT to determine your own vulnerability.
- Check that you have followed any regulations that fall under your purview and, if necessary, conduct regular audits. The most common reason a vendor denies a claim is late notification of a data breach.
- Take steps to reduce the risk of data loss. Maintain up-to-date software and provide regular security awareness training to your employees. Create your own incident response procedures and test your system. You may discover that your policy requires you to upgrade your software on a regular basis rather than just patch it.