Cyber threats are increasing in volume across all industries. As a result, more and more businesses are investing in cybersecurity insurance to protect against potential cyber attacks. The cyber threat landscape is constantly changing, with new threats surfacing regularly. For example, recent zero-day vulnerabilities in Fortinet and Microsoft Exchange caught many security teams off guard, with both requiring rapid response and causing public relations headaches. 

• Cyber losses cost the global economy upwards of $1.5 trillion each year.

• Coalition’s 2022 Cyber Claims Report report reveals a sizable increase in claims, with frequency rising by 31%. 

• Cyber insurance policies can provide up to $15 million in financial, tangible, and intangible damage protection.

Cyber threats can often be difficult or impossible to predict. Systems and devices that appear in perfect health and working order may contain hidden threats and vulnerabilities that can pop up at any time without notice. In some cases, network security threats may lay dormant for months or even years before they’re discovered — giving cybercriminals ample time to steal sensitive data or conduct other nefarious operations. Making the decision to move forward with cyber insurance is the first step in protecting your organization from cybercrime. But cyber insurance coverage is complex with many factors to consider. This can make it difficult to pick the right coverage for your organization’s unique needs. Keep reading to learn more about the essential areas of cyber insurance coverage, including a comprehensive cyber liability insurance checklist designed to help your business start moving in the right direction.

As you begin your search for the perfect cyber insurance policy, you’ll no doubt want to consider things like pricing and how big your deductible will be. But even more importantly, you need to understand what your cyber insurance covers and ensure the plan you select protects your business against the most common attacks.  The easiest way to do that is to use a cyber insurance checklist to make sure you ultimately end up with a plan that meets your organization’s unique requirements.  To help get started, here’s a 5-step checklist for assessing your organization’s cyber insurance coverage needs.

1. Determine your business’ level of risk

While threat actors can target businesses big and small across all industries, certain organizations are more likely to be attacked than others. For example, a business that processes and stores customer credit card information and other sensitive data probably has a higher chance of being hacked than an individual running a local dog-walking business where most customers pay in cash. Before you begin shopping for insurance, the first thing you need to do is assess your organization’s level of risk.

• Do you store and process sensitive data that’s governed under PCI, HIPAA, GDPR, or other personally identifiable information (PII)? 

• Do you transmit that data to any third parties or store it in third-party repositories? If so, what risks do those platforms pose to your business?

Additionally, study your infrastructure and networks to determine what security mechanisms are already in place. If you are using a managed service provider to oversee cybersecurity responsibilities, find out whether they have any coverage that protects you in the event they’re hacked.  Lastly, gauge your team’s cybersecurity prowess. If you have a number of employees who aren’t the most technologically adept individuals, your level of risk is likely higher.

2. Know the cyber risks your insurance needs to cover

In today’s evolving cyber landscape, bad actors continue to use new methods to infiltrate networks and launch cyber attacks.  Let’s explore these different types of cyber incidents and the types of coverage you would need for your business. Your organization needs to make sure your cyber insurance policy protects you against the most common types of cyber attacks, including:

• Phishing

• Ransomware

• Funds transfer fraud, and 

• Business email compromise

As you determine which cyber insurance policy is the best fit for your business needs, you should also look for coverages that includes breach response and business interruption. That way, you’ll get your systems up and running as quickly as possible and you’ll be covered in the event you’re forced to incur extended downtime.  Additionally, you may want to consider a policy that covers data restoration costs and services that help protect your organization from reputational harm. After a breach occurs, it can be expensive to regain access to data, and you may have to launch a public relations campaign to restore your reputation.

3. Learn the difference between First vs. Third Party Coverage

Before you pick a cyber insurance policy, you first need to know about the two types of cyber insurance you can purchase — first-party coverage and third-party coverage — each of which covers different occurrences.  

First-party coverage

First-party cyber insurance policies cover direct out-of-pocket expenses resulting from a cyber attack. For example, such policies may pay to replace any computer systems rendered inoperable from malware or social engineering attacks. They may also cover costs associated with reputation repair, crisis management, PR, and digital asset restoration. 

Third-party coverage

Third-party liability coverage protects your business from liabilities that result from cyber incidents that affect third parties. For example, a SaaS product you use to store sensitive customer data may be hacked, and you may have some exposure to liability. Other examples include bodily injury and property damage, technology errors and omissions, network and information security liability, regulatory defense and penalties, and PCI fines and assessments. Unfortunately, all insurance policies don’t offer the same level of support or assistance. While many executives and small business owners assume that cyber insurance policies automatically cover things like business interruptions, funds transfer fraud (FTF), and cyber extortion, most actually don’t. As a result, companies are often left out to dry when incidents occur.  With all this in mind, it’s critical to partner with a provider that offers broad cyber insurance coverage across a range of areas and be cognizant of any exclusions. Don’t assume that a blanket policy will cover all expenses; otherwise, you might end up having to pay for certain items out of pocket after an attack.

4. Estimate the potential impact of not having cyber insurance

How much cyber insurance coverage does your business need and how much will it cost? These questions are no doubt difficult to answer. Imagine your organization was hit with a ransomware attack. 

• How much money would you have to pay to bring all of your systems back online and launch an appropriate public relations campaign? 

• Would you be able to pay the ransom out quickly?

  • If not, how long would it take you to secure the funds? 

• How much revenue would you lose if your business was forced to close for an extended period of time?

• What would happen if you were attacked, sensitive customer data was stolen, and those customers turned around and sued you?

  • Do you have the funds to cover the legal fees and potential settlements?

When it boils down to it, few businesses have the in-house resources needed to quickly and thoroughly resolve a cyber incident. Whatever your policy ends up costing you, the expense will pale in comparison to how much you’d have to spend to bring everything back online without any coverage.

5. Think about your cybersecurity and tech stack plan

As you begin thinking about cyber insurance, you should also evaluate your existing cybersecurity procedures and your tech stack to identify any weaknesses and take immediate steps to remediate them.  The easiest way to do this is by conducting a cyber risk assessment, which will give you the information you need to ensure you’re better prepared for a potential cyber attack. Once the assessment is complete, you’ll have a better understanding of how bad actors might be able to infiltrate your network and can prioritize any patches or upgrades needed to resolve those vulnerabilities. At the same time, you’ll also be able to identify and decommission any unnecessary systems, saving resources and giving bad actors fewer targets to exploit.  After conducting an assessment and taking action to fix any areas of concern, your organization’s security health will be in great shape, enabling you to reduce potential claims by proactively keeping bad actors out of your systems.

Businesses often rush into cyber insurance policies without fully understanding the details and implications. As a result, it’s common for teams to make mistakes when managing policies and filing claims. In this section, we’ll examine common mistakes companies make when managing cyber insurance and how to avoid them.

Failing to understand the policy

Insurance claims can be very complex and full of legal jargon. For many busy businesses, it can be tempting to breeze through the fine print and trust that an insurance provider has their best interests in mind. When shopping policies, many people fail to account for their insurance retention. In a cyber insurance claim, a retention — or self-insured retention (SIR) — is the amount of loss the policyholder must incur before insurance coverage takes effect. In other words, the insured is responsible for covering or paying for all losses, damages, and expenses up to the retention amount, after which the insurer begins making payments. Companies must take the time to go through their cyber insurance policies and understand the exact terms and conditions they’re agreeing to. It’s also a good idea to involve legal teams and scour the contract for hidden line items that could potentially cause problems.

Third-party errors

Many cyber insurance policies do not extend coverage to third-party providers. If your business depends on third-party vendors for things like cloud services and email, you could be liable for cybersecurity issues that stem from those products.  To avoid this issue, make sure your coverage extends to all hosted applications and computer systems. Otherwise, your company may be responsible for a breach that impacts customer data.

Not having enough coverage

Another common cyber insurance mistake is not having enough coverage. For example, a business may sign up for $1 million in coverage but then get hit with a ransom demand of $5 million or more. Always be realistic when setting up a policy and consult with your security and financial teams to predict what future cybersecurity expenses might look like. Simulating cyber attacks and forecasting potential damages can help ensure your business buys adequate coverage. 

Avoiding claims to keep premiums low 

In some cases, business leaders avoid filing cybersecurity insurance claims out of fear that submitting them will increase their premiums.  As it turns out, filing a cyber insurance claim won’t always impact a policy premium. Attempting to go it alone when remediating a cybersecurity issue can also make it harder to recover funds while preventing the business from fully eradicating the threat — potentially leading to future issues. As such, you should always report a cybersecurity incident when it's necessary.

Cyber incidents can happen out of nowhere and escalate quickly, creating a stressful and dangerous situation for your business. When every second counts, there isn’t time to think or plan. To accelerate your response, follow this checklist to prepare your team and make sure you’re ready to spring to action and file a claim the next time a cybersecurity incident happens. 

1. Align your organization around cyber

Time is of the essence when cyber attacks happen. Waiting 24 or 48 hours to file a claim can lead to permanent data loss and extensive damage to business systems or products. In some cases, your business may also face legal consequences for waiting too long to take action.  Proper training and education can help align your team and prepare them with the steps they need to take during a cybersecurity incident. Fast action can mean the difference between a small road bump and a severe business disruption.

2. Understand where your data lives

Your organization should always maintain proper data hygiene. Knowing where your data lives and who has access to it can save time and help ensure a speedy and thorough investigation. Your cyber insurance provider will determine if there’s sufficient reason to complete a forensic investigation. At the direction of counsel, a third-party vendor may need to complete forensic work and remediation where needed. You may need to supply evidence such as email login data, password changes, and new account information — which are necessary for telling a story and uncovering specific actions. It’s also possible that the cyber insurance provider will need to scan communications, such as malicious email headers or suspicious links.

3. Inventory your hardware and devices

It’s also possible that your business will need to provide access to hardware and devices — including company-owned smartphones, laptops, and servers — during an investigation. Automating hardware and device inventory will help ensure your business can provide all necessary items during a cybersecurity investigation. Companies that can’t produce certain items may be held accountable in the event of a data breach or security violation. 

4. Use identity access management 

More often than not, internal employees are responsible for security incidents. However, companies often have a hard time determining responsible parties because they lack visibility into their own employees’ activities.  Consider using an identity access management (IAM) service to monitor employee identities and gain better visibility into their digital activities. For example, an IAM tool will be able to track things like suspicious logins and attempts to lift or delete data. These types of insights can go a long way toward determining whether a security incident stems from a malicious insider or someone outside of the organization.