What Is Cyber Insurance? Why Is It Important? Risk Coverages | Fortinet (2024)

Cybersecurity insurance (cyber insurance) is a product that enables businesses to mitigate the risk of cyber crime activity like cyberattacks anddata breaches. It protects organizations from the cost of internet-based threats affecting IT infrastructure, information governance, and information policy, which often are not covered by commercial liability policies and traditional insurance products.

Cyber insurancecoverage works the same way as businesses would purchase insurance against physical risks and natural disasters. It covers the losses an enterprise may suffer as a result of a cyberattack.

Cyber insuranceis increasingly becoming essential for all companies as the risk of cyberattacks against applications, devices, networks, and users grows. That is because the compromise, loss, or theft of data can significantly impact a business, from losing customers to the loss of reputation and revenue.

Enterprises may also be liable for the damage caused by the loss or theft of third-party data. A cyber insurance policy can protect the enterprise against cyber events, including acts of cyber terrorism, and help with the remediation of security incidents.

For example, hackers breachedSony’s PlayStation Network in 2011and exposed the data of 77 million users. The attack also prevented PlayStation Network users from accessing the service for 23 days. Sony incurred costs of over $171 million that could have been covered by cyber insurance. However, it did not have a policy, so it had to shoulder the total costs of the cyber damage.

The cybersecurity insurance process works in a similar way to other forms of insurance. Policies are sold by many suppliers that provide other forms of business insurance, such as errors and omissions insurance, liability insurance, and property insurance.Cyber insurance policies will often include first-party coverage, which means losses that directly impact an enterprise, and third-party coverage, which means losses suffered by other enterprises due to having a business relationship with the affected organization.

A cyber insurance policy helps an organization pay for any financial losses they may incur in the event of a cyberattack or data breach. It also helps them cover any costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and refunds to customers.

Insurance for cybersecurity typically includes first-party coverage of losses incurred through data destruction, hacking, data extortion, and data theft. Policies may also provide coverage for legal expenses and related costs. Although policies may vary by provider and plan, the main areas that cyber insurance covers include:

1. Customer notifications:Enterprises are usually required to notify their customers of a data breach, especially if it involves the loss or theft ofpersonally identifiable information (PII). Cyber insurance often helps businesses cover the cost of this process.
2. Recovering personal identities:Cybersecurity insurance coverage helps organizations restore the personal identities of their affected customers.
3. Data breaches: incidents where personal information is stolen or accessed without proper authorization.
4. Data recovery:A cyber liability insurance policy usually enables businesses to pay for the recovery of any data compromised by an attack.
5. System damage repair:The cost of repairing computer systems damaged by a cyberattack will also be covered by a cyber insurance policy.
6. Ransom demands:Ransomware attacksoften see attackers demand a fee from their victims to unlock or retrieve compromised data. Cyber insurance coverage can help organizations cover the costs of meeting such extortion demands, although some government agencies advise against paying ransoms as doing so only makes these attacks profitable for criminals.
7. Attack remediation:A cyber insurance policy will help an enterprise pay for legal fees incurred through violating various privacy policies or regulations. It will also help them hire security or computer forensic experts who will enable them to remediate the attack or recover compromised data.
8. Liability for losses incurred by business partners with access to business data.

A cybersecurity insurance policy will often exclude issues that were preventable or caused by human error or negligence, such as:

1. Poor security processes:If an attack occurred as a result of an organization having poor configuration management or ineffective security processes in place
2. Prior breaches:Breaches or events that occurred before an organization purchased a policy
3. Human error:Any cyberattack caused by human error by an organization’s employees
4. Insider attacks:The loss or theft of data due to an insider attack, which means an employee was responsible for the incident
5. Preexisting vulnerabilities:If an organization suffers a data breach as a result of failing to address or correct a previously known vulnerability
6. Technology system improvements:Any costs related to improving technology systems, such as hardening applications and networks

Cyber insurance should not be considered in place of effective and robust cyber risk management. All companies need to purchase cyber insurance but should only consider it to mitigate the damage caused by a potential cyberattack. Their cyber insurance policy needs to complement the security processes and technologies they implement as part of their risk management plan.

Cyber insurance suppliers analyze an organization’s cybersecurity posture in the process of issuing a policy. Having a solid security posture enables an enterprise to obtain better coverage. In contrast, a poor security posture makes it more difficult for an insurer to understand their approach, resulting in ineffective insurance purchases.

Furthermore, failing to invest in appropriate or effective cybersecurity solutions can result in enterprises either failing to qualify for cyber insurance or paying more for it.

Pricing cyber risk will typically depend on an enterprise’s revenue and the industry they operate in. To qualify, they will likely need to allow an insurer to carry out a security audit or provide relevant documentation courtesy of an approved assessment tool. The information accrued from an audit will guide the type of insurance policy the provider can offer and the cost of any premiums.

Policies often vary between different providers. Therefore, it is best to review any details carefully to ensure the required protections and provisions are covered by the proposed policy. The policy also needs to provide protection against currently known and emerging cyberthreat vectorsand profiles.

Cyber risk is a significant concern for companies of all sizes and across all industries. Organizations need to take decisive action to strengthen their cyber defenses and manage their cyber risk through the combination of cyber insurance, secure devices, domain expertise, and technology.

1. Step 1—Assess:The first step in reducing cyber risk is to assess cyber readiness with a respected professional services organization. This process includes carrying out a security audit before providing appropriate cyber insurance.
2. Step 2—Implement:The next step is to implement technology that protects the elements an organization intends to take out cyber insurance against. This can include ananti-malware solutionto protect the enterprise against the threat of malicious software.
3. Step 3—Insurance:The first two steps enable an organization to prove they have the necessary processes and technologies in place to qualify for cyber insurance from a provider.