Cyber insurance helps ensure business profits in case of data attacks: Here’s what you need to know.
Cyber insurance is business insurance that covers costs associated with data attacks, offered by insurers and via plans with certain vendors. When many companies hear about that, the automatic thought is, “Yes, that is exactly what I need!”
That may be true – but it’s important to note that cyber insurance is not cyber security. It will not actually protect you, and there are strict limits to what it can do. So let’s go over some facts about this type of data insurance that you need to know about.
Coverage Does Vary Based on the Policy
Cyber insurance isn’t as strictly codified as some types of insurance, and its coverage can vary greatly between policies. What one standard policy covers may be very different from what another insurer or vendor offers (we’ll talk more about this later). In other words, you can’t really count on any particular coverage without reading the fine print, so get ready to put on your glasses. Fortunately, like other types of insurance, you can usually attach various riders and clauses to create coverage for the specific events or costs that you are worried about. This will, however, raise the price of the coverage.
Human Error Is Not Covered
Basically, cyber insurance doesn’t really cover people being dumb, and this can cause a whole lot of problems with making claims. For example, let’s say that one of your employees opens a phishing email and downloads some really nasty malware. Will cyber insurance cover that? Quite possibly your claim would be declined because the problem has its roots in a human mistake instead of an attack that your company couldn’t avoid. It’s even more unlikely to find coverage for poor password management or leaving a computer unattended and logged in. Take this as an important reminder that employee education should be a best practice no matter what type of insurance you have or what you want to protect again.
Known Vulnerabilities are Rarely Covered
Here is where matters of liability become tricky. You see, few cyber insurance policies will cover problems that result from known vulnerabilities. That means that if a security policy is known, and the provider or manufacturer announces a patch to fix it, it is on you to download the patch and fix your security. If you do that, coverage shouldn’t be a problem. But of course, a vast number of data attacks happen because businesses have not patched known vulnerabilities (just look at WannaCry) even though patches have been made available.
There may be additional, customizable add-ons for protection even from known vulnerabilities, but it’s going to be a lot more expensive. So, once again, even with cyber insurance, you still need smart security practices and a strict update policy to protect your company. Are you getting the theme here?
Data Restoration May Not Be Covered, Either
Yeah, this one throws a lot of companies off balance: Isn’t cyber insurance supposed to recover data restoration? Isn’t that the point? Well no, it isn’t. “Data restoration” is a complex process that may or may not work, no matter how much money you throw at it. It usually relies on things like proper data backup, which is a company responsibility, not an insurer’s responsibility. It’s not really an area that an insurance policy is well-equipped to deal with. So cyber insurance focuses primarily on interruption costs – on “refunding” you the profit that your company lost while dealing with the data attack. Don’t make the mistake of thinking that all associated costs will be covered.
Third-Party Insurance is Different From First Party
Typical cyber insurance covers the first party – that is, your company. And that’s it. If data is lost, mishandled or attacked while with a partner or third party, your insurance coverage won’t touch it. However, there is a second type of cyber insurance that is specifically designed to protect your data when it is in the hands of third parties. This is particularly useful in sectors like the healthcare industry, which finds itself transferring sensitive data to other organizations regularly.
Cyber insurance or not, it’s pretty obvious you will need a robust data security plan in addition to any coverage you may choose (or be required to have).