Ask the Expert: Importance of Cyber Insurance
December 16, 2019
We recently hosted a cybersecurity seminar that brought together clients from a wide range of industries, along with experts in the field, to discuss ways to protect businesses from cyber incidents. The unfortunate reality is that cyberattacks are no longer a matter of “if” but rather a “when” it happens situation. That’s why we feel it’s necessary to equip our clients with the information and resources they need to be prepared and covered. Here are a few of the burning questions addressed during the seminar:
Is cyber insurance necessary for companies in all industries?
In simple terms, yes. Companies of all sizes and in any industry can fall victim to a cyberattack, especially with the rise of ransomware and phishing events. While healthcare, financial institutions and retail may be more widely recognized as targets, we’re seeing an increase in attacks to organizations across all sectors, such as manufacturing, real estate and construction. Having a cyber insurance policy in place will help protect you when an incident does occur.
Is cyber insurance as important as general liability insurance?
Given the rapidly evolving threat landscape, cyber insurance is just as important as any other insurance policy. While general liability insurance can help protect clients from a host of damages, it may not provide coverage for loss related to a cyber event. Cyber insurance was created specifically to address those exposures. Ensuring protection with a cyber policy is the wise thing to do and is a critical part of a comprehensive risk management program.
What is included in a cyber policy?
Cyber policies are put in place to help fund costs associated with an attack, including first- and third-party expenses. More importantly, they incorporate ancillary services to help the company prepare for and prevent cyber incidents. First-party coverage often consists of costs associated with a breach coach, the forensic investigation, public relations, the notification process based on state laws, credit monitoring or call center management, data restoration, business interruption, extortion and social engineering. Defense and damages from third-party lawsuits should be covered under the third-party expenses. There may be first- and third-party expenses not covered by your cyber policy, or crossover with other insurance policies, so we recommend contacting your insurance broker to understand those specifics.
What steps should be taken to prepare for a cyber event?
A lot can be done to help prepare your company for a cyber incident. First and foremost, obtaining cyber insurance will ensure proper coverage is in place. As mentioned, most cyber policies offer ancillary services to help prepare for and prevent an attack. This can include selecting vendors and securing competitive pricing ahead of an event. Aside from the policy, developing a cyber incident response plan is key. This plan should dovetail with the approved vendors noted in the insured’s cyber policy. The response plan should be updated regularly and must have buy-in from C-suite leaders and department heads. Also essential is training employees on information security. A simple first step would be to educate staff on what to look for in phishing emails or how to protect sensitive data. Finally, often overlooked but equally as important is to assess the cyber maturity level of third-party partners.
What steps should be taken following a cyber event?
The minutes, hours, days and even weeks or months following a cyberattack are hectic, so preparing ahead of time is crucial. Every company should have a cyber incident response plan, which must sync with the insurance policy and contain necessary steps to take when an attack hits. A successful plan will have already identified the team – made up of key stakeholders from IT, management, communications and legal – that is responsible for addressing the incident. Refreshing this document frequently to account for employee turnover and advances in both technology and cyber threats is important. With a team already identified and informed, the immediate steps – at a high level – include:
- Contact breach coach, insurance carrier and broker to report attack and get approval for expenses
- Determine source and contain attack
- Assess damage and severity
- Communicate to internal and external stakeholders
- Roll out recovery efforts
- Test, test and test!
Is cyber security only an IT issue?
A top takeaway from the seminar was that cyber security is no longer just a problem for IT – it must be a company-wide concern. A collaborative approach between C-suite leaders and IT departments is needed to ensure organizations are compliant, protected and well-positioned when a cyber incident occurs. Once security is prioritized at the top, organizations will soon see employees following the lead. In addition, IT teams should be in close communication with those who are responsible for procuring insurance to ensure coverage is in place and claims run smoothly.
The above answers are a compilation of the insights shared by myself and Graham’s cyber practice team, as well as the other experts in the room from Baker Tilly Virchow Krause, LLP, Financial Lines, Chubb, and MorganFranklin Consulting.