8 Risks that cybersecurity insurance can manage or mitigate
By Stephen M.W.
Cybersecurity is a critical concern for organizations of all sizes. While the benefits of information technology are apparent, the risks IT comes with are formidable. There’s a growing prevalence of cyberattacks including hacking, phishing, identity theft, ransomware, and DDoS. When these technology risks materialize, they can be disruptive and expensive. One report estimated the cost of cybercrimes could soar to a staggering $6 trillion by 2021.
Cybersecurity risks endanger transportation systems, power grids, and the very survival of businesses large and small. To ensure that these risks are contained, digital assets are protected, and continuity of operations is maintained, companies must develop and implement robust cybersecurity practices. Yet, no organization, no matter how sophisticated its technical and procedural controls are, is immune from attack. While controls are important, businesses do not give as much attention to cybersecurity insurance.
The cost of a data breach is more than replacing lost equipment, repairing databases, reimbursing customers, and strengthening procedures. Compliance with relevant regulations may drive up expenses too, such as by requiring customers to be notified. Cybersecurity insurance will not prevent a cyberattack or completely compensate your business for the financial costs incurred after one. Nevertheless, insurance is necessary for businesses that seek a comprehensive all-round cybersecurity strategy. Let’s take a look at the risks cybersecurity insurance can mitigate.
1. Privacy incidents
A cybersecurity insurance policy can provide protection in the wake of an incident that threatens the privacy of customers and employees. This protection will cover not just the cost of responding to and managing the data breach (such as notifying the affected persons, establishing call centers, forensic investigation, and credit monitoring) but also the third-party liabilities that might arise as a result.
2. Network security liability
Cybersecurity insurance can shield the business from third-party liabilities caused by security events that take place within the enterprise’s network and attacks that leverage the organization’s digital assets. In other words, compromising network security may be part of a broader sophisticated cyberattack on the business itself or simply a means of delivering malware to a third party.
3. Software and data damage
Business applications and data may be corrupted by a system failure or (deliberately or accidentally) deleted by an authorized user or third party. Restoring the software or repairing the data requires time and money. Cybersecurity insurance can compensate the business for the costs of contracting external experts to perform this task.
4. Cybercrime
Cybercrime is the use of an organization’s computers and technology infrastructure to steal money or commit fraud that affects the ownership of securities, property, and other assets. Usually, this would be covered by a business’s comprehensive crime insurance cover, but some enterprises may want this to fall under their standalone cybersecurity insurance policy.
5. Ransomware
Ransomware has taken the world by storm as cybercriminals lock business computers and demand payment from the organization before they can relinquish access. A cybersecurity insurance policy can cover the costs of resolving the incident, including hiring external technical experts and negotiating the ransom. In certain cases, insurance can take care of the payment of the agreed ransom, although this is a sensitive move that may be illegal.
6. Network business interruption
Disaster recovery plans are meant to shield a business from significant disruption to operations. There may however be circumstances where it takes hours, days, or even weeks for the disaster recovery process to kick in and operations to be restored. For a business, such extended disruption can inflict huge losses thanks to lost sales and the cost of restoring normalcy. The insurance cover seeks to compensate the business for these losses.
However, thanks to the expansive and relatively unpredictable nature of the aggregate exposure and costs of a single disruption, some insurers are reluctant to cover this.
7. Physical damage
A cyberattack can cause physical damage to property and equipment. Think about a malware infection that interferes with the power grid or hacking that compromises a data center’s cooling system. It doesn’t help that, with the Internet of Things (IoT) gaining traction, a growing number of ordinary home and office appliances are connected to the web and can be hijacked for nefarious purposes by a third party.
Cybersecurity insurance policies that cover the cost of physical damage following a cyberattack remain relatively rare. This is, however, likely to change thanks in large part to the proliferation of IoT devices.
8. Reputational damage
Reputational damage is often the most long-lasting repercussion of a cybersecurity breach. Its effects can linger long after the incident has been resolved. A diminished reputation would see a growth in customer churn or a decline in business revenue. Companies can cover these costs through a cybersecurity insurance policy. This is on condition that the loss of reputation is directly attributable to the breach event. Difficulty in establishing the link is why this cover is viewed as insurable but with constraints.
Risks that remain difficult to insure
Some cybersecurity risks are difficult to insure against. These include the following:
Industrial espionage and intellectual property theft
Insurers shy away from providing coverage for the direct losses caused by industrial espionage and intellectual property theft. These include losses due to the compromised intellectual property asset or the fall in market share. The losses are not only difficult to prove but quantifying them is extremely complex. However, some cybersecurity insurance policies will cover the cost of pursuing claims from the third parties responsible for or benefiting from the theft of the business’s intellectual property.
Death and injury
We mentioned earlier how some cyberattacks could cause damage to physical property. Other than the threat to inanimate objects, humans could also be hurt or killed in the process. This risk is considered uninsurable under a standalone cybersecurity insurance policy simply because it’s already covered by other liability insurance products. A market for standalone cybersecurity insurance of death and bodily injury caused by a cyberattack may, however, emerge if there’s a greater frequency in the application of cybersecurity-related exclusions to general liability policies.
Cybersecurity insurance as a powerful defense weapon
In the World Economic Forum’s Global Risks Report 2018, cybersecurity was identified as one of the top five risks facing organizations and governments across the world. This was in the wake of massive cyberattacks and data breaches that only seem to intensify in their scale and sophistication with each passing year.
One positive effect of this fast-changing threat landscape is that organizations have not only become more aware of the cybersecurity risks they face but are compelled to explore a broad range of tools to bolster their resilience. Cybersecurity insurance solutions are one such tool. Cybersecurity insurance policies are not uniform. For them to be truly effective, technology executives must tailor them to the organization’s size, sector, culture, and depth of digitalization.