Tuesday, 12 January 2016

Have you heard of "Cyber Insurance"?

Cyber Liability Insurance Cover (CLIC), otherwise referred to as cyber insurance, is a market that grew significantly in 2015. One of the main factors contributing to this growth is the constant increase of threats in cyberspace, and more specifically the high-profile data breaches that took place during the past few years. Following these data breaches, companies were taken to court and were forced not only to cover the losses but also to bear the extra costs of the breaches. In most cases, these additional costs included crisis management, legal costs, reputational damage, identity theft resolution, credit and fraud monitoring, and further technical costs.
The potential threat of a breach and its inevitable consequences have established not only a need but also a demand for a cyber insurance market. This has also been highlighted by a cyber survey conducted by RIMS, which showed that 74 percent of companies without cyber insurance will be purchasing it within the next two years. Likewise, total annual premiums for stand-alone cyber insurance are projected to grow to $20 billion by 2025.

Even though cyber liability insurance cover has been around for almost ten years, most security professionals are not familiar with the subject or do not know it even exists. Until recently, many professionals in the information security community used to say that you have either been breached, or you just do not know it yet. This black-and-white view of risk obstructs business continuity, whereas transferring risk is an accepted way of mitigating it.

Until now, cyber insurance has been most successful in countries where the risk transfer option is essential because of breach notification laws. In the UK, the notification of breaches is deemed mandatory by the EU Data Protection Regulation. However, the regulation is expected to be formally adopted by the European Parliament and Council within the next six months, and the new rules are expected to become applicable within the next two years. On the other hand, the US already has mandatory data breach notification requirements in forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands.

Cyber insurance may overlap with cover from existing products an organisation already has in place, such as business continuity plans. Keep in mind that a decent cyber insurance policy will ensure that cyber risks are fully covered and will extend to a broad range of information security related tools, processes and services. Briefly, a cyber insurance policy should include:

  • Data breach and crisis management cover. This may include the expenses of managing the incident, the investigation and computer forensics costs, the remediation phase, legal costs, identity theft resolution, credit and fraud monitoring, court attendance, data subject notification costs and regulatory fines.
  • Extortion and financial losses due to fraud. This may include any losses due to a threat of extortion and/or financial losses due to fraud, including professional fees related to dealing with the extortion.
  • Third-party damages. This may include the cost of theft of data belonging to third parties, intellectual property rights infringement, other damages due to a “denial of access”, and any third-party systems being affected.

At the moment, cyber insurance policies can be found with a $100 million limit. However, large policy holders are expected to be able to obtain maximum limits between $350 million and $400 million. In 2015 there was a spike in the cost of cyber insurance renewals for Point-of-Sale retailers and large health care companies. The talent gap, especially in expertise spanning both insurance underwriting and cyber security, is affecting both the number of cyber insurance carriers in the market and the cost of obtaining a cyber insurance plan. Despite the additional cost in the yearly budget, it is expected that purchasing cyber insurance as a risk mitigation tactic will start becoming a prioritised item on the annual list. The costs of a potential breach have made cyber insurance far more attractive for a large number of businesses.

Even though a cyber insurance plan is capable of mitigating the risk of a data breach, it is most effective when the cyber security of data, products, systems and services is taken equally seriously. Cyber insurance needs to be seen as an enabler for protecting an organisation in case of a data breach, provided the organisation can prove that it took all necessary steps to ensure the cyber security of its infrastructure and acted with due diligence.

-- This is a blog post I created for Sysnet and I am reposting it here for historical purposes. This was originally posted here.
