What is Cyber Insurance?
In episode 1 of Achilleion Live: Cyber Insurance with Mike Volk, Achilleion CEO Amir Tarighat sat down with cyber insurance expert Mike Volk to lay out what cyber insurance consists of today.
To start, Mike reminds us that cyber insurance differs depending on what type of business you have. “If your primary services are technology, your policy is going to be a little bit different than if you’re a more traditional type of business. So for the majority of businesses out there that are buying a cyber insurance policy, whether you’re a construction company, or a restaurant, or an accounting firm, the type of policy that you’re going to buy is going to be what’s considered a standalone cyber insurance policy.”
Mike calls to our attention the 5 critical areas in a cyber insurance policy that he ensures are covered whenever he’s looking a policy over:
- Cyber Liability Coverages
Well, let’s say a business is holding data and fails to protect it. Or for instance, the company fails to protect its network, spreads a virus to somebody else, and is sued. This first part of the policy, cyber liability coverages, will cover that business’s liability.
This includes defense expenses and damages, for example if the business is pulled into a lawsuit and needs lawyers to defend it. It also includes regulatory expenses, for instance if the company violates a law, which is a third-party risk/liability. Third-party liability is designed to cover cases where somebody comes after the business, claims the breach hurt them, and wants the company to help make them whole again.
So cyber insurance policies include first-party coverages and third-party liability, which is also, as Mike notes, what makes them somewhat confusing to even insurance people--let alone the average consumer.
- Direct Expenses
Let’s say you’re a business that has a data breach. Well, what the heck do you do now? Typically the first-party coverages will cover things like bringing in a lawyer to figure out your obligations. Because unless you’re specialized in this area, you’re not going to know who to notify or what to do.
You will also bring in forensics. A forensic investigator is going to help you figure out what happened. Is it still going on? Is it stopped? The forensic investigator will work closely with the lawyer you hire because anything they produce is essential if you are sued, and you have to trigger those third-party claims. Direct expenses will cover things like notification expenses--to notify consumers you’ve had a breach--and credit monitoring, and so forth--whatever the law dictates.
- Policies That Help the Business Return to Normal After a Cyber Attack
This part of the policy comes in once the dust has settled. For example, say a ransomware event has unfortunately happened. The ransomware has now been contained, and the business figures out what date it was exposed and begins to notify everyone. At this point, the company needs to restore its data and its network and get back to normal, to whatever degree it can.
This could entail, for instance, spinning up some additional servers to set up a temporary network while its core network is compromised. All of those are expenses covered in either your data restoration or network restoration coverages--these are the things that will help a business get back to being operational.
- Business Interruption Expenses
Once the business is back up and running, the next thing that’s going to happen is accounting for the period of time it was down. This coverage is going to help the company recoup the income it lost while it was down.
Traditionally, the most important thing for running a business was its brick-and-mortar location. Well, since 2020, not so much anymore. Now, if a building burns down, everybody’s set up to work remotely. But if your remote work environment goes down, you can’t operate. So this part of the policy covers the lost income and extra expense--some policies cover things like payroll.
- Cybercrime Coverage
The fifth and last piece that’s often built into a cyber insurance policy is cybercrime. Here the intent of the coverage is not so much data compromise as theft of money. It could include social engineering--somebody being tricked into paying a fake invoice--or even somebody hacking into a bank account and committing utility fraud.
This also accounts for cases where somebody hacks into your internet service provider or a hotspot and runs up a huge bill, or uses your network for cryptocurrency mining. You can see how the possibilities are limitless, especially with cyber attackers continuing to advance.
Mike reminds us that, with cyber attackers bolstering their efforts, cyber insurance policies are consistently expanding accordingly, as there’s no base policy that every carrier explicitly provides.
To learn more about cyber insurance and understand what to look for in a policy, watch the Achilleion Live video of Mike and Amir’s conversation below.