Companies can mitigate losses from cyberattacks and other data breaches by purchasing cyber insurance, but they should evaluate policies carefully.
For many organizations, it’s not a question of whether they will face a data breach incident but when. This risk, say some experts, is a main reason why organizations of all sizes have been turning to insurance policies that cover data losses from cyberattacks and other incidents.
While not new, cyber insurance has been growing in popularity at an unprecedented rate. Forrester Research predicts year-over-year sales growth of about 20 percent for the next couple of years. Reasons for this growth—aside from the high frequency and exorbitant costs of many breaches—include the maturation and multiplication of available policies.
Policies can be a sound investment if purchased from reputable carriers, but companies should be sure to look for comprehensive policies covering factors such as third-party risk and for other features that can align with the company’s specific risks, say experts.
One new trend is the popularity of these products among mid-size and small organizations, says Rick Betterley, president of Betterley Risk Consultants, which has published an annual report on cyber insurance for more than a decade.
Many organizations, after a data loss incident, have been glad they had insurance, says Paul Paray, counsel at the law firm Wilson Elser and a specialist in risk management and insurance. Other firms have purchased policies after an incident.
From an insurer’s perspective, one potential downside to the insurance is that there is relatively little historical data to evaluate data-loss risks, according to a recent Forrester report. “[I]nsurance companies will compensate…by charging you a higher premium,” it states.
Some security professionals wonder whether carriers will be able to afford promised payouts after an incident. “My concern is whether insurance companies will be able to keep up with hackers,” says Betterley.
“I’d be careful who you buy from,” says Betterley, adding that it could be worthwhile to find a provider that’s been “in the [cyber insurance] market for a while.” Or perhaps, one that’s a “household name.” But others say that, due to the widely varying nature of policies, organizations should avoid limiting their options. It could be good to review a provider’s “financials,” however, says Paray.
Companies might consider working with a trusted broker who can help explain policies and, in some cases, identify fine print that could eventually limit possible payouts.
Experts also advise choosing a comprehensive policy, particularly packages covering third-party liabilities, because regulators are holding first-party companies more accountable for third-party losses. More organizations want their business partners to hold cyber insurance, says Paray. But it might help to insure against those partners’ missteps as well.
In some cases, policies termed “privacy insurance” will have more extensive coverage than their cyber counterparts, according to the Forrester report. While there isn’t always a clear distinction between the two types of policies, many privacy products will likely cover losses of sensitive information as opposed to focusing on a set of events that may have caused the loss.
It can also be important to find policies that cover incidents involving both electronic and nonelectronic data, such as information stored on paper documents, says Betterley. A growing number of policies also cover data loss and privacy incidents related to social media, he says. Such coverage could be worthwhile for companies active in social media.
Companies might also seek policies covering lawsuits stemming from excessive data collection, according to Larry Racioppo, head of the executive liability practice at the professional services firm Towers Watson. A growing number of lawsuits have stemmed from those types of incidents.
The cyber insurance market remains relatively small: just 2 percent of organizations that hold business insurance also hold cyber insurance, Forrester estimates.
But for some organizations—especially those handling large amounts of sensitive information—a policy could be worthwhile. If an incident does occur, says Betterley, it helps if you “can go to the board and say ‘we have a policy to cover this.’”