Today, cybercrime is the main risk factor for companies worldwide. In 2016 only, Italy suffered economic damage resulting from cyber-attacks for around 10 billion euros. And the situation isn’t much better in the USA, with an average annual cost of 4 million dollars per company estimated due to data breaches (2016 BDO Board Survey).
To address this risk, many businesses have taken out cyber insurances: in the USA, one in three companies has it. But even if a good cyber insurance can help customers recover as soon as possible after a data breach, it can’t prevent it. Therefore, before getting cyber insurance it is necessary to encourage a corporate culture regarding cybersecurity and data protection and to perform a process of analysis and risk management involving both human and organizational factors, as well as technological ones.
On the 5 July 2018, Hermeneut organised the “Insurance in cyber-security” workshop to assess the situation of the cyber insurance market and to present its methodology and models for risk assessment and cost-benefit analysis, which are key factors for the development and growth of the insurance market in IT security. The workshop paid particular attention to the legislative aspects of cyber insurance and to the General Data Protection Regulation (GDPR), the new European regulation on privacy and data security that came into force on 25 May 2018.
The workshop underlined that cyber insurance policies are the last step of a process that all companies should follow in order to increase their protection from cyber-attacks. A cyber insurance is important, but it is not enough if the company doesn’t already respect the highest standards of security, as well as the data protection legislation.
So, before getting cybersecurity insurance, let’s see 7 important things to know about it.
Who is cyber insurance for?
Cyber insurance is for all companies, but especially for medium and small ones, the most vulnerable to cyberattacks. Cyber attacks can have serious consequences and cause not only economic losses, but also loss of customers, data and reputation. Investing in cybersecurity (and in cyber insurance) could turn out to be a very important investment for a company.
What can cyber insurance do for companies?
Let’s start from what a cyber insurance can’t do: insurance companies don’t review business processes, neither at security levels of the IT nor with regards to the technological systems adopted; but of course they’ll keep it in mind during the risk assessment and when writing the contract. For this reason, a strong investment in cybersecurity before signing the contract is advisable. A specialised consultancy can help manage security, human factors, management and GDPR issues.
Let’s see now what the cyber liability insurances can do. They can help your company by:
- Assessing your risk and exposure, constantly monitoring your company’s situation;
- Providing assistance in case of cyber-attack, e.g. providing all necessary means to counteract and mitigate the effects of the attack and guiding you towards operational normality;
- Guiding you through compliance to GDPR, and assisting you in aspects related to the internal security of your company and the defense of its reputation;
- Refunding you financially in the event of an attack and data breach.
In this last case, some distinctions are necessary.
What assets can be insured and reimbursed?
Cybercrime insurance policies can’t cover sanctions addressed to the company not respecting legislative obligations, such as the GDPR. The new European regulation was adopted to help companies minimize the risks of cyber-attacks; for this reason, penalties apply to those who do not respect legal obligations and these sanctions will always be in charge of the offender.
All other protections are envisaged, both for tangible and intangible assets.
Are there well-defined standards for insurance policies in cybersecurity sector?
No, there aren’t standards in place for cyber insurances. This can be a risk, but also an opportunity for companies. Let’s see why.
Cyber insurance is a new sector and insurance companies currently offer different possibilities of insurance, so it’s very important to pay attention to what is assured and how. On the other hand, there’s a wide offer of insurance coverage, which can be tailored to the specific business risks of your company. Therefore, you must have clear ideas regarding your needs and rely on experts in the field before signing a contract.
What kind of insurance policies exist?
There are several kinds of policies, all offering wide margins of customization. Some policies cover the costs of system restoring and material damages in general. Others protect against data loss and reputational damages. Some cover the loss of revenue from an attack blocking a company’s production activities. Finally, other cyber insurance policies offer compensation in the event of economic theft or extortion (i.e. ransomware such as Wannacry, which in 2017 hit one hundred thousand IT systems in 105 countries), but this kind of coverage is banned in some countries. All these of policies are part of the so-called “First party insurances”.
The “Third party insurances”, instead, cover risks related to other businesses partnering with your company in different ways.
But is cyber insurance alone enough?
No, cyber insurance alone is not enough. Cyber insurance is just one of the measures that every company should adopt in terms of cybersecurity. It is necessary to adopt many other measures of intervention, which concern the human aspects and organizational processes of a company, its technological and IT standards, legislative aspects, and only as a last step the stipulation of an insurance custom-designed for your company.
How to choose the best insurance policy?
To choose the best policy suitable for specific business needs, an analysis of the risks and the impact that these could have on your business is necessary. All the assets of the company – including the financial ones, the goods protected by intellectual property and the data stored (internally and externally) – need to be considered. For each of them, the main vulnerabilities will be identified and a certain level of risk will be assigned, considering that hackers exploit the vulnerabilities of a system to enter a company’s physical resources. Only when this process is completed, it is possible for find the best policy for your own company’s needs.