Cyber liability insurance is a relatively new product to come to market. Historically policies such as Property, Liability and Crime have failed to cover the risks revolving around non-tangible assets (data), and network related risks.
With the growing reliance on technology in all areas of business, and the heightened threat of outsiders trying to access information, the exposure to these risks has increased significantly. Therefore the need for cyber liability insurance has increased.
Who should be buying cyber liability insurance?
All companies have some exposure to cyber risks to one degree or another. Any business that holds data on third parties or employees should consider its exposure, and the more voluminous and sensitive the PII (Personally Identifiable Information), the greater the potential liability to those third parties or employees. Any company with online sales has a clear exposure, although even companies without this can be left unable to trade effectively when critical applications within their network fail. If staff are unable to access sales/marketing lists, customer relationship management systems and supply chain related procurement systems, work can very quickly grind to a halt, resulting in a sharp drop in profits.
Cyber policies typically provide two main elements of cover: first party (loss or damage to your physical assets) and third party liability.
First party cover provides insurance for loss or damage to your digital assets, including the costs incurred in restoring, updating, recreating or replacing them. The loss or damage can include computer crime and computer attacks by third parties, but also accidental damage or destruction and administrative or operational mistakes by employees and third party providers.
In addition, it is possible to extend cover to include the associated risks of business interruption and extra expense, cyber extortion and reputational harm.
Third Party – liability to others
If you suffer a security breach on your network, transmit any malicious code, or breach any third party or employee privacy rights or confidentiality, the costs of the subsequent investigation, defence and civil damages can be significant. It is possible to insure these costs under the security and privacy liability section of a cyber policy. It is also possible to insure investigation and defence costs, as well as any awards and fines, if you are investigated by a regulator as a result of a breach.
Notification expenses can also be insured: if there is a legal or regulatory requirement for you to notify individuals of a security or privacy breach, we pay for the legal, postage and advertising expenses involved.
Cyber Risk Assessment Tool
Answer these questions to understand the extent to which your business is exposed to a cyber attack.
Do you have an effective risk governance structure, in which your risk appetite and selected controls are aligned?
Do you have a mobile and home-working policy that staff have been trained to follow? Do you have a secure baseline device build in place?
Do you have acceptable use policies covering staff use of systems and equipment? Do you have a relevant staff training programme? Do you have a method of maintaining user awareness of cyber risks?
Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts?
Do you have a policy controlling mobile and removable computer media? Are all sensitive devices appropriately encrypted? Do you scan for malware before allowing connections to your systems?
Do you have a monitoring strategy? Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points? Do you analyse network logs in real time, looking for evidence of mounting attacks? Do you continuously scan for new technical vulnerabilities?
Do you have a technical vulnerability patching programme in place, and is it up to date? Do you maintain a secure configuration for all ICT devices?
Do you have an appropriate anti-malware policy and practices that are effective against likely threats?
Do you protect your networks against internal and external attacks with firewalls and penetration testing?
Do you have an incident response and disaster recovery plan?
Do you have cyber liability insurance?