Cybersecurity Insurance Policies Explained
Learn key aspects of cybersecurity insurance policies and understand the implications for information security experts
Cybersecurity insurance policies act as a defensive layer to protect your organization from the financial and reputational repercussions of cybersecurity incidents.
Understanding the fine print in your cybersecurity insurance policies is one of the most important steps to effectively mitigate the impact of a cybersecurity incident in the event one occurs on your watch. But first it is important to understand the coverage included in cybersecurity insurance policies so that you, as an information security expert, can keep your incident response processes in compliance.
In this article, we review the following:
- Standard inclusions of cybersecurity insurance policies
- Types of cybersecurity insurance coverage
- Implications for information security experts
- What to do in the event of a cyber incident
- Revisiting and documenting your cybersecurity program
Standard inclusions of cybersecurity insurance policies
Like many cybersecurity and information security experts, you may know that cybersecurity insurance policies are a standard element in an overall cybersecurity protection plan. But what are cybersecurity insurance policies protecting you from?
Glad you asked. Cybersecurity insurance policies are designed to cover costs directly associated with a security breach.
Typical inclusions:
Documenting & investigating a cyber attack
If your organization experiences a security breach, your information security team must engage immediately with breach counsel from your insurance provider’s approved vendor list to determine the exact next steps. As a best practice, before a security incident occurs, have a discussion and an engagement letter in place with breach counsel; counsel will typically also be the party that engages the forensics firm, so that the investigation’s work product is protected by privilege. The costs incurred from this outside counsel are covered under your policy, subject to its limits and any sublimits.
Data recovery & hardware repairs
In a cyber incident, your organization should investigate, recover data, and restore systems through a digital forensics and incident response firm from your insurance provider’s approved vendor list. Let that firm preserve evidence (disk images, memory captures, logs) before restoration begins: the insurer and counsel will need the forensic record to support the claim and any notification decisions, and rebuilding first can destroy it. The costs your organization incurs from the forensics firm are covered under your policy.
Notifying consumers & regulatory agencies of a cyber incident
If customer data was included in a security breach, you must notify your customers and the relevant regulatory agencies. Which regulators, and on what deadline, depends on your jurisdiction and industry: for example, state attorneys general under US state breach-notification laws, the CFPB for certain financial institutions, or an EU supervisory authority under the GDPR, which requires notification within 72 hours of becoming aware of the breach. In some instances, your organization might be required to set up credit or identity monitoring for affected individuals through a bureau such as Experian or Equifax. Your insurance provider’s preferred vendor list will provide information on the notification process, including contracting with identity monitoring vendors. The cost of notification and of these monitoring services is covered under your policy.
Crisis management responses
Reputational damage is one of the most serious consequences of a cybersecurity incident. Many organizations hire a public relations firm to manage public communication and limit that damage. The costs your organization incurs from the public relations firm are covered under your policy.
Ransomware payments
Negotiating with a ransomware operator is a skill and should be handled by experienced specialists. A digital forensics and incident response firm from your insurance provider’s approved vendor list, or a dedicated negotiation firm it works with, is equipped to handle this activity; engage that provider rather than communicating with the attacker yourself. Before any payment is made, the insurer and counsel must approve it and the negotiator must screen the recipient against sanctions lists, because paying a sanctioned entity can itself be a violation (OFAC has issued advisories on ransomware payments). The costs your organization incurs from the negotiations firm and the ransom payment itself are covered under your policy, subject to any ransomware sublimit or exclusion, and payment does not guarantee that data will be decrypted or not leaked.
Types of cybersecurity insurance coverage
Cybersecurity insurance policies include two types of coverage: first-party and third-party coverage.
First-party insurance
First-party insurance covers the costs incurred or the income lost by your own organization when managing specific situations as a result of a cyber incident.
- Business interruptions (e.g. business income loss during the interruption period, the shutdown of computer systems to mitigate or avoid loss, or a system failure)
- Contingent business interruptions (e.g. when a security breach affects an outsourced service provider and payment for lost services is necessary)
- Digital asset destruction, data retrieval & system restoration
- Social engineering & cybercrime
- Reputational loss
- Extortion events
- Breach response & remediation expenses
Third-party insurance
Third-party insurance covers your organization’s liability to others: claims, lawsuits, and regulatory actions brought against you because of a cyber incident. Examples include the following:
- Damages and legal defense expenses due to a security or privacy breach claim
- Regulatory proceedings, fines & penalties (to the extent they are insurable under the applicable law)
- Media liability, such as defamation, trademark infringement, or invasion of an individual’s right to privacy
- Technology and professional services liability, such as an error that prevents technology products from performing as intended or title infringement with respect to software or computer code
Implications for information security experts
Knowing exactly what your policy covers—ensuring that you are aware of any exclusions, limitations, and conditions that may affect your coverage—is essential to your cybersecurity management strategy.
Insurance policies only pay out costs associated with a cybersecurity incident if you report your claim to your insurance provider strictly following your policy.
Insurance providers have specific conditions regarding the reporting process, such as a specific time frame within which the claim must be reported or a particular format in which the claim must be submitted. This is why it’s important to understand and comply with the reporting requirements of your policy to ensure that you are eligible for coverage.
What to do in the event of a cyber incident
Your first calls after discovering a breach go to your insurer’s claims line and to the breach counsel on your insurance provider’s approved vendor list, who will direct the next steps. As a best practice, have a discussion and an engagement letter in place with that counsel before an incident occurs.
The key thing is to identify those pre-approved individuals and companies when you choose the policy, not after the incident.
This matters because when a cyber incident happens you need to spring into action and reach out to the right parties for remediation, rather than doing damage control with your insurance company to find the right person after the fact. Time is money in these situations, and you don’t want to waste either by cold calling someone else’s contacts hoping for help.
Revisit & document your cybersecurity program
Cybersecurity insurance coverage requires a well-structured information security program. Your insurance provider will request information on how you handle the following programs:
Security awareness training for employees
Employees should receive regular security awareness training and testing, and the training frequency should be documented for insurance purposes.
Defense in depth
Insurance providers will look for layered controls: endpoint protection such as EDR (endpoint detection & response) or XDR (extended detection & response), encryption of data at rest and in transit, and, increasingly, offline or immutable backups that are tested for restoration.
MFA (multi-factor authentication) & managed user access rights
Require MFA for remote access, email, and all privileged accounts; many insurers now treat this as a condition of coverage. Govern access with a joiner/mover/leaver process: provision least-privilege access on hire, review it on role change, and revoke it promptly on departure. Forward authentication, privilege, and endpoint logs to a SIEM (Security Information & Event Management) system and alert on the high-signal events (failed MFA bursts, new admin grants, logins from unexpected locations) so that they are investigated. Managing user access rights from one central platform not only helps you qualify for insurance, but it’s also a key step for many industry-specific compliance standards.
Patch systems, review & rate any vulnerabilities promptly
Insurers will ask how quickly critical patches are applied and how vulnerabilities are rated and tracked to closure; keep a documented cadence and evidence that it is followed.
When a security incident occurs, you must also follow the protocol in your policy, which means your first phone call is likely to your insurance company. If your insurance provider requires you to work with a specific set of PR teams or ransomware negotiators, use your insurance-approved contractor list.
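As an added illustration of the "managed user access rights" evidence above (an example written for this article, not code from the original page or from Onspring), the following Python script runs a periodic access review over a constructed identity export. The field names, the 90-day staleness threshold, and the sample records are assumptions; the point is that one script yields both the findings to remediate (terminated users still enabled, admins without MFA, stale accounts) and the MFA-coverage figure an insurer’s questionnaire asks for.

```python
"""Access review over an identity export (added example; not the article's code).

Assumed record layout, one dict per account:
  user, status ("active"/"terminated"), enabled, admin, mfa, last_login (ISO date or None)
The 90-day staleness threshold is an assumption; set it to your policy's value.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample export (not real data).
SAMPLE_USERS = [
    {"user": "alice", "status": "active", "enabled": True, "admin": True, "mfa": True, "last_login": "2024-05-30"},
    {"user": "bob", "status": "active", "enabled": True, "admin": False, "mfa": False, "last_login": "2024-05-28"},
    {"user": "carol", "status": "terminated", "enabled": True, "admin": False, "mfa": True, "last_login": "2024-01-15"},
    {"user": "dave", "status": "active", "enabled": True, "admin": True, "mfa": False, "last_login": "2024-05-31"},
    {"user": "erin", "status": "active", "enabled": True, "admin": False, "mfa": True, "last_login": "2024-02-01"},
    {"user": "frank", "status": "active", "enabled": False, "admin": False, "mfa": False, "last_login": "2023-11-01"},
    {"user": "grace", "status": "active", "enabled": True, "admin": False, "mfa": True, "last_login": None},
]

STALE_DAYS = 90  # assumption: accounts idle longer than this get flagged


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    severity: str  # "high" or "medium"


def review_access(users, today, stale_days=STALE_DAYS):
    """Return findings for enabled accounts that violate the lifecycle/MFA rules.

    `today` may be a date or an ISO string so the review date is reproducible.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for u in users:
        if not u["enabled"]:
            continue  # disabled accounts need no review
        if u["status"] == "terminated":
            # Leaver process failed: access outlived the employee. Disable first.
            findings.append(Finding(u["user"], "terminated but account still enabled", "high"))
            continue
        if not u["mfa"]:
            who = "admin" if u["admin"] else "user"
            findings.append(Finding(u["user"], f"{who} without MFA", "high" if u["admin"] else "medium"))
        if u["last_login"] is None:
            findings.append(Finding(u["user"], "never logged in", "medium"))
        else:
            idle = (today - date.fromisoformat(u["last_login"])).days
            if idle > stale_days:
                findings.append(Finding(u["user"], f"stale: no login for {idle} days", "medium"))
    return findings


def mfa_coverage(users):
    """(accounts with MFA, enabled accounts): the ratio insurers ask for on questionnaires."""
    enabled = [u for u in users if u["enabled"]]
    with_mfa = [u for u in enabled if u["mfa"]]
    return len(with_mfa), len(enabled)


if __name__ == "__main__":
    as_of = "2024-06-01"  # fixed review date so the sample output is reproducible
    for f in review_access(SAMPLE_USERS, as_of):
        print(f"[{f.severity:6}] {f.user}: {f.issue}")
    covered, total = mfa_coverage(SAMPLE_USERS)
    print(f"MFA coverage on enabled accounts: {covered}/{total}")
```

Run it against a real export (most identity providers can dump these fields as CSV or JSON) on the same cadence you report to the insurer, and keep the output with the policy paperwork as evidence of the review.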
Your next steps
- Read the fine print in your insurance policy to understand what is specifically covered in the event of a cyber incident, in addition to who needs to be contacted and in what order.
- Create a cyber incident response process that keeps you in compliance with your insurance policy.
- Document the list of insurance-approved consultants, outside legal counsel, and other partners specifically trained to help you navigate a security breach if one does occur. Sourcing help from only this list will keep you in compliance, so any costs incurred or income lost has the potential to be recouped.
If you’re interested in learning how Onspring can help you track risk and manage your cybersecurity insurance policies, reach out to us at hello@onspring.com.