Is cyber insurance worth it?

These days, having cyber insurance that covers a company for costs related to cyberattacks is an expected standard corporate practice. It is the last in the line of risk mitigation tools that lessens or defers your company’s cyber risk. And it’s an important one, as data breaches and other cyber incidents are happening daily to entities large and small, even ones with large information security departments, such as the recent Twitter hack. Sometimes, even when you do all the right things and follow all the best practices, you can still be hacked. That is when your cyber insurance should kick in to help offset the outsize costs of a successful hacker attack. Costs can add up quickly, including technical firms to help with forensics and investigation to PR and legal costs. Having the proper cyber insurance can mean the difference between surviving a cyberattack or your organization becoming roadkill on the cybercrime highway. And just having a cyber insurance policy isn’t enough. If you don’t have the right policy that fits your organization’s needs and risk levels, it can be as bad as having no policy at all. The devil is indeed in the details when it comes to cyber insurance.

Cyber insurance: what you need to know

Here are some important questions to ask when evaluating cyber insurance policies:

Is it enough?

With costs of a data breach rising every year, a policy for $1 million or even $5 million may not be nearly enough to cover your costs. In the “old” days—and by this I mean two to three years ago—hackers were content to steal your data and try to sell it on the dark web. Cleaning up from that was expensive enough but now, using ransomware, they will lock up your entire operations, causing you downtime and lost sales and customers every day. Not to mention the regulatory citations that can either fine or limit your operations  And these costs can be quite significant. A study by the Ponemon Institute showed that the average cost of a  breach rose in 2019 to more than $8 million in the U.S. And, of course, if you are a larger than average enterprise, those costs will be greater, possibly up into the millions or even billions.

Does it cover the things you need to be covered?

I’ve reviewed many cyber insurance policies and I often see old policies that merely cover replacing equipment, maybe some forensic costs. But in these days, given the crippling effects of ransomware, you should be looking to get the coverage that offers payments for business continuity services, so you can continue to run your business while you recover from the attack. This may be used for a wide variety of things such as turning up expensive cloud infrastructure as a backup site, scaling server farms to handle DDoS barrages, and even temporary workers and office space in the event of physical damages to a facility. You might also need to employ incident response firms and PR services to manage the public side of an incident and those don’t come cheap. Be sure you are covered explicitly if you need those things.

Are there exemptions or overly broad exemption clauses?

I saw one policy that only covered “non-targeted cyber attacks.” So basically if you are hacked by random script kiddies, you are okay, but if a hacker specifically targets you, you have no coverage. This amounts to a health insurance policy that only covers the common cold; in other words, of almost no use at all. Another common exemption phrase that is used is for “acts of war.” Now this used to not matter so much as “acts of war” were committed by two countries locked in a traditional kinetic war and that wasn’t very common for superpowers like the U.S. However, with the never-ending wars in Afghanistan and Iraq and our peacekeepers in areas such as Syria and other hotspots, the definition of war is a bit hazy. Also, nation-state actors often attack other nation-states in ongoing “shadow cyber wars” without any official conflict being declared. This isn’t a theoretical legal argument; pharma giant Merck was denied coverage for over a billion dollars in coverage it thought it had when the insurers used the “act of war” clause to deny their claims. It turns out that the damage was caused by Notpetya, a malware that Russian state hackers allegedly unleashed on Ukraine. Merck became collateral damage when one of its offices in Ukraine was infected and it spread to the whole corporation. So try to strike these clauses or at least add verbiage such as “declared by Congress” as a further definition of what an “act of war” means.

Review your policies regularly

To get a handle on these issues before a policy is needed, I recommend an annual review of cyber insurance coverage, rather than the default renewal that most companies do. This will allow you to find and correct these issues as well as negotiating for better pricing, additional coverage limits, and riders to cover new attacks and the costs associated with them. Privacy fines are one area that isn’t always covered under traditional cyber insurance or may require a separate rider. Privacy is getting more regulatory attention and fines can easily reach into the billions of dollars for large corporations, as Walmart and Facebook recently found out. Keep in mind that, depending on your size and “pull” with the insurer,  you might not be able to change standard clauses, but you’ll never know if you don’t ask. And it can certainly make you more aware of what your coverages are and allow you to seek out additional coverage or insurers. So, yes, cyber insurance can be worth it, but it’s important to do a full investigation and “read between the lines” when signing up for anything. Plus, when it comes to having the right cyber insurance policy, it won’t matter until it does. And then it could matter a lot. This article originally ran on Security Boulevard.