Cyber Insurance: Minimizing Financial Liability for Cyber Risks
By CHHS Extern Beryl Harris
Considered one of the fastest growing areas of liability insurance, cyber risk insurance has come to the forefront primarily because of the growing number of data security breaches. Managing risks inherent in electronic transactions through insurance is a fairly new concept. Even so, companies both big and small are paying very close attention to this method of mitigating costs associated with cyber risks.
So, what exactly is cyber insurance? According to Risk and Insurance (IRMI) online, cyber insurance aims to cover an array of “both liability and property losses that may result when a business engages in various electronic activities.” But how is cyber insurance different from a regular insurance policy that provides coverage for a brick-and-mortar storefront? Mostly, the uniqueness of the types of damages and risks that are innate to e-business drives the need for a different type of insurance policy. For example, if someone were to breach a physical location, s/he would likely get away with assets belonging to the company. However, if someone breaches an online data system, s/he may end up with information that could prove harmful to customers/clients/employees for a very long time. Thus, the need for cyber insurance is driven not only by the need to limit a business’s financial liability, but also by the need to protect customers.
Inga Beale, CEO of Lloyds of England, says she “expects the market for cyber insurance to surge after hackers attacked some of the largest companies in the U.S.” Security experts have also taken note of the need for cyber insurance. Tom Ridge, former Homeland Security Secretary, who now owns a cyber insurance company, indicated that, “This is not just about insurance, but helping and incentivizing companies to manage their cyber operations more effectively.” When a business considers purchasing cyber insurance, that business must also consider tailoring other aspects of its operations in a manner that makes cyber insurance viable.
Moreover, the significance of and need for cyber insurance inform the decisions that an executive board makes. According to one researcher, businesses will have to develop a formal standard of care when it comes to insurance for cyber operations. Currently, there is still no formal standard of care. CHHS Senior Law and Policy Analyst Markus Rauschecker, however, has suggested that “Private sector organizations should be motivated to implement the NIST [National Institute of Standards and Technology] Cybersecurity Framework” as a suitable standard of care. Rauschecker further indicated that the “NIST Cybersecurity Framework provides commonly recommended cybersecurity activities by which an organization can become more secure.”
Like any other form of insurance, cyber insurance is structured based on the predictability of an incident occurring. The Center for Insurance and Research has provided some key factors against which a cyber insurance policy could be formulated, including:
- Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
- The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.
- The costs associated with restoring, updating or replacing business assets stored electronically.
Additional factors that may be considered are available here.
But along with considering these factors, it may still prove difficult to obtain cyber insurance. Cyber insurance companies pay very close attention to measures that are already in place to diminish risks. As such, businesses are required by cyber insurance companies to provide disaster response plans in conjunction with risk management techniques already utilized.
Businesses looking to reduce financial liability through cyber insurance will have to establish standard operating procedures that encompass vigorous protection of their electronic systems. No longer can businesses simply ignore the need to have robustly built and protected electronic systems. So, while cyber insurance provides a method of reducing the financial liability that may be connected to cyber risks, the burden is still on businesses to take steps to lessen risks in the first place. Only after businesses have done their part to minimize cyber risks can cyber insurance be a viable option to reduce financial liability.