
Navigating the Road to Cyber Liability Insurance

The frequency of cyberattacks has made cyber liability insurance more challenging and costly to procure than ever. As requirements become more stringent, it’s important to consider the kind of coverage your business needs before you invest.

Though organizations are more connected and automated than ever today, the rise of cybersecurity threats has created a daunting landscape for businesses everywhere. Data breaches and ransomware attacks have become more common — and more costly — every year, bringing countless financial and reputational risks.

An increasing number of organizations have turned to cyber liability insurance in an effort to protect their businesses from potential damages — and for good reason. In 2021, the Financial Crimes Enforcement Network (FinCEN) received an average of four ransom incidents per day.

However, because of this increase in the frequency and cost of cyberattacks, insurance has become increasingly challenging and expensive to procure. As the requirements for purchasing cyber liability insurance become more stringent, it’s important to consider what your organization is hoping to get out of coverage before you invest.

What Can Cyber Liability Insurance Do for Your Organization?

Whether you’re a large enterprise or a small organization, you may be wondering about the kinds of benefits that cyber insurance can provide. Like insurance of any other kind, there is no one-size-fits-all answer, as coverage can vary greatly depending on your needs. However, there are a few benefits to cyber insurance that you may not be aware of:

  1. Financial security. In a best-case scenario, cyber liability insurance can be a financial safety net, covering most if not all of the organizational costs associated with a cyber incident. Depending on your coverage, cyber liability insurance may cover not just data loss, but also expenses like legal fees, investigations, data recovery, business interruption losses, and even ransom payments. This can potentially alleviate the financially devastating impact of a cyber incident on organizations of all sizes.
  2. Reputational damage control. The negative impacts of cyberattacks may extend beyond financial stability; cyber incidents have the potential to wreak havoc on a company's reputation, affecting customer trust and future prospects in the process. Cyber liability insurance providers typically offer public relations and crisis management services to soften the blow. Often, these resources can be a crucial part of recovering a company’s image and minimizing long-term damage to the brand.
  3. Breach control support. Cyber liability insurance policies typically provide access to a network of experts, including legal professionals, forensic investigators and IT specialists who offer guidance and support in the wake of a cyber incident. This guidance can help your organization manage the incident, conduct investigations and employ future-forward preventive measures.

Challenges of Procuring Cyber Liability Insurance

These benefits sound great in theory — but procuring cyber liability insurance is not necessarily as easy as purchasing coverage for your home or car. It’s important to understand that getting covered requires some due diligence on the part of your organization first.

Here are three considerations to keep in mind:

  1. Cost. Before you can transfer or buy down your organization’s risk, it’s important to carefully review and understand your organization’s risk factors and exposure. Premiums can vary significantly based on your organization’s size, security posture and industry. Determining the necessary level of coverage for your business based on your risk profile is essential to ensuring that your premiums remain sustainable. For larger organizations requiring millions of dollars in coverage, provider-based insurance may not be the best option, and self-insurance options or controls investments may be a better bet.

  2. Coverage limitations. After applying for and receiving your policy, it’s likely that your team will need help understanding the application terms and policy language around each type of exclusion. For example, certain types of cyber incidents, like nation-state attacks, may be explicitly excluded from coverage. It’s important to understand exactly what your coverage states to confirm that you are getting the coverage you’re paying for.

  3. Claims process complexity. The claims process for cyber liability insurance can be complex and time-consuming. Insurers typically require exhaustive documentation and evidence to verify a claim — which is not always top of mind for businesses already dealing with the fallout of a cyber incident. Being “claims ready” means ensuring that your organization’s program and incident response practices are aligned with your insurance policy requirements, and that those requirements are detailed in your formal incident response plan. Building your own incident response panel and ensuring that your team (as well as third-party legal counsel) are on retainer is a great way to stay prepared for any additional complexity.

Do You Need Cyber Insurance? Probably.

Even with premiums rising and the requirements for coverage becoming increasingly complex, cyber insurance is still one of the most cost-effective ways for organizations to buy down their risk.

Though cyber liability insurance is not currently a formal compliance requirement, many companies have begun requiring proof of certain levels of coverage as a part of third-party risk due diligence in contracts and corporate audits.

So, where should you start?

Next Steps in Procuring Cyber Liability Insurance

Cyber liability insurance can be difficult to procure, and its value can be even more difficult to maximize.

Your organization will likely need guidance on risk assessment, application completion, incident response and claim readiness before even selecting the right coverage and negotiating policies. When all is said and done, you can rest easy knowing that your organization is as prepared as possible for a cyber incident.

Story by Walt Powell, who is the Lead Field CISO at CDW, specializing in providing executive guidance around risk, governance, compliance and IT security strategies.
