Cyber Insurance Considerations for your Organization
Cyber insurance, also known as cyber risk insurance or cyber liability insurance coverage, can help organizations protect against losses resulting from a cyberattack. Cyber insurance generally helps organizations transfer the costs involved in recovery efforts following a cyberattack, such as a security breach, a ransomware attack, or another incident.
The frequency and impact of cyberattacks continue to rise in the United States. In its 2021 report, the Government Accountability Office (GAO) said malicious cyber activity poses a significant risk to the federal government and the nation's businesses and critical infrastructure, and that it costs the U.S. billions of dollars each year. The GAO goes on to say that threat actors are becoming increasingly capable of carrying out attacks, highlighting the need for a stable cyber insurance market.
Cyber Insurance Recommendations
Because recovering from a cyberattack can be costly, the Federal Trade Commission (FTC) has published the following general recommendations to consider if your organization is thinking about cyber insurance:
- Make sure your policy includes coverage for:
  - Data breaches, such as incidents involving theft of protected health information (PHI)
  - Cyberattacks on your data held by vendors and other third parties
  - Cyberattacks that involve breaches of your network
  - Cyberattacks that occur anywhere in the world (not only in the United States)
  - Terrorist acts
Furthermore, consider if your cyber insurance provider will:
- Defend your organization in a lawsuit or regulatory investigation
- Provide coverage in excess of any other applicable insurance your organization has
- Provide a breach reporting hotline or another mechanism to easily report a suspected breach
First-party cyber coverage generally protects your data, including employee, customer, and patient information. This coverage includes costs related to:
- Legal counsel to determine your notification and regulatory obligations
- Recovery and replacement of lost or stolen data
- Customer notification and call center services
- Lost income due to business interruption
- Crisis management and public relations
- Cyber extortion and fraud
- Forensic services to investigate the breach
- Fees, fines, and penalties related to the cyber incident
Third-party cyber coverage generally protects your organization from liability if a third party brings claims against you. This coverage may include:
- Payments to consumers affected by the breach
- Claims and settlement expenses relating to disputes or lawsuits
- Losses related to defamation and copyright or trademark infringement
- Costs for litigation and responding to regulatory inquiries
- Other settlements, damages, and judgments
- Accounting costs
Healthcare Compliance Pros Recommendations
While we are not recommending specific insurance companies, we do recommend discussing cyber insurance with your insurance agent. Whether your organization currently has or is considering cyber insurance, we are adding content to your Security Risk Analysis (SRA) and questionnaire so that we understand any coverage your organization may have.
If you are considering coverage, we recommend using the tips the FTC has provided above to make sure your coverage is sufficient in the event of a cyberattack.