RSA 2024: What Businesses Need to Know About Cyber Insurance

If you don’t have cyber insurance, you need to get it. But even if you do have it, there’s never a bad time to review your policy to ensure you’re covered for everything you should be and that your insurance is aligned with your overall risk management strategy.

That was the key message delivered by cyber insurance experts during the RSA Conference 2024 in San Francisco. Cyber insurance is complex, they said, with little standardization throughout the industry and plenty of available customizations that organizations must consider. At the same time, it’s also vital: No modern business can afford to be left without coverage.

Here are the basics that every organization should know about cyber insurance.

In the event of a data breach, policyholders can typically expect to be reimbursed for both first- and third-party costs.

First-party costs are the insured party’s own direct expenses, including those for investigating, responding to and reporting a breach to regulators and other authorities, as well as to cover the costs of restoring or rebuilding damaged systems. It would also cover fines and other regulatory penalties, attorneys’ fees, credit monitoring or a special call center that a business may have to set up for affected parties, and any crisis communications or public relations made necessary by a breach.

Third-party costs generally refer to the costs of defending against lawsuits, including any judgments paid.

Businesses can also opt in for additional coverage. Insurers are often eager for their policyholders to take up these so-called “endorsements” because they reduce policyholders’ risk of future breaches. For example, a “betterment” endorsement may pay for a business to upgrade an outdated system either before or after a breach.

“Betterment allows the policy to pay for newer equipment and not get constrained by the typical replacement language that’s in a lot of policies,” says Peter Hedberg, vice president of underwriting with Corvus Insurance.

Another common add-on would pay out when a third party, such as a key supplier, suffers a breach that affects the policyholder, rather than the policyholder itself suffering the breach. Another pays when the policyholder suffers physical damages, including ruined inventory or equipment, as a result of a cyber event.

For these and other endorsements, businesses should “be aware of what’s available” because different insurance companies offer different options, explained Christopher Seusing, a partner with the Wood, Smith, Henning & Berman law firm and chairman of its privacy and cybersecurity practice.

In fact, Hedberg added, cyber insurance is notable within the insurance industry for its low degree of standardization. Auto and property insurance are highly standardized throughout the industry; cyber insurance is not, and that means businesses must read policy documents carefully and compare offerings between insurers.

“These products are not standardized,” Hedberg said. “Every insurance company has its own wording; they think they’re doing it the right way. You have to have a good broker because they have to sift through all that for you.”

With all that in mind, businesses should remember that cyber insurance is “just one of those ways to transfer risk,” said Violet Sullivan, an associate vice president with insurer Crum & Forster. “This is just like your vendor management contracts. You’re creating this parachute behind you. One reason it’s so important to read your policy is to make sure it aligns with the rest of the ways that you’re mitigating risk.”

Monique Ferraro, cyber counsel with insurer HSB, noted that beyond covering a business’s costs in the event of a breach, a major benefit of cyber insurance are the services that come with it. These include lists of preapproved service providers that are qualified to help with incident response.

“You also get substantial discounts and pre-vetted, pre-incident services, and that is invaluable and reduces your costs,” she said. “Your overall security budget is definitely supplemented. So, some of the value you get for free is equal to the value of the policy.”

But qualifying for cyber insurance and getting an optimal premium on a policy requires proactive work on the part of the IT team.

In general, insurers will expect that organizations have certain security controls in place, including:

• Enterprise-grade email security tools capable of automatically detecting and blocking common threats before they reach employee inboxes.

• Data loss prevention solutions that can pinpoint potential security issues and take action to prevent data loss. Third-party services such as penetration testing, policy and access evaluations can help.

• Multi-factor authentication tools that ask users to provide an additional identity factor for access, limiting the ability of attackers to brute-force their way into networks.

• Next-generation firewalls that are better designed to detect modern attack tactics than traditional state-based firewalls.

Insurance is a critical but costly component of an overall cybersecurity plan. With expert assessment and assistance, however, organizations are better equipped to balance policy, price and protection.