The increased risks posed by cybersecurity breaches have meant that many organisations are looking to insurance to address some of the exposure. But cybersecurity insurance is still new, and there are things that companies wishing to purchase it should look out for. Here are five tips if you are considering obtaining or renewing a cybersecurity insurance policy.
- Get the whole team involved
It is important that your policy provides the coverage that you need. People in the organisation who are familiar with cybersecurity and its risks, such as the risk management department, compliance and IT professionals, as well as legal counsel and insurance brokers who are familiar with insurance and legal risk, should be involved in the process. Lack of input from any of these people when making a cybersecurity insurance decision could result in avoidable gaps in your coverage.
- Understand your needs
Understanding your risk profile and tolerance is key to determining the scope of your cybersecurity insurance. There are many factors that should be considered, including the scope and type of information you maintain, how and where the information is used, stored or transferred, and your network infrastructure. It will also be relevant to consider your cybersecurity, privacy, and data protection practices and any risk management or compliance requirements imposed by a regulator if you are a regulated entity.
- Ask questions about the policy
Carefully evaluate the policy you are considering and ask your broker or insurer questions about the policy. Particular attention should be paid to inclusions and exclusions in the policy. For example, is cyber terrorism excluded from the policy?
Another important question to ask is whether the insurer will give a retroactive date of at least one year prior to the policy’s start date. US data indicates that in 2014 cyber breaches went unnoticed by organisations for an average of 205 days.
- Stand-alone cyber cover may be better
Trying to add cyber cover to traditional Professional Indemnity and Directors and Officers insurance policies can be problematic, as they often contain exclusions which will limit the effectiveness of the policies in responding to cyber incidents. It may be better to purchase stand-alone cyber cover which has been specifically designed to respond to cyber breaches.
- Pay attention to the application
Your cybersecurity insurance application will contain a number of questions about your cybersecurity and data protection practices. These questions will likely require detailed technical information. Your technical specialists will likely be the people drafting your responses. However, as insurance law is full of unique terms and concepts, you should also involve experienced legal counsel in the application process.
Insurance won’t prevent your cybersecurity being breached, but it is a valuable component of your overall risk management program should you be the target of a cyber attack.