Cybersecurity insurance considerations
The increased risks around cybersecurity have sparked many new questions about the role of insurance in helping to manage a firm’s security risks. Many firms are adding a cybersecurity insurance policy to insulate the firm’s finances against a major security breach. Below are some important considerations when evaluating the need for a cybersecurity insurance policy:
- Cybersecurity coverage is not typically included in most commercial policies. A separate policy or rider is likely required.
- Begin by putting a basic cybersecurity program in place — an effective program can reduce premiums.
- Clearly understand the scope of cyber coverage; brokers can help clarify.
- Firms should consider both first- and third-party coverage, to cover potential losses arising from the firm's own weaknesses or those of third-party vendors.
- Be responsible: A cyber policy can be an important part of a firm’s cybersecurity program, but it shouldn’t replace cybersecurity policies and controls.
The National Association of Insurance Commissioners (NAIC) outlines some of the types of cybersecurity coverage being offered:
- Liability for security or privacy breaches
- Costs associated with breaches, such as customer notification and support
- Replacement costs for restoring, updating or replacing business assets stored electronically
- Costs associated with business interruption
- Liability associated with copyright infringement or product disparagement as the result of a breach
- Expenses paid for ransomware or cyber extortion
- Expenses related to regulatory compliance failures