A new trend is emerging – that of Cybersecurity Insurance.

Because of what it has been through, the City of Baltimore has purchased a sweeping, brand new $20 million policy in order to protect not only its assets, but also the people who have been impacted, which includes mostly the city workers.  According to news reports, the Baltimore Board of Education recently approved this and gave the go ahead.

It is highly anticipated that this plan will include coverage for the following:

  • Expenses incurred for Incident Response activities;
  • Any downtime that has occurred while recovering stolen information and data;
  • Implementing stronger Network Security Protocols in the city’s IT Infrastructure.

When the city was attacked, it suffered over $18 million in damages alone.  This included the disruption of the city’s Email system and the temporary shutdown of payment systems such as those for water usage billing and even real estate transactions. In response, the Cyberattacker(s) demanded $76,000 to be paid in Bitcoin.

But the city never paid up (which is a very good thing), and thus this further delayed the complete restoration of fully functional government services.  It is expected that the Cybersecurity insurance policy that has just been acquired will be kept by the city for the upcoming years.

As the threat landscape keeps getting more covert and sophisticated in 2020, many businesses, no matter how large or how small, or even what type of industry they serve, will find the acquisition of Cybersecurity Insurance to be a comforting thought.

But just because you have it, don’t get lax in your security approaches, because if you are hit, the nightmare of not getting paid for all of your damages will start, and the headaches of fighting with your insurance carrier will only get worse. You may be asking why this is the case.  Well, here are some key reasons:

  • Although Cybersecurity Insurance has been around for many years, its popularity and demand have only just started to grow.  Because of that, there are still a lot of uncertainties and ambiguities that need to be resolved;
  • The insurance carriers offering these kinds of policies are just the major ones – such as Hiscox, Nationwide, State Farm, etc.  What they offer may not necessarily be the best fit for your own business’s circumstances;
  • When evaluating the application of a potential policy holder, the major insurance carriers don’t really use any sort of quantitative risk measure per se.  Rather, they look at each applicant on a case by case basis, carefully scrutinizing all of the security practices that the applicant has in place.  For example, is there a Security Policy in place?  How about a Disaster Recovery Plan?  Are these rehearsed on a regular schedule?  What kinds of safeguards have been implemented to protect the Personally Identifiable Information (PII) of both customers and employees?  Has the applicant been impacted by a Cyberattack before?  If so, how quickly were they able to recover and notify affected parties (such as customers)? And so on.  The bottom line is that even when you think you will get a policy, you may not get one in the end because your business has fallen short in the past on any of these factors, and possibly others as well.  Thus, the Cybersecurity Insurance carriers have recently been widely accused of being discriminatory and not treating all policy applicants in the same regard.
  • Depending upon how large your business is, you could be paying an exorbitant amount in monthly premiums but not get much of a return when you do file a claim.  Again, it is just like the healthcare industry: you may pay a lot into the system but get only pennies on the dollar back in return.
  • The Cybersecurity Threat Landscape is constantly changing on a daily basis.  Thus, it is even more difficult for the major carriers to keep up with what their policies should cover.  For example, if your business is hit by a Cyberattack, more than likely you will be paid out for the direct damages.  This would include such things as the expenses to bring your business back up to a normal state of operations, provided that you followed the Disaster Recovery plan that you had in place (yes, the insurance companies even look at this before they make a payout).  But will they pay for indirect damages and expenses, such as offering free credit report services to impacted customers down the road, paying for lawsuits, the costs associated with notifying affected stakeholders, etc.?  You could potentially get these kinds of coverages, but they will have to be included as separate addendums or add-ons to your main policy.  So, this makes things even more complex.

The above are just some of the main reasons why Cybersecurity Insurance is still so murky.  There are others as well, such as the lack of standards or best practices for accepting and paying out policy holders.

In turn, Corporate America is scrambling to find ways to prove to the insurance carriers that they are worthy of having a comprehensive plan at a fair price.

As a result, many of these businesses are turning to Cybersecurity vendors that claim they can calculate your so-called Cyber Risk Score, which can be used to show a carrier your particular level of riskiness.  In fact, many of them even claim that their process is like calculating a Credit Score.

But be careful of these claims, as many of these vendors are very guarded about how they compute your so-called Cyber Risk Score.  In fact, at this point in time, because of the lack of standards and best practices, many insurance companies probably would not even recognize such a score at all when deciding your worthiness to be awarded a policy.

In the end, at least for the short term, it is always best to go through an insurance broker that you know and trust, and deal with them directly.  After all, they know all of the ins and outs of this kind of industry, and probably even have the contacts to get you the best coverage possible at the most affordable price.

But to the business owner, keep this in mind as well:  Just because you have a comprehensive Cybersecurity Insurance Policy in hand now, don’t think you can relax.

Many of these larger insurance companies will require that you be proactive in your current security protocols; if not, you could face even higher premiums, or your policy could be terminated altogether.

Also be aware that you may even be subject to an audit by them just to ensure that you are “up to snuff” in terms of your Cyber Hygiene.