HOW DOES CYBERINSURANCE WORK?
Cyberinsurance typically is purchased separately from property or casualty policies. Annual premiums generally run between $5,000 and $10,000 per million in coverage, say insurance experts. Premiums can be more or less expensive depending on the industry vertical and the underwriter's perceived level of risk, said NetDiligence's Greisiger. Size does not necessarily matter: a small business that operates in a highly regulated space and collects a lot of data faces increased exposure, which pushes rates up. Rates are loosely based on the industry sector, the revenue of the business, the number of employees and the type of data in the company's systems, he said.
Much like auto or home insurance, policies have a deductible or a retention limit. A million dollars in coverage may have a $10,000 deductible. Once that threshold is reached, a claim can be made. Underwriters rarely request an on-site risk assessment, but in cases where the coverage is high, companies such as NetDiligence are called in to conduct an analysis of the systems and security policies in place. If the business is in a regulated sector, such as the payment industry, a report on compliance is sometimes requested for review.
"If it's a small client with low-level limits, the underwriters may just roll the dice," Greisiger said. "If we are called in, we check to see if you have a dedicated team in place, ongoing patching and change management processes and certain safeguards beyond the basics."
Most standard liability insurance fails to cover data losses stemming from cyber-related incidents, said Christine Marciano, a cyber-liability insurance specialist at Princeton, N.J.-based Cyber Data-Risk Managers. Marciano, a certified information privacy professional who is licensed to sell insurance in 15 states and Australia, said she often works with IT consultants, resellers and other providers, which refer potential clients.
"When an organization doesn't have a true cyberinsurance policy, a claim made under existing coverage is often battled between legal teams in court," Marciano said. "It's too late when the victim organization finally realizes that property and casualty policies are insufficient."
Businesses typically are referred to Cyber Data-Risk Managers after a serious security incident has taken place, or when a review finds that their policies need to be updated, Marciano said. Conducting an annual review is crucial, she said, because insurance companies are constantly trying to keep pace with the changing threat landscape and emerging security technologies and adjust coverage accordingly.
"We have both proactive organizations that realize that the risk isn't going away no matter how much they spend on technology, and organizations that had a breach and then realize they don't want to go through this again," Marciano said. "It's very important when renewal time comes up for the existing policyholder to take a look at what other policy offerings are out there because, just as technology is constantly evolving, insurance has to keep up with the changes with the coverage that they are offering."
Coverage is just beginning to emerge for companies facing legal trouble for collecting data on individuals in a nontransparent manner. Another area of concern is the aggregate risks building up for underwriters over the increased use of cloud services, where a serious breach could result in a thousand or more claims overnight, said NetDiligence's Greisiger. Underwriters also are considering adding coverage for intellectual property protection, an area that is often not covered by most cyberinsurance policies.
Risk can never be completely eliminated, said Justin Kallhoff, CEO of Lincoln, Neb.-based Infogressive, a service provider that focuses on penetration testing, vulnerability management and implementing network security appliances and other security technologies. Kallhoff said some of Infogressive's customers have purchased cyberinsurance or special insurance riders adding data security to standard insurance coverage. It's all about the individual business' risk tolerance, he said.
"We have plenty of conversations about the fact that you're never going to get to a zero-risk state," Kallhoff said. "It's always a discussion around not being a matter of if, but a matter of when."