Cybersecurity breaches have been on the rise over the last few years, which has created a need for insurance policies that address such risks. However, the modeling of cybersecurity risk needed to derive an appropriate pricing formula is still in its formative stages because of the risk's unique characteristics. As such, the risks that cyber insurance policies cover are still evolving as companies strive to adjust to the ever-changing technology milieu. Nevertheless, different organizations offer various cyber insurance packages as the market continues to broaden, so that the value of data lost in an attack is commensurate with the corresponding premiums (OECD, 2017). This paper discusses the various issues surrounding cyber insurance, including the losses that policies cover and exclude, the factors an insurance company might consider when assessing the risk level of a given business, and a personal opinion on whether cyber insurance is a viable option for a business to mitigate cyber risk.
Cyber Insurance Policies
Cyber insurance policies have two broad loss categories – first party and third party. According to Romanosky et al. (2019), first party losses are those directly “suffered by the insured (the “first” party to the insurance contract), while third party liability relates to claims brought by parties external to the contract (the “third” party) who suffer a loss allegedly due to the insured’s conduct” (p. 4). For instance, if a hacker accesses the insured party’s systems and steals customer data, the cover could pay for the expenses linked to this incident, including credit monitoring and customer notification, among other related costs. This form of coverage is normally placed under errors and omissions insurance. As such, any business that stores data that could be targeted by a cyber-attack should consider having this form of insurance coverage. The main areas covered by a first party cyber insurance policy include business interruption, threats associated with cyber extortion, anti-fraud protection or credit monitoring, the costs incurred when investigating the source of the attack, and public relations exercises meant to restore the affected organization’s reputation.
On the other hand, third party liability insurance covers companies that fail to protect their clients’ data or privacy. For instance, if client A shares sensitive information with a certain organization and that organization fails to protect the data, client A could sue the entity involved. Therefore, most tech companies handling clients’ data should consider having this form of insurance coverage. It covers the cost of hiring legal representation, settlement costs, damages ordered by the courts, fines and penalties imposed by regulatory or government authorities, and other related costs. However, both first party and third party cyber insurance coverage carry exclusions. Romanosky et al. (2019) argue that the common exclusions involve criminal or fraudulent acts, negligence on the part of the insured party, loss of systems not owned or operated by the insured, bodily injuries, contractual liability, acts of war, terrorism, or God, IP theft, destruction or seizure of systems by government, and associated fines, fees, or penalties.
Assessment Factors for Insurance Companies
Insurance companies in the cybersecurity space consider various factors when assessing the risk level (exposure) of a certain business. First, it is important to understand the nature of the organization being covered in order to determine the appropriate policy, whether first party or third party. Additionally, information on the financial status of the company, namely its revenues and assets, should be gathered to assess its capacity to pay insurance premiums and other related obligations. Previous insurance coverage information is also important, together with the incident loss history, to understand past vulnerability challenges and how they were handled. Finally, information technology security spending and budget are critical organizational factors that show how much a company invests in data protection. An insurance company is unlikely to offer services to an organization without firewalls and other stringent data protection controls.
In terms of technical security matters, insurance companies should understand the technology and infrastructure landscape of a potential client. According to Romanosky et al. (2019), “Information about the technology and infrastructure landscape would help a carrier understand, if only at a basic level, the overall attack surface of a potential insured and, with more information, help assess their overall information security risk posture” (p. 10). Additionally, the policies and procedures required by regulatory authorities should be considered. According to Deloitte (n.d.), it is important to examine and understand the various management practices of the insured, such as whether the company shares information with third parties and the number of records it holds, among other related information. Finally, in terms of legal and compliance attributes, each country has different policies governing the cybersecurity space, and insurance companies should take these into account in their assessment.
Cyber insurance policies are a viable option for businesses to mitigate cyber risk for three major reasons. First, before insurance companies will offer their services to a client, a certain level of data protection measures is expected to be in place. Therefore, cyber insurance policies implicitly encourage companies to mitigate cyber risk by attaining the level of preparedness required by insurers. Second, according to Bodin et al. (2018), a firm’s objective in purchasing “cybersecurity insurance is to minimize the sum of the costs of the premiums associated with the cybersecurity insurance policies selected and the sum of the expected losses not covered by the insurance policies” (p. 577). Therefore, companies invest in in-house cybersecurity measures to ensure that they do not spend heavily on insurance premiums. For instance, organizations could engage ethical hackers to identify and close security loopholes before they can be exploited, as a way of being prepared for such eventualities. Third, even though an organization wants to limit all possible cyber threats, it is impossible to eliminate all risks and attain impregnable security. As such, cyber insurance policies cover unforeseen risks, and this protects the affected company from the associated damages and loss.
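The Bodin et al. objective quoted above (premiums paid plus expected losses the policies do not cover) can be worked through numerically. The following is an added illustration written for this discussion; it is not code from Bodin et al. or from any insurer, and the loss scenarios, premiums, deductibles and limits are constructed values chosen to make the arithmetic visible. It assumes a simple indemnity rule (each policy pays the loss above its deductible, up to its limit, and stacked payouts never exceed the loss itself) and a discrete loss distribution; real policies have far more complex terms.

```python
"""Worked example of the Bodin et al. (2018) objective:
choose the set of cyber insurance policies that minimizes
premiums + expected uncovered loss.  All figures are constructed."""
from itertools import combinations
from typing import NamedTuple, Sequence, Tuple


class Policy(NamedTuple):
    name: str
    premium: float      # annual premium (constructed)
    deductible: float   # loss retained by the insured before the policy pays
    limit: float        # maximum the policy pays per incident


# Constructed annual loss distribution: (probability, loss amount).
# Probabilities sum to 1; the first entry is "no incident".
SCENARIOS: Sequence[Tuple[float, float]] = (
    (0.900, 0.0),
    (0.070, 200_000.0),     # e.g. a notification/credit-monitoring event
    (0.025, 1_000_000.0),   # larger breach with legal costs
    (0.005, 5_000_000.0),   # severe business-interruption event
)

# Constructed candidate policies (hypothetical names and terms).
POLICY_A = Policy("A", premium=20_000.0, deductible=50_000.0, limit=1_000_000.0)
POLICY_B = Policy("B", premium=45_000.0, deductible=250_000.0, limit=5_000_000.0)
CANDIDATES = (POLICY_A, POLICY_B)


def payout(policy: Policy, loss: float) -> float:
    """Amount a single policy pays for a loss: above deductible, capped at limit."""
    return min(max(loss - policy.deductible, 0.0), policy.limit)


def expected_uncovered_loss(policies: Sequence[Policy],
                            scenarios: Sequence[Tuple[float, float]]) -> float:
    """Second term of the objective: expected loss the insured still bears.
    Stacked payouts are capped at the loss (no profiting from a breach)."""
    total = 0.0
    for prob, loss in scenarios:
        covered = min(loss, sum(payout(p, loss) for p in policies))
        total += prob * (loss - covered)
    return total


def total_cost(policies: Sequence[Policy],
               scenarios: Sequence[Tuple[float, float]]) -> float:
    """Premiums of the selected policies + expected uncovered loss."""
    return sum(p.premium for p in policies) + expected_uncovered_loss(policies, scenarios)


def best_portfolio(candidates: Sequence[Policy],
                   scenarios: Sequence[Tuple[float, float]]):
    """Enumerate every subset of candidate policies (including buying none)
    and return (subset, cost) with the lowest total cost."""
    best = None
    for k in range(len(candidates) + 1):
        for combo in combinations(candidates, k):
            cost = total_cost(combo, scenarios)
            if best is None or cost < best[1]:
                best = (combo, cost)
    return best


if __name__ == "__main__":
    for k in range(len(CANDIDATES) + 1):
        for combo in combinations(CANDIDATES, k):
            names = "+".join(p.name for p in combo) or "none"
            print(f"{names:8s} cost = {total_cost(combo, SCENARIOS):>10,.0f}")
    combo, cost = best_portfolio(CANDIDATES, SCENARIOS)
    print("best:", "+".join(p.name for p in combo) or "none", f"{cost:,.0f}")
```

With these constructed numbers, the uninsured expected loss is 64,000; policy A alone brings the total to 44,750, policy B alone to 66,500, and both together to 68,500, so A alone minimizes the objective. The point of the calculation is that the policy with the largest limit is not automatically the best buy, and that the same objective rewards controls that lower the probability of the loss scenarios, which is the in-house investment incentive the paragraph describes.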
Cyber threats are ever-increasing security issues affecting organizations as they seek to leverage technology to remain competitive in the market. Therefore, cyber insurance companies have come up with policies to address various market needs. Such policies are divided mainly into two categories – first party and third party, depending on the nature of the business conducted by the insured entity. However, before engaging potential clients, insurance companies have to consider different factors during the assessment procedure. My opinion concerning this issue is that cyber insurance policies are a viable strategy to address cyber risk because the insured companies have to meet certain security thresholds before being given insurance coverage, among other related reasons as discussed in this paper.
Bodin, L. D., Gordon, L. A., Loeb, M. P., & Wang, A. (2018). Cybersecurity insurance and risk-sharing. Journal of Accounting and Public Policy, 37(6), 527-544.
Deloitte. (n.d.). Cyber insurance: A key element of the corporate risk management strategy. Web.
OECD. (2017). Enhancing the role of insurance in cyber risk management. OECD Publishing.
Romanosky, S., Ablon, L., Kuehn, A., & Jones, T. (2019). Content analysis of cyber insurance policies: How do carriers price cyber risk? Journal of Cybersecurity, 5(1), 1-19.