Cyber Insurance Checklist: What You Should Keep in Mind When Buying Cyber Insurance

Buying cyber insurance for the first time can be daunting. Not only is there a lot of industry jargon, but understanding your coverages and how your business’s cybersecurity practices factor into the underwriting of your policy can be overwhelming. Here are some of the things that you should keep in mind.

Learn the Basics About Cyber Insurance

There are plenty of resources around the web to help you understand what cyber insurance is and get familiar with some of the terminology. You don’t have to be an expert by any means, but knowing enough so that you don’t get lost is helpful.

To help SMBs get familiar with the industry, we’ve put together an original report, the 2020 State of the Cyber Insurance Market for SMBs, with insights from the data we have collected through our experience providing cyber insurance and cybersecurity.

Understand Why You Need Cyber Insurance

People mainly buy cyber insurance for two reasons: to meet contractual requirements and to have a safety net in place in case of a data breach. 

If you’re trying to meet a contractual requirement, you’re probably just looking for a policy that meets your potential customer’s or partner’s requirements and comparing prices. Cyber insurance can also play a role in regulatory compliance. One thing to consider in this case is whether your partner requires you to list them as an additional insured on your policy and whether they request a waiver of subrogation, as these options may impact your premiums.

If you’re trying to protect your business from the potential financial ruin of a data breach, you’re probably focusing more on the coverages to make sure they’re comprehensive. You’ll also want to evaluate optional coverages to see if they’re applicable to your specific business risks.   

Evaluate Your Risk

Insurance premiums are typically priced based on your risk. It’s important to evaluate your organization’s cyber risk profile ahead of time to understand where your gaps lie. That way you can implement stronger cybersecurity measures to reduce your risk and lower your insurance costs. These are some of the questions you should be asking yourself as you evaluate the risks your company faces:

1. Does your company collect or handle sensitive information like payment card information (PCI), personally identifiable information (PII), or protected health information (PHI)?

The more sensitive and regulated data that you collect, the more at risk your company is. It’s important to have strong, holistic risk management in place. 

2. Is your customer information safe and secure?  

Make sure you’re following best practices with regard to encryption, data storage, backup, and retention, as well as least-privilege access.

3. Does your business rely heavily on confidentiality?

Law offices and healthcare organizations rely heavily on confidentiality and collect and store a significant amount of sensitive data, making them prime targets for cyber attacks.

4. Do you have a website or a web application that interacts with customers and stores login or other sensitive data? 

Web-based attacks are extremely common. Regularly scan your website and web applications for weaknesses that hackers exploit. You can do this with an automated web vulnerability scanner.

5. What third-party vendors do you use, and how much access do they have to your IT infrastructure and customer data?

You should hold your third parties to the same cybersecurity standards as your own organization, because you are exposed to the same threats they are. You might want to find coverage for mistakes made by third parties, as well as contractually require them to carry their own cyber insurance.

6. Do you allow your employees to bring their own devices? 

If you do, you should have a BYOD policy in place and use a mobile device management solution. You should also train your employees on best practices when using personal devices for company purposes.  

What is Your Budget?

How much can you spend on your premium? Beyond that, do you have a rainy-day fund that can help you cover the cost of a cyber attack? The average cost of a data breach is around $150 per stolen record. Will your coverage limit cover enough of the costs that your financial burden is lessened?

If your coverage limit is appropriate, what can you or are you willing to pay for your deductible? This is similar to how you would evaluate an auto insurance policy. If you get into a car accident, are you comfortable paying the $1000 deductible before your insurance policy kicks in or would you rather pay more on your premium for a $250 deductible? 

How Does Your Policy Kick In?

Read through the terms, conditions, and exclusions of your policy carefully before you purchase. For example, what kind of triggers are there for coverage? A policy could focus on specific types of attacks or accidents rather than offering blanket coverage. This means that you wouldn’t qualify for coverage unless you met those triggers. 

Are there any exclusions to your coverage that pertain to your business practices? For example, some policies may exclude coverage for incidents that occur due to BYOD (bring-your-own-device) use. If you allow employees to bring their own devices, then a policy with a BYOD exclusion will not be appropriate for your organization.

Make Sure Your Policy Includes the Coverages You Need

You should seek insurance coverages based on your specific business needs. For example, if you must comply with the Payment Card Industry Data Security Standard (PCI DSS), you should find a policy that helps cover PCI fines and penalties. 

Examples of cyber insurance coverages include, but are not limited to:

  • Business Interruption & Extortion: Cybercrimes and attacks could impact the day-to-day operations of your business, resulting in lost revenue. With this coverage, your policy covers loss of business, crisis management, and cyber extortion.
  • Customer and Employee Data Loss: Coverage areas include identity recovery, data compromise liability, and data compromise response expenses like fines and penalties.
  • Third-Party Lawsuits: If your network is negatively affected by a security incident and it impacts a third party, then your policy will cover potential lawsuits. 
  • Payment Fraud: If you or your employees get deceived and end up transferring or diverting money to a fraudulent destination, then this covers funds lost in those scenarios.

Key Elements of Cyber Insurance Coverage

There are several key elements of cyber insurance coverage that most businesses need. These essential coverages include:  

  • Forensic Expenses: Forensic expenses include costs incurred for investigating, isolating, and eliminating a threat. This coverage pays for hiring an IT professional to review your systems and backups and determine the size and scope of a data breach. Forensic expenses can also include the cost of hiring a forensic accountant to quantify the expenses incurred and the cost of business interruptions.
  • Legal Expenses: Legal expenses may include defense and settlement costs for defending against a lawsuit brought by your customers as a result of a data breach. 
  • Notification Expenses: Some regulations, such as PCI DSS, require companies to notify consumers affected by a data breach. Notification expenses include the costs associated with notifying consumers that their data may have been compromised in a data breach. 
  • Regulatory Fines and Penalties: If your business is subject to regulations such as PCI DSS, cyber insurance can cover the cost of regulatory fines if regulators determine that your business failed to adequately protect sensitive consumer data. 
  • Credit Monitoring and ID Theft Repair: Credit monitoring and ID theft repair includes costs associated with recovering from identity theft and can also include costs such as lost wages and child and elder care incurred while dealing with identity theft. If your company suffers a data breach and offers credit monitoring services to affected consumers, cyber insurance can cover the costs of credit monitoring services, as well. 
  • Public Relations Expenses: A data breach can result in serious reputation damage for your business. Consumers may be less likely to want to do business with you if you’ve suffered a high-profile data breach or had to notify consumers that their data may have been compromised in a cyberattack. Cyber insurance covers the costs associated with hiring a public relations firm to protect your company’s reputation following a data breach as well as the costs associated with implementing any of the PR firm’s recommendations. 
  • Liability and Defense Costs: Liability and defense costs include coverage for losses and the cost of defense for lawsuits related to network security liability, such as negligent security failures or weaknesses that enable malware to spread, denial of service attacks, and unintended disclosure, release, or loss of third-party data. It also includes electronic media liability, such as copyright or trademark infringement, privacy rights violations, unintended defamation, and interference with an entity’s right to publicity.

Other Areas You Might Need Cyber Insurance Coverage

In addition to the key elements of cyber insurance coverage listed above, businesses in the market for cyber insurance should consider whether they require coverage in other areas such as: 

  • Network Security: Coverage for network security costs, including hardware and software, as well as network security liability and network security defense.
  • Incident Response: Coverage for the costs incurred for incident response in the wake of a data breach.
  • Insurance for Lost or Stolen Laptops and Mobile Devices: Coverage for the cost of replacing lost or stolen laptops or mobile devices. 
  • Business Interruption: Coverage for costs incurred due to business interruption as a result of a cyber event, such as an inability to provide services for a period of time when you’re unable to access your systems or data due to a ransomware attack. 
  • Cyber Extortion: Coverage for types of cyber extortion like ransomware. This can include the cost of hiring a negotiator and investigators and even the ransom payment. 

Wrapping Up

Cyber insurance is the ultimate safety net for organizations should they experience a data breach. It transfers some of your risks to your insurance provider. However, cyber insurance is still a passive defense. It should complement a strong cybersecurity posture and program.

Ultimately, you’ll want to choose an insurance provider that grows with you and allows you to update your limits based on your needs. They should act as a partner. Here at Zeguro, we pride ourselves on our customer service. While the entire experience of buying cyber insurance with us is online for your convenience, if you have any questions or need assistance, our licensed team is here to help you find the best-fit insurance solution for your organization. You can start your quote today here.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Written by Jai Bawa

Content Marketing and Social Media Intern

Student at San Jose State University, fascinated with the world of Digital Marketing. Movie enthusiast. Always curious!
