Steps to Assess & Mitigate Cyber Security Risks – Part II

Last month, our Ansay Strategic Risk Manager, Mike Anderson, provided four actions a business owner can take to identify key internal and external cyber risks. He concluded the blog with two key takeaways: 1) every company faces cyber risk, and 2) cyber risk is insurable. Today’s blog delves into cyber insurance, using a claim example to illustrate the value of considering insurance as a risk management option for your business.

Many business owners, especially owners of small and medium-size companies, are under the misconception that they are not significantly exposed to cybercrime risks. Any business, large or small, likely stores private data of others and therefore has cyber exposures that should be identified and managed. One preferable, yet often overlooked, risk management technique is transferring the cyber risk to an insurance carrier through cyber insurance. According to a recent survey conducted by Walker College of Business at Appalachian State University, only 20% of businesses have any cyber insurance coverage. [1] The following claim example illustrates how cyber insurance could respond to a cybercrime event and protect a business from the paralyzing potential of cybercrime.

 Claim Scenario – IT Kidnapping

Last year, one of our clients, which, ironically, is in the business of computer networking and support, experienced a ransomware attack. In this attack, the cybercriminal gained access to the client’s network and placed malicious encryption on the company’s data. The cybercriminal extended the encryption to some of our client’s customers. The cybercriminal demanded a sizable amount of money in exchange for the “encryption key,” which would allow the client and its customers to regain access to the data and continue operations. Our client suffered the following losses caused by this ransomware attack:

  • Expenses of hiring an IT consultant to investigate the encryption, protect against a repeat attack, identify impacted customers, perform network monitoring, and restore data and systems
  • Business interruption and loss of customers
  • Extra expense, including employee overtime labor
  • Customer claims (third-party claims)
  • Ransom response – ransom and related expenses

In response to the claim submission, the insurance company paid for the following:

  • Business Income and extra expenses
  • IT consulting services
  • Settlement of 13 customer liability claims
  • Ransom payment of $250,000

This is a useful cyber claims example because it involved both “first-party” and “third-party” cyber claims. A robust cyber insurance policy should address the first-party expenses of the policyholder, such as business interruption expenses, IT consulting costs, payment for regulatory compliance or fines, and restoration of systems and data. It should also address the claims that can be made by “third parties” who were also harmed by the cyber incident. As you can see in this example, third-party payments were made to the client’s customers, and these settlements were critical to protecting our client’s reputation and business partnerships.

Cyber Insurance Marketplace

The cyber insurance market is evolving and adjusting to meet the ever-changing landscape of cybercrime. Insurance coverage for cyber can be found in two ways: 1) coverage endorsements or “enhancements” to existing commercial packages, or 2) stand-alone products available in the insurance market. Therefore, the first consideration for your business is whether your current insurance carrier can enhance the current insurance program with supplemental coverages that may meet some of the basic cyber insurance needs of your business. Often these supplemental coverages are limited, basic coverages that can be added to existing property or liability policies. A close examination is needed to ensure that these supplemental coverages fully address the cyber exposures and provide adequate insurance protection.

Another option that should be considered is a stand-alone cyber insurance policy. These policies provide a more robust approach to cyber insurance and are designed as a comprehensive policy that contains a variety of coverages, both first- and third-party. These policies may even provide services that address the reputational harm caused by these cyber incidents. They may go further by providing pre-loss risk management services such as online learning or training for policyholder employees, risk assessments, review of incident response plans, or access to telephonic or internet research and consultation resources.

As you can see, cyber risk is pervasive, complex, and potentially devastating. The claim example illustrates how a cyber incident can create significant expenses that have the potential to cripple most businesses. There is some good news, however, in that insurance products are available to protect against these consequences of cybercrime. Please talk to your Ansay Insurance Advisor about how cyber insurance can be incorporated into your risk management strategy and used to protect you and your business in these technologically challenging times.

 

 

[1] https://www.selective.com/investors/news-and-filings/company-news/2021/03-15-2021-170024287

Alan Edwards

Claims Advocate Manager

Port Washington - Corporate Headquarters

alan.edwards@ansay.com