Cybersecurity insurance is a product that is offered to individuals and businesses in order to protect them from the effects and consequences of online attacks. This product is a recognition of the inherent dangers of storing customer information online and the risks businesses face in this online age.

Cybersecurity insurance can be obtained as a first-party product that focuses on compensating or mitigating the costs that are borne by the holder of the policy. It can also be sold as a third-party insurance product that covers the businesses and people that are found to be “responsible” for a breach. Sometimes you will be encouraged to add “Errors and Omissions” coverage to your policy as well for added protection. Cybersecurity insurance is a product that is growing quickly in terms of scope and size. Currently, it remains a niche product despite the fact that the vast majority of people have used the internet directly or indirectly at one point in their lives. The reason for the relatively limited coverage is primarily because both the service providers and customers are just becoming accustomed to the product. There is a lack of awareness regarding cybersecurity in general, the risks companies are taking on a day-to-day basis and that most of their regular business insurance does not cover data breach incidents.

Introduction to Cybersecurity

Cybersecurity insurance has been a concern for the industry and the government as far back as the 1990s. At that time, one of the biggest threats was intellectual theft and copyright infringement. Some of the big players in the computer industry were worried about other rivals stealing their innovations and presenting them as their own. By the end of the decade, many people in the industry were beginning to realize that this was not just about copyright theft. It was also about information security as a wider concern. At that point, consideration was given to the possibility of coming up with risk management tools that would help the industry to cope with the threats it faced.

As is often the case in these situations, it took the occurrence of two major incidents for all the players within the industry to take notice. The first was the Y2K concern about computers shutting down permanently at the end of the millennium because they were not properly programmed. Then, the terrorist attacks on September 11, 2001 shattered the idea of a safe Western world that could effectively insulate itself from the problems of the rest of the world. It is this ethos of concern that has eventually persuaded governments to place emphasis on cybersecurity insurance as a key resource for small and medium businesses (SMBs). The financial crisis of 2008 also demonstrated that even the big corporations may require support from the government from time to time.

The banking industry started giving serious consideration to the development of cybersecurity insurance products because banking is an increasingly internet-based activity. Lloyds developed the first such product in 2000. The initial product configuration was restricted to third-party costs as well as some coverage for business interruptions. One of the big concerns for companies was the potential for being sued for inadvertently transmitting a virus or cyber-attack to other business entities. Eventually, this led to the modification of the original policies so that they included both the first and third-party elements. Some of the costs that are still covered today include:

• Business Interruption
• Penalties and Fines
• Costs of Monitoring Credit
• Costs Related to Public Relations
• Costs associated with Rebuilding or Restoring Private Data

This is not a static list by any stretch of the imagination. Rather, it is one that continues to grow in response to the needs of the industry and its customers. For example, there have been efforts to cover any errors and omissions that are committed during the software development phase. Where such software programs are sold to third parties, the potential for being sued is quite significant. Indeed, in the USA, the potential for litigation extends even to the mere act of giving advice that later turns out to be inappropriate. Currently, the cyber market consists of about 80 major companies with countless more operating under a large company’s umbrella.

Ten Reasons a Company Should Get Cybersecurity Insurance:

• 1.        Protect against data loss due to hackers and other criminal elements.
• 2.        Protect customers and suppliers so that they are not inconvenienced by major incidents.
• 3.        Give investors and funders some confidence that the company is not going to collapse the moment there is a successful claim.
• 4.        Ensure that the company is getting in line with all the regulations and requirements of the state within which they operate.

5. Provide an example of best practice to subsidiaries and parent companies that are not already insured.

• 6.        Take care of unexpected and unexplained changes in the nature of the threat that is faced by all those who use the internet.
• 7.        Deal with the public relations requirements following an incident that concerns internet breaches.
• 8.        Have a fund or pot of money to deal with the legal and technical costs of dealing with major incidents.
• 9.        Deal with issues of privacy and data protection following the online theft of private information.
• 10.      Gain other benefits that arise from having an insurance policy including education and sensitization to risks.