Cybersecurity insurance considerations

The increased risks around cybersecurity have sparked many new questions about the role of insurance in helping to manage a firm’s security risks. Many firms are adding a cybersecurity insurance policy to insulate the firm’s finances against a major security breach.

Below are some important considerations when evaluating the need for a cybersecurity insurance policy:

- Cybersecurity coverage is not typically included in most commercial policies. A separate policy or rider is likely required.
- Begin by putting a basic cybersecurity program in place — an effective program can reduce premiums.
- Clearly understand the scope of cyber coverage; brokers can help clarify.
- Firms should consider both first- and third-party coverage, to cover potential losses because of firm weaknesses or weaknesses of third-party vendors.
- Be responsible: A cyber policy can be an important part of a firm’s cybersecurity program, but it shouldn’t replace cybersecurity policies and controls.

The National Association of Insurance Commissioners (NAIC) outlines some of the types of cybersecurity coverage being offered:

- Liability for security or privacy breaches
- Costs associated with breaches, such as customer notification and support
- Replacement costs for restoring, updating, or replacing business assets stored electronically
- Costs associated with business interruption
- Liability associated with copyright infringement or product disparagement as the result of a breach
- Expenses paid for ransomware or cyber extortion
- Expenses related to regulatory compliance failures