Near the end of Stage 1, you performed a risk assessment on your digital infrastructure to get a clear idea of the risks threatening your specific business environment. Additionally, you were given some options for how to address those risks. One such approach was Risk Transference, where responsibility for the risk is transferred to a third party. Most risk transference scenarios involve the purchase of insurance. Cyber Insurance is a niche category of insurance, but its usefulness in our rapidly growing digital landscape is being recognized. If you decide that purchasing cyber insurance is something your small business could benefit from, then it is worth discussing the concept with your Steering Committee.
Different providers of cyber insurance provide different levels of coverage. Some of the major cybersecurity issues that may be covered by cyber insurance include:
- Data Breach Handling
- Business Interruption Reimbursement
- Costs for Data Recovery
- Costs for equipment replacement
- Lawsuit protection
- Regulatory fines
- Intellectual Property (IP) Theft
In the world of insurance, there are two main sub-categories:
- Directors & Officers (D&O) Insurance: protects C-level executives and corporate leaders from liability relating to their management decisions.
- Errors & Omissions (E&O) Insurance: protects professionals/businesses against claims of negligence, malpractice, breach of contract, or fraud.
A real-world example of a D&O Cyber Insurance case would look something like this: the chief security and information executives at a company are accused by regulators of failing to disclose and properly address vulnerabilities in their network infrastructure, ultimately leading to a huge data breach. The cyber insurance policy would help cover the legal defense costs experienced by the executives.
A real-world example of an E&O Cyber Insurance case might look like this: a local IT consulting business provides managed security services to other local businesses. However, the IT consultant misses a critical patch on several clients' firewalls, resulting in major attacks on all of them. The IT provider is sued by all of the affected clients for negligence. The IT consulting business has insurance which covers the legal costs as well as settlements with the affected parties.
As you can see from the previous examples, cyber insurance can vary significantly in what it covers and in which scenarios it excels. If you do decide to purchase any kind of cybersecurity-related insurance, there will be specific considerations about your cybersecurity posture that will influence the premiums. They include:
- Your systems are patched regularly
- Encryption is in use on your network
- Network segmentation has been implemented
- Best practices are followed for cloud platforms and systems
- Backups are made and tested regularly
- An Incident Response Policy has been implemented
It is important to heavily weigh the pros and cons of cyber insurance before purchasing it. You need to know what exactly your potential provider will cover and the specific exclusions presented. For example, cyber insurance providers usually will not cover nation-state-sponsored attacks as the risks for such cyberwarfare/cyberterrorism scenarios go beyond the provider's risk appetite. Purchasing cyber insurance is also not a way to avoid any responsibilities. As stated, you will need to prove that you have good security controls and practices in place in order to reduce the cost of your premium. Still, purchasing cyber insurance can be a huge help, especially if your business operates in a high-risk sector and/or handles large amounts of Personally Identifiable Information (PII).
