A number of businesses have taken out cyber liability insurance to offset the risk and potential losses arising from cyber crime or cyber fraud. The policy provides some financial protection against those losses, but the IT controls the insurer requires as a condition of cover are fairly demanding, and they have to be maintained for the life of the policy.
Is cyber insurance then worthwhile or not?
To assess this you need a clear understanding of three things: exactly what the policy covers, the types and extent of loss the business could plausibly suffer, and what the insurer will require of you to comply with the policy terms so that a claim is not repudiated. The excess (self-insured portion), any sub-limits on particular loss types, and the premiums then need to be weighed against the financial loss a claim would otherwise have to absorb, i.e. what the incident would cost the business if no policy had been purchased. The areas of possible cyber loss differ from business to business and need their own assessment. They can include theft of data, loss of data, reputational damage and the cost of remediation, web-site hacking or hijacking, ransom or extortion demands, theft of funds, and systems being rendered unavailable so that services cannot be delivered (for example a distributed denial of service, or DDoS, attack). It should also be borne in mind that the large majority of cyber incidents start with an e-mail, typically a phishing message or a malicious attachment, so e-mail handling is usually the first control an insurer looks at.
Let us look at a simple example: the theft of confidential customer data from a small tax and accounting practice with annual billings of $100k, followed by a ransom demand of $10,000. The monthly premium is $1,200 (so $14,400 a year) with a claim limit of $1 million.
We assume that the cover includes extortion. Taken in isolation, this incident does not justify the cover: the annual premium alone exceeds the $10,000 demand, before any excess is deducted from the payout. However, it cannot be assumed that the business will suffer no further cyber losses, and a later incident may carry far higher financial implications. The example also leaves out the time and cost, for a small organisation, of implementing the IT controls the policy requires, and of remaining compliant with them so that a future claim is not repudiated.
In most cases insurers impose a minimum set of IT controls that must be implemented and then maintained as a condition of cover; a lapse in those controls can give the insurer grounds to repudiate a claim.