The cost of cybercrime continues to soar and is expected to reach $10.5 trillion annually by 2025, growing by 15 percent per year. This alarming figure is a direct result of digitalization, which exposes organizations to increased cybersecurity risk.
While modern cybersecurity controls and measures can effectively hold most threats at bay, the protection they provide is never flawless. A single cyberattack can kick off a whole avalanche of compliance-related burdens—not to mention the direct and indirect loss of revenue caused by the steps necessary to contain it.
Knowing this, it makes sense to protect your organization against the worst-case scenario by buying a cyber insurance policy. But how do you select the right one? Keep in mind the tips provided in this article.
1. Does the Policy Include the Coverages You Need?
Not all cyber insurance policies are created equal. In fact, the differences between two similarly priced policies can be massive. That’s why you should always carefully check if the policy you’re considering includes the coverages you need.
Here are a few examples of common cyber insurance coverages that most organizations are interested in:
- Business interruption coverage: Covers the lost income and related expenses due to a security incident.
- Customer and employee data loss coverage: Covers the costs of identity recovery, data breach notification, and more.
- Payment fraud coverage: Covers the funds lost in payment fraud attacks like business email compromise (BEC).
If your organization is subject to specific regulations, such as HIPAA and PCI DSS, then you should also check if the policy provides financial support to cover the associated fines and penalties.
2. Do You Need Third-Party Coverage?
These days, most organizations rely heavily on all kinds of third parties—from cloud vendors to managed service providers—who help them meet their information technology needs and compete against large enterprises.
What the same organizations often don’t realize is that their partners are exposed to the same cyber threats as they are. A third-party cyber incident can affect a large number of customers and partners, especially if the services provided by the third party require elevated access rights.
Third-party coverage protects against the consequences of third-party cyber incidents, making it a must for all organizations that outsource IT support and take advantage of cloud computing.
3. Wouldn’t a Standalone Policy Be Better than a Blended Policy?
Cyber insurance companies offer cyber insurance either as standalone policies or blended policies (typically as part of policies such as crime insurance).
Organizations with a lower risk profile often go for blended policies because they can be cost-effective. The biggest downside of blended policies is that they have a single aggregate limit of indemnity. This means that, for example, a single crime insurance claim can erode the entire amount of money that is available under the policy.
While typically more expensive, standalone policies are more robust and thus more suitable for organizations with a higher risk profile.
4. What Type of Post-Incident Services Are Available?
Buying a cyber insurance policy isn’t just about securing a financial safety net—at least it shouldn’t be. Cyber insurance companies employ legal experts who can help you navigate the jungle of data breach notification laws and regulations after you experience a cybersecurity incident.
Some cyber insurance companies even work with in-house or third-party cybersecurity experts to provide around-the-clock technical assistance, organize training sessions, and perform vulnerability assessments to help their customers become more resilient.
Of course, cyber insurance companies do all this mainly to protect their bottom lines, and not from the kindness of their hearts, but what’s important is that the extra services they provide benefit everyone.
5. Are You Okay with Everything That’s Excluded?
As a rule of thumb, you should never assume that something is covered by your cyber insurance policy unless the policy explicitly states that it is. Insured organizations are often surprised that their expensive policies don’t cover such common cyber threats as ransomware or phishing.
Other common exclusions include electrical or mechanical failure of infrastructure, physical damage to persons or property, deliberate acts, intentional breaches of law and reckless misconduct, as well as infringements of patents or trade secrets, just to give some examples.
Strengthen Your Defenses Before Applying for a Cyber Insurance Policy
Before you apply for a cyber insurance policy, you should be aware of the biggest cyber risks your organization faces and strengthen your defenses accordingly. If you fail to do so, insurers won’t want to accept you as a client because the chance of you becoming the victim of a data breach will be too high.
OSIbeyond can help you prepare for the cyber insurance application process by evaluating your current cybersecurity posture and creating a detailed cybersecurity plan to implement the policies, procedures, and controls cyber insurers expect their clients to have in place these days. Schedule a meeting to get started.