Cyber insurance gives organizations an additional option for cyber risk management other than solely improving cybersecurity. As suggested by many studies, even the most advanced self-protection measures cannot guarantee the elimination of cyber risks existing in an information system, and not many organizations need such technologies nor can afford them. Therefore, it would be nice to have some insurance coverages in addition to an adequate investment in self-protection, in case unforeseeable cyber losses occur.
Cyber insurance products provide a variety of coverages as cyber risks typically lead to multiple losses. Coverages that can be found in the existing cyber insurance policies reimburse insureds for losses resulting from cyber incidents such as breach notification costs in data breach incidents and business interruption losses in ransomware attacks.
Most of the cyber insurance policies provide the following coverages:
1. Cost of claims expenses, penalties, legal costs
2. Public relations (PR) services
3. Notification to affected individuals
4. Services to affected individuals (e.g. credit monitoring)
5. Data restoration/recreation
6. Forensics
7. Business income loss
8. Data extortion expense
9. Costs from security breach; data loss
10. Costs of damages
Many of the cyber losses fall into these categories, andtherefore, the magnitude of loss endured by organizations having the rightcoverages can be significantly reduced.
In addition to getting reimbursements from the insurer for cyber losses, cyber insurance policyholders can also benefit from the pre-incident and post-incident services provided by the insurer. The risk assessments conducted by the insurer for underwriting an organization will not only help the insurer understand the risk, but also reveal some hidden cybersecurity issues that the organization itself may have never noticed before. This is a great opportunity for the organization to further improve its cybersecurity as it now has better understanding of its weaknesses and vulnerabilities. The post-incident services provided by the insurer is also valuable. Many organizations do not have experience with actual cyber incidents, and thus may fail to take proper measures in order to minimize losses. The consultation and remediation services provided by insurers will make it easier for victim organizations in cyber incidents to quickly recover at lower costs.
