Echoworx Talking Security – Cyber Insurance: What it is and how it works
Although cyber insurance is quickly becoming a common part of any cyber security program, this type of insurance is still a new kid on the block. Unlike its insurance counterparts, it has no significant well of cases, payouts and claims to draw from, so cyber insurance as a product can appear as a sort of shot in the dark: does the risk of a costly attack outweigh costly premiums?
There are a few questions to answer:
Just as in other insurance areas, cyber insurance is based on the assumption that not everyone is going to have an accident at once. But this is not really the case with massive cybercrime exploits, like WannaCry or NotPetya, where millions upon millions of computers are infected at once. The fear is not whether cyber insurance can keep up with rising cybercrime exploits, but rather whether cyber insurance can pay out in the event of a massive attack.
Cyber insurance policies vary in terms of size, what they cover and how they are assembled – a bit like Frankenstein’s monster. These policies are based on an equation of things like industry risk, company size and other less exciting details. Since insurance companies are excellent calculators of risk, there is some reassurance that not every policy is designed for doomsday – but rather for more mundane things like general commercial liability or professional services liability.
While different types of cyber insurance coverage exist, most fall into two categories: third-party liability and first-party liability. The former deals specifically with damage done to others as a result of your company’s actions – like damage to another person’s car in the context of auto insurance. The latter deals specifically with damage done by a cyber exploit to your own organization.