Earlier this year, Norsk Hydro, one of the world’s largest aluminum producers, was hit by the ransomware virus LockerGoga. Production shut down across 40 countries, and some 35,000 employees were warned not to use computers, laptops, or cell phones of any kind. Norsk Hydro’s losses included not just the direct costs of removing the virus, but a near complete cessation of business activities. As these types of attacks occur with increasing frequency, companies of all sizes and types are vulnerable to attacks that may cause millions or even hundreds of millions of dollars in damages. If your organization is worried about the impact of cyberattacks, cyber insurance can provide protection and peace of mind.

Cyber insurance first emerged around 2000 as organizations’ growing digital footprint created new risks and vulnerabilities. Cyber insurance policies are designed to cover the costs involved in cyber-related security breaches. These include the initial costs of investigating and repairing the breach, any business losses, costs of notifying customers and other affected parties, as well as covering legal expenses such as legal services, fines, and judgments.

About one-third of U.S. companies currently purchase cyber insurance, according to PwC, and the total value of premiums are expected to reach $7.5 billion in 2020. Demand has, so far, been strongest in the United States, where organizations purchase 90% of the world’s cyber insurance policies, but interest is growing worldwide.

Most cyber insurance breaks into four categories: Errors & Omissions (E&O), Media Liability, Network Security, and Privacy. Within these categories are options for first- or third-party coverage.

E&O addresses claims that arise from errors in how services are provided. For a technical service provider, this may include areas such as software development, consulting services, or cloud security services.

Media Liability coverage is specifically designed for media-related organizations to protect the insured from common media liability, which can include copyright infringement, unauthorized use of material, trademark or names, defamation, libel, slander, and invasion of privacy (depending on the specific policy).

Network Security vulnerabilities or failures can lead to many different opportunities for a threat actor: consumer data breach, malware transmission, or even cyber extortion.

Privacy coverages address the loss of both physical and digital data. For example, files carelessly tossed into the trash or residing on an unencrypted laptop that was left in a taxi fall under this coverage.

To further break down coverage options, businesses must consider which side of the data they’re on, whether first-party or third-party coverage is more appropriate to address their specific risk posture.

First-party coverage addresses losses at your company, including the costs of communicating with customers after a breach, providing credit monitoring, reputation management, and other recovery efforts. Most businesses, non-profits, and state and local government entities fall into this category for coverage.

Third-party coverage addresses losses that may occur if you make a mistake that causes clients or other organizations to experience a data breach or cyberattack. Cybersecurity and other technology vendors should consider this type of insurance.

The Benefits of Cyber Insurance
Cyber insurance is like any other form of insurance. It protects you from the impact of negative events that are hard to predict in advance.

If you buy first-party cyber insurance, it will protect you from costs including legal fees, notification requirements, identity restoration, and forensic investigations.

Third-party insurance reimburses for costs like legal defense, settlements, regulatory fines, and damages.

Cyber insurance can help you make amends to your customers and do the right thing after the fact. However, it can’t restore the trust that is lost or convince people to work or shop with you anymore. As a result, companies will often experience a loss of future revenue regardless of having cyber insurance.

Even Smaller Companies Need Protection
Cyber insurance makes sense for companies of all sizes—from giant multinationals to mom-and-pop shops. Indeed, recent research shows that attacks on smaller organizations are increasing. Computer security researchers at Symantec report that over a third (38%) of phishing attacks target organizations with less than 250 employees. Overall, 43% of all attacks were targeted at small businesses.

Small business owners typically focus more on building their companies than securing data, but the costs of a successful attack can put everything they’ve worked for at risk. It’s important to put the proper security controls in place consistently throughout your organization and technical environments and back that up with reasonable cybersecurity policies to help reduce the overall risk to your business. We’re living in a time where it’s no longer a question of if you will be breached, but rather when.  How are you addressing those risks? Have you done enough?

Consider this chilling paragraph from PwC’s most recent cyber insurance brief:

“The digital revolution has created a highly interconnected world that is awash with data, much of it sensitive, and much of it vulnerable to fraud, theft and compromise. Add to that malware, denial of service and other malicious attacks, and cyber risk emerges as one of the biggest threats of our age. Cybercriminals are constantly probing for weaknesses and adapting their tactics. And while our image of the perpetrators often centers on activists or organized gangs, they could just as easily be employees. The targets are also broadening. A clear example came from the insurance sector itself when a company was hacked for the tracking data they held on cargo shipments. All these factors [our interconnected world, persistent cyberattack attempts, continual sophistication of attack types, and insider threats], make cybercrime a costly, hard to detect and difficult to combat threat. From an insurance perspective, while analogies are often made with terrorism or catastrophe risks, cyber risk is, in many ways, a risk like no other.”

Understanding the Nuances of Cyber Insurance
Before you purchase cyber insurance, it’s important to understand exactly what a specific policy will and will not cover. Not understanding the details can result in some very unpleasant surprises.

For instance, in 2017, French snack manufacturer Mondelez International suffered an attack from the Russian ransomware NotPetya, which paralyzed the company’s warehouse and logistics infrastructure. The attack ended up costing the company more than $100 million in spoiled goods and lost sales. Mondelez had cyber insurance through Zurich American Insurance, however Zurich rejected the claim, citing an exception for losses incurred through a “hostile or warlike action.” Since NotPetya was sponsored by the Russian government, it amounted to an act of war, stated Zurich. The case is still being litigated.

Insurers can also decline claims if they think your breach resulted from negligence—for instance if your cybersecurity protections aren’t up to date.

For this reason, it makes sense to examine policies carefully, asking carriers to describe exactly which circumstances might lead them to deny a claim. Right now, carriers have a lot of leeway in deciding the conditions that might trigger a denial, but terms will likely be codified over the next 5 to 10 years. We expect to see insurers begin to demand additional controls and infrastructure from customers before they can obtain cyber insurance.

Choosing a Policy
Again, cyber insurance is not black and white. Costs, terms, exclusions, and conditions vary from carrier to carrier and policy to policy. It’s wise to work with an experienced insurance broker who understands cybersecurity issues in choosing coverage.

Do your homework and be thorough. Cyber insurance can provide critical protection against the risks of cybercrime, but only if you choose the coverage that works for your organization’s unique needs.