Although hacking and cyber threats have been present for quite some time, cybersecurity insurance is a relatively nascent field. Policies from different companies may vary widely, but they share many similarities. In this post, we describe the basics of cybersecurity insurance in simple English.
There are two major types of cybersecurity insurance policies:
- First-party insurance provides coverage for direct costs associated with responding to the failure and managing through the incident.
- Third-party insurance provides coverage for lawsuits or claims that come as a result of a cyber incident.
First-party cybersecurity insurance
Firms that hold lots of confidential client information should consider first-party insurance coverage. The coverage is for direct costs incurred by the insured company, not for costs that come as a result of lawsuits or regulatory demands/fines. This is the most common kind of cybersecurity insurance for non-technology firms. The most common types of claims on this type of policy include:
- Notifying clients and partners of the breach
- Credit monitoring services for clients and partners. This is particularly important if payment information (e.g., credit cards) was breached
- Paying extortion or blackmail costs in case the data is held hostage
- Hiring a public relations firm to manage the brand and reputation of the company
- Covering lost income or revenue that occurred as a direct result of the breach
A critical aspect of this policy to review is the trigger for payment. Some policies require the company to be legally obligated to notify clients of a breach. In the US, 47 states have laws requiring a company to notify clients of a breach within a set period of time. Canada does not yet have such rules, but a company may choose to notify clients regardless. As a result, check your policy to make sure voluntary notification costs are covered.
Third-party cybersecurity insurance
Third-party cybersecurity insurance covers the business that was responsible for the software that was hacked. For instance, if your basement floods, your home insurance policy would cover the cost of repairs. This would be equivalent to a first-party cybersecurity policy. However, the engineer that designed the basement could be sued for improperly designing the home, thus allowing the basement to get flooded. That would be the equivalent of third-party cybersecurity insurance.
Firms that are responsible for holding on to client data, securing networks, data or other similar activities should consider third-party cybersecurity insurance. The insurance covers costs incurred as a result of claims or demands from customers, partners or regulators. The most common types of claims on this type of policy include:
- Legal costs to defend the company in court
- Settlements, damages, and judgments directly related to the attack
- Costs related to responding to regulatory demands (e.g., gathering data)
- Regulatory fines and penalties
Talk to us if you have any questions about cybersecurity insurance.
Zensurance is Canada’s leading online commercial insurance broker. We offer a full range of insurance products to small businesses, with a particular focus on digitizing businesses and technology startups. We understand what it is to work with new technology, and know the most common risks of which you should be aware. Based on that (and a lot of analytics), we recommend the ideal insurance coverage for your business.