Search Our Website
cancel
Table of Contents
< collapse table
show table of contents >
show table of contents >

Cyber Risk and Cyber Insurance Liability and First Party coverage

Preamble

This content is independent of any content coming from insurance brokers, insurers, law firms, or other insurance lobbyists. Commercial insurance is rarely taught in schools, and when it is, it’s mostly done through the lens of brokers or insurers. There are many misconceptions around Cyber Insurance Liability and First Party coverage, like many other topics in commercial insurance, due to bad habits acquired through the over reliance on insurance brokers or insurers or information providers who are lobbied by them. It is also important to note that insurance has both an operational aspect and a legal aspect, on which we put weights of 95% and 5% respectively in terms of importance to protecting a business and its investors (the point is that going to court to enforce coverage defeats the purpose of buying insurance, so you want to make sure that whatever insurance you buy protects your business right and pays out fast on large losses).

The video above shows real life examples of cyber events leading to financial losses to various organizations around the world. Cyber insurance liability and first party coverage play a major role in reducing direct or indirect losses of organizations due to Cyber Risk. It's important to remember that the insurance must be reworded by risk experts independent of brokers and insurers for it to be effective and least costly.

Cyber Risk Management

Cyber Risk Meaning

It is the risk of a cyber event leading to financial loss either directly or indirectly. Financial loss related to Cyber Risk is broken down into First Party costs and Third-Party Liability costs.

• First Party costs include an organization’s direct expenses or lost profits such as:

- restoration expenses;

- interruption in business operations leading to a loss in revenue and therefore profits;

- investigation costs;

- notification expenses;

- costs related to public relations efforts;

- Reputational damage.

• Third Party Liability costs include the costs of indemnification, defence, or settlement of civil suits, as well as the costs of regulatory proceedings.

- Examples of civil suits include lawsuits brought by customers, suppliers or business partners, employees, or other parties, as a result of damage they have sustained from a cyber event;

- Examples of regulatory proceedings are fines applied by privacy commissioners.

Cyber Risk Quantification Models

Most models are proprietary in nature such as our model, however certain regulatory bodies, such as in Europe, provide a starting point on how to measure Cyber Risk (ex. European Banking Act). 

Cyber Risk Report

Such a report can be drafted on a stand-alone basis or as part of a comprehensive report on Operational Risk. The report should include measures of Cyber Risk (currency impacts and probabilities of occurrence of different cyber risk events), recommended and implemented cyber controls, details of cyber insurance, relevant benchmarking, and ways to monetize a more competitive cyber risk profile. 

Cyber Risk Rating

Using our proprietary models, our team provides ratings for cyber risk either as part of an overall Operational Risk Rating, or on a stand-alone basis. It is recommended that such ratings be updated on a quarterly basis for publicly traded companies and presented to investors as part of quarterly earnings.

Cyber Risk Management Process

First, Cyber Risk needs to be quantified (the severity in currency terms as well as the probability of occurrence of specific cyber risk events). Second, adequate controls must be implemented based on the size and type of organization (ex. password security protocols, etc.). Third, Cyber Insurance must be purchased, however it has to be reworded to match the organization’s profile before it is bought from a broker or insurer. The insurance also needs to be triggered clinically in the event of a loss by experts who are independent from any broker or insurer. Finally, a re-measurement of the risk must be done to ensure that the steps within the cyber risk management process have been implemented correctly. It is recommended to review and update the process on a quarterly basis for mid-sized companies, and at least annually for small business.

Cyber Risk Governance Framework

Cyber Risk, along with other major forms of Operational Risk, should be dealt with professionally and in a structured manner that is clearly outlined within a company’s governance framework. Areas of governance include oversight, compensation, insurance, and other related matters. We recommend that such a governance framework be reviewed at least quarterly by the Board of Directors for mid-sized companies.

How To Quantify Cyber Risk

Our team uses proprietary models and methodologies to quantify Cyber Risk. This includes providing probabilities of occurrence on different cyber risk events as well as their corresponding currency impacts.

Cyber Risk Program

This can include a set of risk protocols as well as a standardized cyber insurance policy to be used by members of a specific association or a group of entities that are required to meet certain cyber protocols.

Cyber Risk Types

There are two broad types of Cyber Risk:

1. First Party risks: these are risks that directly impact an organization as a result of a cyber event (ex. ransomware event);

2. Third Party risks: these are forms of Liability Risk that are an indirect impact of a cyber event (ex. a cyber breach occurs, which then results in a customer lawsuit).

Cyber Risk Strategy

Please refer to the above section ‘Cyber Risk Management Process’.

Risk Management For Cyber Security

Please refer to the above section ‘Cyber Risk Management Process’. 

How To Calculate Cyber Risk

Please refer to the above section ‘How To Quantify Cyber Risk’.

How To Mitigate Cyber Risk

Mitigation is done through either (a) cyber controls; and/or (b) cyber insurance. 

How To Reduce Cyber Risk

Please refer to the above section ‘How To Mitigate Cyber Risk’.

Cyber Risk And Insurance

Insurance is part of the risk management process for Cyber Risk. It has to be reworded and triggered independently of brokers and insurers. Please note that Cyber risk should be specifically hedged through a dedicated Cyber insurance policy, which offers Cyber Insurance Liability coverage as well as Cyber Insurance First Party coverage, and not through other commercial insurance policies including but not limited to the ones listed below, which either provide limited cyber coverage or none at all:

• Commercial General Liability

• Property

• Directors’ and Officers’ Liability

• Professional Liability(E&O)

• Fidelity  

Cyber Insurance Risk 

Also known as Cyber insurance basis risk, this is the risk that the cyber insurance does not pay out as expected, which includes no, low, or delayed payouts. This risk applies to both Cyber Insurance Liability coverage as well as Cyber Insurance First Party coverage.

Cyber Insurance

What Does Cyber Risk Insurance Cover?

First party losses as well as third party losses. Examples of first party losses include notification expenses that are required to meet privacy regulation notification requirements in the case of a cyber breach. Examples of third-party losses include liability from customers or others in the event of a cyber breach, which are covered under Cyber Liability Insurance or Cyber Insurance Liability Coverage.

Cyber Risk Quotes

Please contact us if you are looking for cyber insurance quotes. We would reword the coverage to fit your operational details and have brokers compete for your business for most cost-effective results.

Cyber Risk Exclusion

It can be an exclusion under any form of commercial insurance that is not cyber insurance. This is simply due to the fact that insurers generally exclude risks that can be insured by separate products.

Cyber Risk Policy Template

You can ask your local broker for a copy of a sample cyber insurance policy. Generally, a cyber insurance policy will be divided into two main sections: (1) First Party coverage; and (2) Third Party or Cyber Insurance Liability coverage. Each section will have its own set of insuring agreements, definitions, exclusions, terms and conditions, alongside general conditions applying to both sections.

Cyber Insurance Liability

Most commonly referred to as Cyber Liability Insurance or Third Party Cyber coverage, it is insurance against Liability Risk that is a direct result of a cyber event (ex. data breach, virus, hack, etc.). For example, an airline company sustains a data breach whereby hackers get hold of the personal information of customers. Customers then hire lawyers to form a class action lawsuit against the airline company for compensation.

POPULAR SEARCHES ONLINE

Quote Queries

Cyber Insurance Online Quote

You can fill out and submit this form. It’s an easy 1-step process, and our team will send you a proposal.

Cost Queries

Cyber Insurance Premiums 

Recently cyber insurance premiums have been increasing due to various data breaches, ransomware, and other cyber events that have resulted in losses to insurers. However, competition amongst insurers is increasing and new insurance companies keep on entering the market putting a cap on the increasing premiums.

Cyber Insurance Pricing 

Pricing depends on the type of organization being covered, including its size, industry, cyber controls, amongst other factors. It is very hard to estimate pricing without details as some companies can pay as little as $500 for a $1 million limit in cyber coverage whereas others can pay hundreds of thousands or millions of dollars in premiums for the same cyber insurance limit.

Coverage Queries

Cyber Insurance Coverage

Primary coverage sections include:

• Security/Privacy Liability Coverage (part of Cyber Insurance Liability coverage)

This section covers loss from 3rd party claims for:

› Actual or potential unauthorized access to customer or employee personal information;

› Unauthorized access into computer systems or a computer system of an organization the insured contracts with to process, hold or store information;

› The insured’s failure to comply with its own publicly stated privacy policy;

› Cyber attacks to the insured or its processors that impair the use of a 3rd party’s computer system;

› Damage to a person or organization’s reputation in connection with the insured’s cyber activities.

• Privacy Notification Expenses

This section covers the insured’s reasonable privacy notification expenses to persons whose personal information may have been subject to a privacy breach.

• Crisis Management Expenses

This section covers the insured’s reasonable costs for outside legal counsel, forensic investigators, public relations consultants, advertising and public relations media and activities.

 E-Business Interruption and Extra Expenses

This section covers the insured’s loss of income, after a 24-hour waiting period until computer operations are restored, as a result of a cyber attack (also immediate coverage is available for expenses needed to continue operating).

Reward Expenses

This section covers amounts paid by the insured to informants leading to the arrest of the cyber attacker(s).

Regulatory Action Coverage (part of Cyber Insurance Liability coverage)

This section covers the insured’s defence costs incurred in defending actions brought by Privacy Commissioners and other government regulators.

E-Threat Expenses

This section covers funds and property where the insured surrenders same due to a threat involving the fraudulent input of data (also covers related expenses).

• E-Vandalism Expenses

This section covers the insured’s costs of blank media and labour to restore data in connection with data vandalism.

Consumer Redress Funds

This section covers any money the insured must deposit in a fund for the payment of consumer claims as a result of a regulatory action.

Cyber Insurance First Party Coverage

Coverage for costs borne by an organization as a result of a cyber event including direct expenses or lost profits. Included in such coverage are expenses to comply with regulatory notification policies, expenses to fix and restore systems, PR expenses, lost profits due to business interruption, and other costs. 

Cyber Insurance Exclusions

Every cyber insurance policy is different, whether it’s first party coverage or third-party coverage (aka Cyber Insurance Liability coverage), and its corresponding exclusions are different as well. Please take this following list as a general list that can materially differ from one policy to another based on how the exclusion is worded or whether it exists within a specific policy. Cyber insurance exclusions include but are not limited to the following exclusions for:

- Fraudulent conduct;

- Prior knowledge of a loss;

- Prior or Pending litigations;

- Bodily Injury and Property Damage;

- War;

- Infrastructure Outages;

- Other loss scenarios.

Cyber Insurance Limits

Any one company can find cyber insurance limits of over $300 million. That said the cyber insurance limit to buy largely depends on the cyber risk measurement and assessment of the organization buying the insurance. Many companies make the mistake of relying on benchmarking provided by insurance brokers and companies, such benchmarking is inherently flawed in the way data is compiled. For mid-sized companies and larger, it is important to measure cyber risk accurately and reword any commercial insurance contract to reflect the risk measurement and assessment efforts.

Queries By Country or State

Cyber Insurance Canada

Our team can assist small to multinational Canadian businesses manage their cyber insurance, including negotiations with brokers and triggering the insurance for effective payout, or to provide them with analytics for their own broker negotiations. The cyber insurance market in Canada is competitive, considered to be more sophisticated than the average G7 cyber insurance market, and there is no shortage of brokers and insurers as providers of such insurance. It is however important to have risk experts independent of brokers and insurers who would reword and trigger the insurance for best value.

Cyber Insurance USA 

Our team can assist mid-sized to multinational US businesses manage their cyber insurance, including negotiations with brokers and triggering the insurance for effective payout, or to provide them with analytics for their own broker negotiations. The US cyber insurance market is the largest and arguably the most sophisticated in the world. There are many options and effective negotiations with brokers and insurers can lead to very different results than otherwise. Businesses can get very different coverage with the same broker and insurer.

Cyber Insurance New Zealand

Our team can assist mid-sized to multinational businesses in New Zealand manage, reword, and trigger their cyber insurance independently of insurance brokers or companies. We can work with the existing brokers of the business or conduct an RFP to choose an optimal insurance broker either our firm or the business would communicate with.

Cyber Insurance Australia

Our team can assist mid-sized to multinational businesses in Australia manage, reword, and trigger their cyber insurance independently of insurance brokers or companies. We can work with the existing brokers of the business or conduct an RFP to choose an optimal insurance broker either our firm or the business would communicate with. 

Cyber Insurance London

Our firm has extensive experience within the London and UK market and can assist mid-sized to multinational businesses in London or the UK manage, reword, and trigger their cyber insurance independently of insurance brokers or companies.

Cyber Insurance UK

Please refer to the section right above.

Cyber Insurance Ireland

Please refer to the section right above.

Cyber Insurance Europe 

Our team can assist mid-sized to multinational businesses across Europe manage, reword, and trigger their cyber insurance independently of insurance brokers or companies. We can work with the existing brokers of the business or conduct an RFP to choose an optimal insurance broker either our firm or the business would communicate with.

Cyber Insurance Market In India

Our team can assist mid-sized to multinational businesses based in India manage, reword, and trigger their cyber insurance independently of brokers and insurers, implementing the latest North American techniques regardless of local insurance market dynamics. The cyber insurance market in India is typically inexpensive compared to many other countries however that is because insurers exclude many types of cyber risks that could be relevant to businesses. It is important for Indian businesses to be sure of the purpose of buying Cyber Insurance and not benchmark to local businesses if cyber risk management is their primary focus. 

Cyber Insurance UAE

Our team can assist small to multinational businesses based in the UAE manage, reword, and trigger their cyber insurance independently of brokers and insurers, implementing the latest North American techniques regardless of local insurance market dynamics.

Cyber Insurance Hong Kong

Our team can assist mid-sized to multinational businesses based out of Hong Kong or mainland China for cyber insurance management and/or analytics independently of any broker or insurer. We would bring the latest north American techniques and coverage, for both cyber insurance liability or first party coverage, when assisting a business in Hong Kong or mainland China regardless of the capabilities of local brokers and insurers.

Cyber Insurance Singapore

Our team can assist mid-sized to multinational businesses based out of Singapore for cyber insurance management and/or analytics independently of any broker or insurer. We would bring the latest north American techniques and coverage, for both cyber insurance liability or first party coverage, when assisting a business in Singapore regardless of the capabilities of local brokers and insurers.

Cyber Insurance Malaysia

Malaysia is one of the leading Asian countries in terms of awareness and research of Liability Risk, for which Cyber Insurance Liability coverage can be a hedge as it relates to cyber events leading to liability. Our team can assist mid-sized to multinational businesses based out of Malaysia for cyber insurance management and/or analytics independently of any insurance broker or insurance company.

Cyber Insurance Indonesia

Our team can assist mid-sized to multinational businesses based out of Indonesia for cyber insurance procurement independently of any broker or insurer. We would bring the latest north American techniques and coverage, for both cyber insurance liability or first party coverage, when assisting a business in Indonesia regardless of the capabilities of local brokers and insurers.

Cyber Insurance Thailand

Our team can assist mid-sized to multinational businesses based out of Thailand manage their cyber insurance independently of any broker or insurer. Our team would bring the latest north American techniques and coverage, for both cyber insurance liability or first party coverage, when assisting a business in Thailand regardless of the capabilities of local brokers and insurers.

Cyber Insurance South Africa

Our team can assist mid-sized to multinational South African businesses manage their cyber insurance independently of any broker or insurer. South Africa would be the leader in Africa in terms of commercial insurance penetration and coverage, including cyber insurance liability or first party coverage. Our team would bring the latest north American techniques and coverage when assisting a South African business, even if local brokers and insurers do not have immediate capabilities to provide for the latest solutions.

Marketplace Queries

Cyber Insurance Providers

Providers of cyber insurance are plenty ranging from local to regional to international insurance brokers and companies. International brokers include Marsh, Aon, Willis, Gallagher, and others. International insurers include AIG, Zurich, Chubb, Lloyd’s, and others. What is important is to have the insurance reworded and triggered independently of any insurance provider for best value.

Cyber Insurance Underwriting

Many insurance companies have a Cyber Insurance product expert formulating underwriting guidelines. That said, often times there are major flaws in the way the insurance product is underwritten. For the most part, as is the case with other forms of commercial insurance, insurers will take a portfolio approach when underwriting a specific risk as opposed to looking at the detailed operational risk metrics of a specific business. This ultimately leads to a product that is largely not tailored to the specific operations of the insured.

Cyber Insurance Claims

There are many cyber insurance claims around the world, both cyber insurance liability claims as well as cyber first party claims. You can watch the video at the top of this page to skim through some notable cyber events that have led to losses for the businesses involved. If the business had cyber insurance then it would have claimed the insurance, however the question remains whether the insurance effectively paid out on such claims or not. There are various disputes around the world for cyber insurance claims not being paid out by insurers. It is therefore important to reword the insurance contract with the help of risk experts who are independent of brokers and insurers.

General Queries

Cyber Insurance 101

Cyber insurance is simply protection or insurance against cyber risk, which is the risk of cyber events occurring and leading to financial losses to organizations. It has two coverage parts (1) Cyber Insurance Liability coverage; and (2) Cyber Insurance First Party coverage. Please refer to the section ‘Cyber Risk Meaning’ for a better understanding of the types of cyber risks that should be covered accurately through cyber insurance.

Cyber Insurance Explained

Please refer to the section right above.

How Cyber Insurance Works

First, the insurance has to be connected to the measurement and assessment of the cyber risk of a business. Once the latter is completed, the insurance needs to be reworded to fit the operational details of a business. The product that is reworded is then given to the assigned insurance broker for distribution amongst insurance companies. When a loss happens, the insurance policy must be triggered clinically independently of any broker or insurer for effective payout.

Frequently Asked Questions (FAQ)

Is Cyber Insurance Necessary?

Yes, if you are a business storing lots of customer or sensitive data or if your operations can be adversely impacted by a cyber business interruption event. Keep in mind that Cyber Risk has one of the highest probabilities of occurrence out of all forms of Operational Risk.

How Can Cyber Insurance Mitigate The Risk?

The insurance is made up of two main coverage sections, Cyber Insurance Liability coverage and Cyber Insurance First Party coverage, which outline the various loss scenarios that would be covered by the insurance. Simply put, Cyber risk is the risk of a cyber event occurring and leading to financial loss to an organization. The insurance is one of the most effective ways to mitigate the risk because it indemnifies or reimburses the organization for the financial loss resulting from the risk occurring. This is very important because many organizations think their cyber controls are enough to mitigate the risk, but if we look at various cyber losses across the world, we will note that losses are borne by many top organizations who had some of the best cyber controls in place. It is therefore important to mitigate Cyber Risk beyond the implementation of controls, which is where Cyber Insurance comes into play.

What Does Cyber Insurance Not Cover?

Cyber insurance does not cover various loss scenarios, from malicious acts to bodily injury, that are specifically outlined in the exclusions section of the cyber insurance policy wording. For more information, please refer to the section ‘Cyber Insurance Exclusions’ under Coverage Queries.

How Much Does Cyber Insurance Cost?

Please refer to the section ‘Cyber Insurance Pricing’ under Cost Queries.

Tagged under: