INTERNATIONAL STANDARD – ISO/IEC 27102

Information security management — Guidelines for cyberinsurance

6 Cyber-risk and insurance coverage

6.1 Risk management process and cyber-insurance

A cyber-insurance policy generally allows the insured to reduce losses from cyber-risks through the sharing of these risks with an insurer.
An organization should be protected from cyber-risks by using a process that actively predicts, identifies, assesses, treats and responds to cyber-incidents as part of an effective risk management approach.
The risk assessment process should include appropriate translation of cyber-risks into business terms to highlight the business consequences of cyber-incidents. Such translation supports risk treatment decisions on how each risk is to be treated, through:
a) avoidance;
b) removing the threat;
c) changing the likelihood or consequences of the risk;
d) retaining the risk; or
e) sharing the risk with other parties, such as insurers.
Risk treatment decisions should consider the incorporation of cyber-insurance, to improve resilience against such risks. The risk management process provides information on risks and business consequences to align a cyber-insurance policy with the security risk management strategy and risk acceptance criteria of the organization.

6.2 Cyber-incidents

6.2.1 General

A cyber-incident occurs where a cyber-risk becomes a reality and leads to a loss of confidentiality, integrity or availability of data or other assets.
A cyber-incident is caused by a threat that exploits a cyberspace vulnerability, typically relating to the use of information systems and networks. The use of cyberspace brings threats such as denial of service attacks, intrusion into an organization’s network, malware dissemination, improper use of information or information systems, and extortion. In addition, there are other threats such as errors and omissions and system malfunctions. The organization should identify relevant threats in light of its business and technological contexts.
A cyber-incident can be caused by an actor exploiting a vulnerability, by unintentional error, or by a system malfunction. A cyber-incident can impact the organization’s technology and, as a result, require repair or replacement of the impacted asset.

6.2.2 Cyber-incident types

Cyber-incidents, originating from internal or external threat sources, belong to one or more of the following categories:
a) system malfunction: the insured’s system or network is malfunctioning or is damaging a third-party system, or a supplier’s system is not functioning, impacting operations;
b) data confidentiality breach: data stored in the insured’s system (managed on premise, hosted or managed by a third party) has been stolen or exposed;
c) data integrity or availability loss: data stored in the insured’s system (managed on premise, hosted or managed by third party) has been corrupted or deleted;
d) other malicious activity: misuse of a technology system to inflict harm (such as cyber-bullying over social platforms or phishing attempts) or to illicitly gain profit (such as cyber-fraud); and
e) human error: where something unintentional has been done by a human resulting in harm to a system, network or information.
Root causes for incidents can usually be attributed to failure of people, systems or processes.
Each of these incident types can be covered by cyber-insurance.

6.3 Business impact and insurable losses

6.3.1 Overview

A cyber-incident can result in business impacts to the organization. These impacts can include the loss or compromise of personal data, loss of e-commerce revenue, disruption of supply chains and business interruption. During and after a cyber-incident, the organization can be faced with significant costs to restore operations, conduct investigations and settle regulatory fines and legal cases.
Certain business impacts resulting from a cyber-incident can be quantified, for example: loss of sales, lost profit, cost of crisis management, forensic investigations, lawsuits and indemnification, notifications to business partners and customers, regulatory investigations, fines, attorneys and consultants, public relations professionals, and remedial measures. Some business impacts can be difficult to quantify, for example reputational damage, impact or damages to business executives, management, staff and related personnel, or leakage of trade secrets and other infringement of intellectual property rights.
A cyber-incident affecting the organization can also occur at a supplier or another third-party organization supplying goods or performing services for the organization.

6.3.2 Type of coverage

Cyber-insurance can cover primary categories of business impacts including the following:
a) liability (6.3.3);
b) incident response costs (6.3.4);
c) cyber-extortion costs (6.3.5);
d) business interruption (6.3.6);
e) legal and regulatory fines and penalties (6.3.7);
f) contractual penalties (6.3.8); and
g) systems damage (6.3.9).
NOTE 1 Item e) applies only where it is allowed.
NOTE 2 With ongoing cyber-insurance product development, additional categories of coverage can emerge over time.
The insured should select the cyber-insurance coverage that best suits its identified risks.

6.3.3 Liability

A cyber-incident can lead to liability costs for the insured through indemnification for losses to other parties. Examples of such liability can include:
a) damages caused by a cyber-incident at the insured affecting individuals or other organizations;
c) data breach of personal, customer or supplier information.

6.3.4 Incident response costs

6.3.4.1 Overview

Different types of response costs can result from a cyber-incident. Cyber-insurance typically provides coverage of some but not necessarily all costs. Subclauses 6.3.4.2 to 6.3.4.8 provide typical examples of cost-incurring scenarios.
NOTE Insurers, because of their business practices, can exclude certain items from their coverage of cyber-insurance, or they can decide not to underwrite and cover certain aspects.

6.3.4.2 Loss, theft or damage to information

A cyber-incident can result in the leakage of the insured’s confidential information. The financial and non-financial value of the information to the insured is lost if it is leaked. A typical example of information leakage resulting in significant damage to the insured occurs when competitors obtain trade secret or invention information before its public disclosure as a patent. Leakage of personal information can also be accompanied by payments and other costs in relation to the individuals concerned.
A cyber-incident can result in loss of integrity or availability of the insured’s information, information systems and other assets. The loss can adversely affect the business processes of the insured including its internal operations, service delivery, manufacturing and operational technology.
An insured’s information can be damaged or stolen in a cyber-incident. This can incur costs to replace or repair the impacted information by restoring, updating, recreating or replacing it to the condition it was in prior to the loss, theft or damage. Stolen information has a value to the insured, and this value should be considered a cost where the stolen information is not recoverable. Costs can also be incurred by the insured in attempting to recover its information. Additionally, where information is copied in an unauthorized manner, the current value of the information can be diminished as a result.
A special case is the loss or theft of intellectual property, e.g. trade secret, invention before disclosure as a patent and copyrighted material, through a cyber-incident. Lost intellectual property has a current and future value to the insured and this value should be considered a cost where the lost information is not recoverable. Additionally, when intellectual property is copied, the value of the intellectual property can be diminished or reduced to zero as a result. The insured may not be able to recover for the lost value of the intellectual property.

6.3.4.3 Reputational damage

Reputation is a significant business asset for most organizations, and incurring reputational damage can be disastrous. It is important for the insured to restore its reputation when it has been damaged as a result of a cyber-incident. The insured should have a suitable communications plan to acknowledge its concern and commitment to resolve the incident, while showing that the insured is in control of the situation. Insurers may be willing to pay for public relations consultants to assist in mitigating reputational damage.

6.3.4.4 Customer or employee notification costs

A cyber-incident can involve customer or employee data and potentially impact the insured’s customers or employees. Where individuals’ information is involved, it is possible that these individuals, as well as regulators, will seek responses to questions about the extent of the cyber-incident and the steps taken to minimize the damage that has already been incurred. Where such a cyber-incident occurs, the insured can incur costs associated with notifying the affected individuals when their information has been impacted. These costs can include the need to establish a special cyber-incident customer call centre to handle calls from the notified individuals.
NOTE Certain jurisdictions, laws, regulations or regulators require that notification to affected individuals occurs. Unless the costs of notification are specifically covered in a cyber-insurance policy, the insured pays such costs.

6.3.4.5 Customer or employee protection costs

When a cyber-incident that includes loss of customer or employee data occurs, these individuals are more susceptible to risks such as identity or medical fraud. Expenses can be incurred where the insured needs to provide credit or identity theft monitoring services to decrease the level of risk exposure for a defined period of time. Costs incurred can also include legal, postage, and advertising expenses where there is a legal or regulatory requirement to notify individuals of a cyber-incident, including credit monitoring and public relations media assistance costs.

6.3.4.6 Specialist expertise costs

A cyber-incident can raise complex issues that can incur costs associated with the engagement of a specialist individual or team to assist the insured in responding adequately. For example, a cyber-incident can be associated with national and international legal and regulatory requirements which require specialist knowledge to determine how best to comply. Another example is engaging a crisis communication specialist to advise the insured on media communications and media relations, and to draft crisis communication plans, incident communication documents and notification letters to affected and interested parties. Special resources to assist the insured through a cyber-incident can also include the establishment of a special cyber-incident 24/7 hotline and associated call centre to handle calls from the notified individuals, and IT forensics specialists to stop an ongoing breach from continuing and to investigate the breach.

6.3.4.7 Operational cost to manage incidents

Costs can be incurred to manage a response to the cyber-incident and to contain any business impact resulting from the incident. Examples include the redirection of existing experts away from their normal duties to form a rapid response team, overtime costs, and operational costs to restore systems, networks or data.

6.3.4.8 Staff and personnel costs

A cyber-incident can result in costs that affect staff and personnel, for example, time off work, loss of productivity, staff replacement and loss of personal reputation.

6.3.5 Cyber-extortion costs

Cyber-extortion involves attempts to extort money by threatening to damage or restricting the insured’s use of technology, or releasing information copied or stolen from the insured. Examples of cyber-extortion risks include:
a) making the insured’s information inaccessible through encryption by malware;
b) undertaking, or threatening to undertake, a hacking attack or denial of service, or to introduce malware into the insured’s information systems;
c) deleting, disseminating, divulging or utilizing information stored in the insured’s information systems;
d) damaging, destroying or altering the insured’s information systems; and
e) requesting a ransom to decrypt information.
NOTE There are jurisdictions where insurance coverage for selected cyber-extortion risks is not permitted.

6.3.6 Business interruption

Business interruption involves a loss of income or loss of profit and increased operating expenses resulting from a cyber-incident. Further business interruption impacts can include reduced operational effectiveness and efficiency, failure to meet deadlines and delayed deliveries to customers.

6.3.7 Legal and regulatory fines and penalties

A cyber-incident can result in the insured being subjected to:
a) civil penalties;
b) regulatory penalties and fines resulting from an investigation or enforcement action by a regulator; or
c) other compensatory awards decided by a legal system.
NOTE There are jurisdictions where insurance coverage for certain legal and regulatory fines or penalties is not permitted.

6.3.8 Contractual penalties

A cyber-incident can result in the insured not fulfilling its contractual obligations. This can result in penalties from the counterparties to those contracts.

6.3.9 Systems damage

A cyber-incident can result in costs to repair or restore systems, data and software applications not otherwise covered by the insured’s existing insurance policies; for example, where these are specifically excluded.

6.4 Supplier risk

A cyber-incident affecting the insured can also occur at a supplier or another third-party organization providing goods or performing services for the insured. Such a cyber-incident can result in the loss of data or can disrupt one or more services provided to the insured. The insured should seek confirmation that costs due to a cyber-incident at a supplier or another third-party organization contracted to provide goods or perform services will be recoverable, either through the third party’s own insurance arrangements or through those of the insured.
The insured can also be subject to investigation costs, defence costs, and civil damages as a result of a cyber-incident at its supplier or other contracting third-party organization.
On the other hand, a cyber-incident at the insured can impact customers or other external entities, whereby the losses incurred by these external entities can result in claims or financial obligations against the insured.

6.5 Silent or non-affirmative coverage in other insurance policies

Some potential impacts of a cyber-incident can already be covered by the insured’s existing insurance policies, if a policy clause does not exclude cyber-incidents. An example is a cyber-incident causing a fire or explosion, which can be covered under a property policy.
The insured should consider potential coverage as well as exclusions of cyber-risks in existing policies.

6.6 Vendors and counsel for incident response

The insured should develop and maintain relationships with suppliers, vendors and counsel in order to prepare for a cyber-incident and to enhance its ability to respond in an effective and timely manner. These preparations should be regularly tested and reviewed as part of the insured’s business continuity planning. These services can be available as a service from the insurer or sourced independently by the insured.

6.7 Cyber-insurance policy exclusions

A cyber-insurance policy cannot cover all types of losses. Therefore, it is important that the insured understands what risks are excluded from a cyber-insurance policy. Policy exclusions can include the following:
a) first-party and third-party bodily injury and property damage arising from a cyber-incident are usually excluded under a cyber-insurance policy;
b) terrorism: a cyber-loss caused by hacking groups that are classified as terrorist organizations in some countries, or by internationally recognized organizations;
c) acts of war and other hostile acts: there is no generally recognized definition of cyber-war. The definition is expected to be linked to actors, for example nation states, and to the level of disruptive or destructive impact, whether war is declared or not;
d) impacts due to loss of intellectual property, for example, patents, copyrights or trade secrets;
e) theft or loss of confidential information where the information is not directly owned by the insured; and
f) loss of reputation.
The insured should check all exclusions in its cyber-insurance coverage.

6.8 Coverage amount limits

The potential business impact and losses that can be incurred by the insured should be reviewed and clarified to carefully determine how much cyber-insurance coverage to buy. The amount of cyber-insurance the insured can purchase can vary depending on the insured’s financials, industry, operations and cyber-risk exposure, for example the number of personal records held by the insured.
Cyber-insurance policies can have an excess or deductible applied, which is the amount of money the insured should pay before a claim can be made against the cyber-insurance policy. There can be an aggregate limit, either for the policy as a whole or for a single event per annum. The size and nature of the excess or deductible should be agreed during the preparation of the cyber-insurance policy. Cyber-insurance policies can also include a waiting period of several days before business interruption cover begins to apply. Further, the length of business interruption coverage in a cyber-insurance policy can be limited. Most policies cover lost income resulting from a cyber-incident only for a certain period of time.
To assist in evaluating potential cyber-losses that would allow determination of the appropriate amount of coverage to purchase, advice can be sought from research organizations that regularly publish industry benchmark information on the cost of past cyber-incidents around the world.
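As an added illustration, not part of the standard, the following Python model works through how the limits described in 6.8 interact: the waiting period and the capped business interruption period decide how many outage days are insurable at all, then the deductible, the per-event limit and the annual aggregate are applied in turn. The class and field names, and the monetary figures, are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyTerms:  # names and structure are this example's assumptions, not the standard's
    deductible: float        # excess the insured bears on each event before a claim is paid
    per_event_limit: float   # maximum payout for a single event
    annual_aggregate: float  # maximum total payout across all events in the policy year
    bi_waiting_days: int     # waiting period before business interruption cover applies
    bi_max_days: int         # maximum number of days of lost income that are covered


@dataclass(frozen=True)
class Incident:
    outage_days: int           # length of the business interruption
    daily_lost_income: float   # income lost per day of outage
    response_costs: float      # forensics, notification, legal (not subject to the waiting period)


def covered_bi_days(terms: PolicyTerms, incident: Incident) -> int:
    """Days of lost income the policy pays for: those after the waiting period, capped at bi_max_days."""
    return max(0, min(incident.outage_days - terms.bi_waiting_days, terms.bi_max_days))


def settle(terms: PolicyTerms, incidents: list[Incident]) -> tuple[list[float], list[float]]:
    """Apply waiting period, deductible, per-event limit and annual aggregate, in that order.
    Returns (payouts, retained) per incident; incidents are processed in chronological
    order, so later events can only draw on whatever aggregate is left."""
    remaining_aggregate = terms.annual_aggregate
    payouts, retained = [], []
    for inc in incidents:
        insurable = inc.response_costs + covered_bi_days(terms, inc) * inc.daily_lost_income
        after_deductible = max(0.0, insurable - terms.deductible)
        paid = min(after_deductible, terms.per_event_limit, remaining_aggregate)
        remaining_aggregate -= paid
        total_loss = inc.response_costs + inc.outage_days * inc.daily_lost_income
        payouts.append(paid)
        retained.append(total_loss - paid)  # uncovered days, deductible, and amounts above limits
    return payouts, retained


# Constructed sample terms and incidents (illustrative figures, not taken from the standard).
TERMS = PolicyTerms(deductible=50_000, per_event_limit=1_000_000, annual_aggregate=1_500_000,
                    bi_waiting_days=2, bi_max_days=30)
INCIDENTS = [
    Incident(outage_days=10, daily_lost_income=100_000, response_costs=200_000),  # large outage
    Incident(outage_days=45, daily_lost_income=20_000, response_costs=100_000),   # exceeds BI period
    Incident(outage_days=1, daily_lost_income=50_000, response_costs=30_000),     # inside waiting period
]

if __name__ == "__main__":
    for inc, paid, kept in zip(INCIDENTS, *settle(TERMS, INCIDENTS)):
        print(f"{inc.outage_days:>3}-day outage: insurer pays {paid:>12,.0f}, insured retains {kept:>12,.0f}")
```

Running it shows the second event being cut to the remaining aggregate and the third event producing no claim at all, which is the kind of gap the benchmark data mentioned above is meant to help size.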
