
Top Cyber Insurance Companies – Hiscox

Hiscox have managed to establish themselves relatively quickly as probably the market leader in cyber liability insurance, in part based on the policies they provide, in part on the resources and risk modelling they help with, and in part on the existing customer base which has a high focus on small business and various types of liability insurance.

All these areas are hugely important regarding cyber insurance. The scale of cyber security and related risks is so big that it is virtually impossible to comprehend. As such, as Warren Buffett recently pointed out, many insurance companies do not want to enter the market because it is so difficult to determine levels and cost of risk.

What Hiscox have done is essentially to build on that existing customer base, and the reputation they already have, to advance what is both an insurance policy in terms of financial indemnity and a risk management process that actually deals with the realities of any data breach or cybercrime.

Hiscox Customer Base

While Hiscox may be active in many areas of insurance, one of their main areas of focus is on small businesses and related liability insurance. This focus brings together a significant number of what could be termed niche areas of business, but which all share common liability threats.

These liability threats could be around general business liability, public liability insurance, E&O insurance, product liability insurance, employers’ liability insurance etc. Whilst every business is different, they have a thread of similar needs that means these types of liability insurance can be both general and specific at the same time.

What this has allowed Hiscox to do is to develop specialist insurance policies that in fact can be targeted at very specific industries and professions.

This has given them a fairly unique access to understanding the needs of a variety of different trades and businesses, which they have been able to very successfully build on in understanding the needs that relate to cyber insurance, for every type and size of business and organisation.

Hiscox Cyber Insurance Policies

Cyber insurance policies can vary quite widely in terms of the level of coverage and the cost of accessing them. What Hiscox have done in terms of coverage is to provide what is pretty much a gold standard as to how a data breach claim should be dealt with.

This means that aside from any financial indemnity that the policy provides, the policy also provides a working incident response team, which can help manage both the immediate and longer term realities of what a data breach involves.

In practice this means that a Hiscox insurance policy will provide access to a team of selected individuals and companies who can manage a number of areas of the claim. This can include IT specialists, lawyers, PR companies, financial analysts etc.

The work of this team will revolve around dealing with and paying any ransom that may be demanded, restoring the integrity of an IT system, dealing with any reputational damage that the company or business may suffer, and notifying and dealing with any regulatory bodies that may need to be notified of the breach.

The team should also include specialists who can forensically examine and come to understand the reasons for the data breach, and put in place systems to make sure it does not occur again once the integrity of the IT system has been restored.

The insurance policy should also provide some type of business interruption insurance until the IT system and the business itself is up and running again as per its normal practice.

In addition, the policy is likely to provide help for individuals whose information has been accessed unlawfully, such as providing access to credit monitoring systems in relation to identity theft.

Cyber Security and Risk Management

Hiscox offer a significant number of tools and resources to both potential customers, and signed up clients, which give them a significant amount of advice regarding risk management of cyber security. There are two particular reasons this is done.

One is simply that everything a company can do to reduce its risk exposure to a cyber security threat reduces the likelihood of a claim under its insurance policy. This should be good news for everyone in terms of reduced levels of claims exposure for the insurer, and hopefully reduced costs by way of premiums and deductibles for the company or business being insured.

The other reason is that it creates a level of trust around the insurer’s ability to understand the security risks and how best to deal with them.

Cyber insurance is a fairly new type of specific insurance policy, and part of its growth and appeal is the fact that insurers like Hiscox are very active in taking the lead to help companies understand the nature of cyber security risks, and how best they can be managed.

Many companies and businesses of all sizes are still to an extent in the dark on the reality of cyber security risks, either through complacency or lack of resources.

Providing risk management assistance allows Hiscox to gain a foothold on virtually any company’s radar, and to be able to build on it by way of providing cyber insurance policies if and when needed. It becomes a self-fulfilling loop that should in theory benefit both sides of the industry.

Cyber Insurance Cost Examples – Equifax

The data breach at Equifax sent shockwaves throughout the Internet, and throughout the financial community generally. This is in large part because of the huge amount of sensitive data that all credit rating agencies hold on individuals, and the fairly natural assumption that data is kept safe.

According to CNN, the breach involved the theft of personal data of approximately 145,000,000 people, and the theft was only revealed two months after it happened.

Whilst the delay in revealing the theft was not as long as that of Yahoo or some other companies, two months is still a huge time in terms of the risk of identity theft. With the breach of Equifax the risk of identity theft is probably as strong as it possibly could be, and any delay is potentially hugely important.

Equifax Data

All the main credit rating agencies potentially hold a huge amount of personal and financial information on millions of people worldwide. Their role is to provide an accurate assessment of an individual’s creditworthiness, that can give a valuable document to any bank or financial institution looking to lend them money or any type of credit.

Anyone applying for any type of credit or loan will have had their application assessed and determined on the basis of a credit score/credit report which will have been prepared by a company such as Equifax.

In preparing such a report, Equifax would collect a significant amount of data on an individual. Such information would normally include their name, their date of birth, address, their telephone number, their Social Security number or their social insurance number, their driver’s license details, their passport and their current and previous employers.

They would also look at the individual’s credit history. This would include information relating to payment history of any credit loan or arrangement, the use of current available credit to them, the length of their credit history, the number of enquiries they have made regarding obtaining credit, and the type of credit they use most frequently.

Their financial history would also be looked at. This would involve obtaining information from public records regarding things such as bankruptcy. They would also look at their banking history regarding overdrafts, bounced checks and any closed accounts.

They will also look at things such as loans, mortgages, lines of credit, store cards and credit cards and, worst of all, payday loans.

Anyone looking at this type of report would realise pretty quickly that the amount of information held on an individual by a credit bureau is massive.

Not only in the size and scale of it, but in the scope that it provides for identity theft. The fact that there could be a breach to the extent that there was highlights the enormity of the type of centralisation of this information.

Equifax Breach Causes

According to CNN, Equifax blamed the breach on one single individual, advising Congress that this individual had subsequently been fired! It is perhaps more scary that a breach of this size and scale could have been effected by one individual.

Any cyber security policy that is meant to protect this type and scale of data has surely got to have some type of safeguards built in, so that no individual has either this type of responsibility or this type of power on their own.

Cyber Insurance Cost Examples – Yahoo Data Breach

Yahoo provides one of the best examples of the enormity and severity of what can happen with a data breach. Although a few years old, Yahoo suffered three data breaches which were only reported two or three years after they happened.

Estimates of accounts breached ranged from 500 million through to every single one of the accounts. The information that was lost or accessed included names, email addresses, telephone numbers, dates of birth, passwords and sometimes encrypted security questions and answers.

Someone at Yahoo tried to make the point that at least no credit cards or credit card numbers were accessed, but that is in many ways fairly irrelevant.

The importance of the Yahoo breach focuses on several areas.

The first is the issue of when and how Yahoo reported the breach.

Any delay in letting people know that the information has been accessed by someone who should not have a right to it increases the chance of that information being used for any criminal purpose such as identity theft.

Tracing, reporting and trying to undo identity theft is a hugely complex process. Anyone who has suffered it will tell of the enormous difficulties they face in trying to prove that they are not the person that someone else has said they are.

Identity Theft

Anyone trying to prove identity theft will find it difficult to prove where the other person got the information from, especially if it was two or three years previously.

Any company who experiences a data breach has a moral as well as normally a regulatory duty to disclose information to whoever has been affected by the breach as soon as possible. The danger is that any company is going to be afraid of the reputational damage that acknowledging such a breach is likely to cause.

This is one reason why most cyber insurance policies include some provision to pay for a PR company of some description to help manage the fallout and restore some type of reputational credibility.

Even if a company such as Yahoo is taken to task by any regulatory authority for not disclosing a breach earlier, in many ways the damage has already been done.

The other main issue that a data breach at companies such as Yahoo highlights, or perhaps the question it raises, is: is anyone safe? This question is almost the most important one that can be asked.

It is not about Yahoo’s technology systems or their cyber governance policies. It is about the fact that Yahoo is one of the oldest and was one of the most respected technology companies since the foundation of the Internet, and if they can be breached and hacked to this extent then presumably anyone can.

The breach at Yahoo is not about whether they have the most secure IT systems. It is almost more about the credibility of the Internet, and a sense of whether or not a technology company of its stature should be able to be breached, and, if they are, whether they properly dealt with it.

What does Cyber Insurance Cost?

For many people, the cost of cyber insurance is about two distinct issues.

The first is the actual cost of insurance in cash terms, relative to the coverage provided; the second is the question of whether it is worth having cyber insurance at all.

Any business or organisation needs to break the cost issue down into three specific areas.

The first is to decide what level of risk they believe the business is at; the second is what they can do by way of cyber governance to reduce any risk; and the third is whether or not they need cyber insurance at all, depending on what other types of business insurance they already have.

This is one area of insurance where it is well worth considering using an insurance broker, which will not increase a business’s cost at all, but can provide invaluable information both about cyber risk modelling, as well as cyber insurance policies and their costs.

In terms of cost in cash terms, like any type of insurance, it is very difficult to generalise. However, reports by Reuters and others seem to suggest that rates have increased by anything from 30 to 50% over the last two or three years, that the size of deductibles has also increased and the amount of coverage has been significantly reduced.

Cost of a Data Breach

What can be more easily quantified is what a data breach can cost a company.

Reuters recently reported that a data breach at Merck cost its insurers around US$275 million. The cost to Target, the well-known retailer, of a data breach in 2013 was estimated to have been US$264 million.

Research by the Journal of Cyber Security in 2016 estimates the total cost of cyber events at approximately US$8.5 billion annually. They go on to suggest that the most common type of data breach is where customers’ credit card numbers and healthcare information have been compromised.

Any company or organisation holding this type of information is therefore more likely to be at risk, and be charged higher premiums. Their research also points to certain industries being most at risk, namely retail, information, manufacturing, finance and insurance.

Insurance premiums for these sectors of business are likely to be higher than others.

Cyber Liability Insurance Cost

Any insurance policy is about risk. An insurance company offering cyber insurance will look at a business or organisation, and try to assess the level of risk and then decide how much to charge for the coverage they are offering.

As Warren Buffett recently said, trying to assess the risks of cyber security is almost impossible, partially because it is such a relatively new area of insurance, and partially because it is inherently difficult to assess the level of risk.

There are however a number of major insurers offering cyber insurance, such as Hiscox, AIG, Travelers etc. Their assessment of risk will be focused on a number of areas including type of business, revenue, number of employees, cyber security governance etc.

Premiums do vary widely, and anecdotal evidence available suggests premiums can vary from US$500/600 a year up to US$100,00 a year and more. The insurance rates charged for the policy will largely be determined by the coverage limit of the policy, and what deductible is applied.

Cyber Attack Cost to Business

The second question is in a way easier to address, as it is normally focused on the question of whether or not there is any risk, and if so whether that risk is already covered by some type of E&O insurance, or a general business or liability insurance policy that the company or organisation already has.

Any business or organisation of any size is potentially open to a cyber attack or data breach. What they need to work out is what it would cost them if they had one, and below are some of the areas that would incur most of the cost.

Unsurprisingly, these are the areas of coverage that most cyber insurance policies provide, which in a way makes it easier for a business to assess whether or not it needs to pay for a specific cyber insurance policy.

  • having to restore lost data
  • having to fix or replace any network system or software, including hardware, that has been damaged
  • dealing with the fallout in terms of reputational damage, and having to hire some type of PR company to help fix
  • offering to pay for any customers to have some type of credit monitoring system as a result of a breach
  • the cost of bringing in any outside experts necessary to investigate and possibly fix what caused the breach
  • potentially massive costs of lawsuits from customers/clients etc
  • any regulatory fines or penalties that may be imposed
  • loss of business due to inability to trade whilst network systems are being restored and investigated

Cyber Governance

Cyber Governance is a phrase given to the structure, policies and procedures that any business or organisation has in place (or does not) that reflects its understanding of and approach to dealing with cyber security.

The level of cyber governance will to a large extent be reflected in the cost of any cyber insurance policy, or any restrictions that the insurance company puts in place on such a policy.

A really good tip for any business or organisation is to get hold of a cyber insurance proposal form, such as that from Hiscox, which asks numerous very detailed and specific questions about a company’s approach to cyber security.

This tells you their thinking more than anything else. Their thinking reflects both the experience of cyber security, and their understanding of the best way to prevent any cyber attack.

Using any proposal form as a template for a company’s cyber governance plan is a good way to structure such an approach, and also a good way to realistically reduce the cost of any cyber insurance policy that may be taken out, either with Hiscox or any other insurance company.

Who are the top Cyber Insurance Companies?

Cyber Insurance needs to provide not only financial indemnity, but also some type of Incident Management Team. This normally includes IT Specialists, Lawyers, Ransom Negotiators etc.

Finding the right Cyber Insurance Company can be tricky, and expensive if you get it wrong.

Cyber Insurance is a relatively new form of insurance, and until quite recently was thought of as being quite specialised.

What this means in practice is that there are fewer insurance companies or providers who offer it, compared with other types of business insurance, and those who do offer it tend to vary quite considerably in terms of coverage and cost.

This is likely to change in the next few years as the need for some type of cyber insurance becomes more mainstream.

The risk of cyber crime has grown massively in the last couple of years, and the changes in technology in relation to smart homes, autos, travel etc means cyber security will need to become a feature of everyone’s life, at home, work and play.

Cyber insurance will have to follow this, either as a stand alone policy, as at the moment, or incorporated into other insurance policies.

Cyber Insurance Companies

It is worth just distinguishing between insurance companies, brokers and agents.

An insurance company, sometimes called a carrier or provider, does the actual insuring of the cyber security risk. It assesses the level of risk, decides what level of cover it is willing to provide, and decides how much it wants to charge the business by way of an insurance premium.

This process is known as insurance underwriting. Insurance companies can be based in any country, but often operate on a worldwide basis, or in certain geographical areas.

Lloyd’s of London is fairly unique in the sense that it is not simply one insurance company, but operates effectively as an umbrella organisation for a number of different insurance companies, who trade under the Lloyd’s name, and will normally insure things on a worldwide basis, either under their own name, or the Lloyd’s name.

An insurance broker is an independent agent, who acts on behalf of their client, and approaches several different insurance companies to determine best conditions and price for their client’s needs.

This means they need to really understand their client’s company and business, as well as the cyber insurance market. They receive a commission from the insurance company by way of payment, but legally are always the agent of the insured, not the insurance company.

An insurance agent can be a slightly confusing term. It normally refers to an individual or organisation who acts as an agent of a specific insurance company, sells their products only and receives a commission as a result.

They will always be an agent of the company, not the insured. An insurance agent may also be involved with or representing another institution such as a bank or financial institution.

If they are offering advice on cyber insurance, or any type of insurance, they should always declare if they are an agent of a particular company, or independent. Most do, but not all. It is always worth checking.

Cyber insurance hasn’t made it to cost comparison sites yet, and with the variations in cover and cost, it is well worth considering going to an insurance broker with knowledge and experience of the market.

Cyber Insurance Hiscox

Hiscox have quickly established themselves as one of the leading cyber insurance providers.

For a long time, they have been regarded as one of the foremost insurance underwriters for small businesses, specialising in professional liability insurance, errors and omissions policies, business owners insurance and workers comp.

The move into cyber liability insurance was a fairly natural and obvious one.

Hiscox Cyber Insurance policies will not only offer financial indemnity like any traditional insurance policy, they also deal with the management of the incident or data breach, through what is known as an incident management team.

This will normally consist of a number of negotiators who can deal with any type of cyber crime such as ransomware, as well as companies who deal with reputational damage, and IT specialists who can restore the integrity of any hacked system.

A cyber insurance policy should also have some provision for loss of income or business interruption in the event that the cyber attack or data breach renders the normal day-to-day workings of the business untenable for any period of time.

Hiscox have also focused on producing a number of risk prevention models, training models and practical tools for risk management for a wide range of companies and organisations.

Cyber Insurance AIG

AIG are another leading insurer who have built up a specialism in Cyber Insurance, with three specific policies they underwrite, known as CyberEdge, CyberEdge Plus and CyberEdge PC.

These insurance policies cover the financial cost associated with data breach, as well as cyber extortion, restoring an IT system or network, business interruption etc.

AIG also invest heavily in cyber security advice and cyber crime prevention through training and risk management services, both online and face to face.

Cyber Insurance Chubb

Chubb are one of the largest insurance companies in the world, and trade strongly in North America.

On their website, they claim to be the world’s largest publicly traded P&C insurance company, and the largest commercial insurer in the US.

Whilst this gives them an undoubted presence and strength in North America, it also means they have the resources to be a major force in cyber insurance worldwide.

Chubb have four major cyber insurance policies:

Cyber Enterprise Risk Management

Digitech Enterprise Risk Management

Forefront 3.0 – Cyber Security

Integrity+

These policies have a wide range of different components, which range from standard cyber protection, to extensive loss mitigation and incident response services, privacy notification and crisis management expenses.

A good cyber insurance policy will include basic financial indemnity, but also a wide range of support services to both manage the immediate crisis, and to deal with the resulting fallout.

This applies both in terms of notification to individuals about a potential data breach and its consequences, through to advising and informing any relevant regulatory bodies of the same relevant breach.

Cyber Insurance Companies and Lloyd’s

Lloyd’s is the oldest and most established insurance market in the world, and justifiably has a reputation for both tradition and innovation in insurance related products.

As a market covering a number of different companies, as of 2018 it has approximately 77 cyber risk insurers under one roof, as it were, who can both initiate and cover all types of cyber risk insurance.

Many of the specialist underwriters at Lloyd’s view cyber liability insurance in the same way as they do another specialist type of insurance, kidnap and ransom insurance.

They view cyber liability as being not simply about financial indemnity, but about managing the incident itself in the quickest and most effective way possible. Most Lloyd’s policies will have provision for and cover the following areas:

Breach Response

Liability

Regulatory

Extortion

Business Interruption

Reputational Harm

PCI DSS Assessment and Fines

Perhaps the main advantage that Lloyd’s has over most other traditional insurance companies is twofold.

It has a reputation, normally justified, for producing types of insurance policies that are both relatively fair, cost wise, and are highly innovative in terms of the level of cover they provide.

They also have a reputation for swift and effective claims management handling.

With cyber liability insurance the speed and effectiveness of dealing with the management of the data breach is often as important as, or even more important than, dealing with any long-term financial or reputational damage.

Cyber Insurance Allianz

As well as providing insurance cover, Allianz have a number of what they refer to as risk engineers, who specialise in IT security, and who have their own specialism in evaluating a company’s level of IT security and maturity generally.

They seem to take the approach that they would like to work with companies of all sizes in developing and safeguarding their IT infrastructure, and developing ways of pioneering safe practice.

They refer to this practice as IT maturity. Against this background they then develop any type of cyber insurance that may be needed.

Allianz have two types of relevant insurance policies:

Allianz Cyber Protect

Allianz Reputation Protect

The Cyber Protect policy is the one mentioned above, whereas the reputation protect policy covers the potential risk of reputational damage caused by a number of incidents, some of which could be related to a data breach, and others related to other types of risks depending on the nature of the business.

These can include health and safety incidents or accidents, various types of product liability related claims, business interruption and legal and regulatory investigations.

It seems likely that Allianz separate out these two types of policies because they believe that cover for reputational damage, which can arise from a number of incidents, can be as valuable as simply having that level of cover within a cyber liability insurance policy.

For some people this may be more relevant than others.

Cyber Insurance Aviva

Although Aviva is a fairly well-established name in the insurance market, it is a relatively new player in the cyber insurance market.

This isn’t necessarily a positive or negative thing, and its cyber insurance cover has three main elements: cover for a data breach response, computer cover, and third-party liability.

It is unclear at the moment what level of risk management and incident management help it provides when compared with other major players, such as Hiscox and Chubb, but this may suit some people who simply want a more standard type of insurance policy.

Cyber Insurance QBE

QBE is often thought of as an insurance company that is strongest in Asia, Australia and New Zealand. It does in fact have a very strong worldwide presence, and in relation to cyber insurance it does lay very heavy emphasis on what it terms providing crisis support.

Their panel of experts includes companies such as Experian and Norton Rose, and they seem genuinely thorough in terms of their approach to helping to manage risk.

They also have a number of very well thought through and concise articles on their website that deal with current data protection legislation and implications for individuals and small businesses.

Whilst it may not always be strictly relevant, when an insurance company really understands the nature of cyber security, and puts in place protective tools and training for companies of all sizes to help them prevent cybercrime, it is not only good PR for the insurance company, but also helps mitigate and reduce risk, and should result in lower premiums and better levels of crisis management as well.

One other advantage of being a global company is that QBE can provide policies in different languages, and for companies of all sizes who operate in different geographical areas, they say they are able to provide global cyber programs, which may be valuable for companies who operate in different countries.

Cyber Insurance Marsh

Marsh is essentially the trading name of Marsh and McLennan, one of the world’s oldest and largest insurance brokers. Whilst the size of a company like this may sometimes seem slightly more of a disadvantage than an advantage, in relation to cyber insurance it is probably an advantage.

Sometimes really big companies become quite institutional, and lose their sense of being able to innovate and deal effectively with new and cutting-edge needs and technologies.

With regard to cyber insurance, the history that Marsh has in terms of providing insurance for a wide range of different businesses and industries probably gives it the edge over most other brokers in terms of understanding the needs of businesses generally.

It is this understanding of how an industry or business works that allows it to model the risk to the business in terms of cyber liability, and make recommendations accordingly.

Any insurance broker is only as good as its knowledge and understanding of the industry that it is arranging insurance for, as well as its knowledge of the insurance market it is working in.

Cyber Insurance Symantec

Symantec is a name more commonly associated with cyber security, being one of the most well established players in anti-virus and malware software.

In the last couple of years it has taken the initiative to team up with a number of insurers to help provide them with the knowledge and experience of what developing cyber risks are, and what needs to be done both to mitigate risk and develop insurance solutions relevant to meeting those risks.

There is no doubt about the value of a company like Symantec using its vast experience to help insurers really understand the nature of cybercrime and how it is developing in ways that insurers would not be able to do themselves.

In some ways this may be more helpful to insurance brokers rather than insurance underwriters, as a large part of the work that a good insurance broker will do will be to help model risk, and advise companies at what level of risk they can self insure, and where they need some type of cyber liability insurance policy to cover risks they cannot manage.

Cyber Insurance Aon

Aon describes itself as a leading global professional services firm providing a broad range of risk, retirement and health solutions.

It goes on to talk about 50,000 colleagues in 120 countries empowering results for clients etc. For people who like jargon this is fine, but it is also unfortunate because it could put people off looking at them as a prospective broker.

In fact they have a significant place in providing cyber insurance advice and experience, and have a wide range of products and services which could be extremely useful to a wide range of businesses. It may not help their credibility by advertising in their products section that they provide bedbug insurance (which may well be useful for some people) alongside cyber insurance.

In February 2018 Aon teamed up with Cisco, Apple and Allianz to provide what they term a new cyber risk management solution, bringing together the various strengths of the four companies involved.

Partnerships like this could well be a significant move forward in terms of providing solutions that integrate technology, insurance and risk management.

In addition, Aon have their own online cyber diagnostic tool that allows companies to fill out a questionnaire, from which Aon will provide a detailed report back to the company analysing their potential exposure to cyber risk and cybercrime liability.

Cyber Insurance PWC

PWC, long thought of as one of the world’s leading accountancy firms, also have a strong reputation as a leading firm of business consultants. With regard to many areas of business, this often puts them in a unique position to help advise a wide range of organisations, and this is certainly true of cyber insurance.

Their consultancy experience allows them to focus on managing cyber risk, with a special emphasis both on the business and technical side. They have a defined approach to what they refer to as cyber resiliency, which allows them to advise on risk management, best use of technology and operations and incident response.

Their work is often thought of as purely preventative, which is not necessarily a bad thing, but should also be thought of as part of helping a business or organisation of any size or type build and develop a culture where there is an understanding of and respect for the need for cyber governance at all levels of the operation.

Cyber Insurance Nationwide

Nationwide describes itself as a mutual insurance company, although there is a disclaimer on its website that not all companies associated with it are mutual, so it is difficult to be clear whether or not it is a mutual company in the traditional sense of how they are understood to operate.

This can be important to some people, as mutual insurance companies are thought of much in the same way as credit unions, and many people respect this type of mutual benefit.

Notwithstanding that, Nationwide, together with Hartford Steam Boiler, offer three fairly standard cyber insurance policies that cover data compromise protection, identity recovery protection and Cyber one protection, which focuses on protecting against damage caused by malware or viruses. There is also some general advice about securing your business against risks from data breaches, denial of service etc.

Although Nationwide are a well-respected company, it is not clear from their website exactly how much experience they really have in this type of insurance, and whether or not they should be considered a serious player at the moment.

Cyber Insurance Munich Re

Munich Re are one of the oldest insurance companies around, and have a strong and valued reputation for all types of insurance.

With regard to cyber insurance, they offer an insurance policy called cyber one protection, designed by Hartford Steam Boiler. It is not clear whether or not this is the same insurance policy issued by Nationwide as above.

The cover offered seems fairly solid, by way of coping with data recovery for both electronic and non-electronic information, restoring the integrity of the system that has been breached, helping with any loss of business or business interruption as the result of the cybercrime, and helping with reputation damage limitation.

There is also some coverage for third-party liability and potential damages resulting from that.

Cyber Insurance Willis

According to claims data released by Willis Towers Watson, approximately 2/3 of all cyber breaches are caused by employee negligence or wilful action. This is quite a powerful statistic, and unsurprisingly goes to the heart of the approach by Willis to dealing with the whole issue of cyber risk.

Willis, traditionally known by the name of Willis Faber, are one of the world’s oldest and leading insurance brokers.

Their approach to cyber insurance has a threefold basis, that of assessment, protection and recovery, with a heavy emphasis on developing in-house strategies that involve both technology and people, as well as developing a strong ethos of cyber governance throughout the organisation.

Their approach to dealing with cyber insurance seems to embrace best practice as already outlined above.

In addition, they do lay heavy emphasis on providing what they refer to as deep forensic analysis of any data breach or cyber crime, to make sure it is understood how and why it happened and to quickly put in place any preventative measures necessary to make sure it doesn’t happen again.

Cyber Insurance Zurich

Zurich is often thought of as a fairly traditional type of insurance company, and what it offers by way of cyber insurance is a fairly standard type of policy compared with most of the other ones around at the moment.

It does have a number of risk engineering tools and services which can be helpful, and the fact that it is a global underwriting company with a number of offices and agencies around the world can also add an element of attraction for some people.

Cyber Insurance Travelers

Travelers is a well respected and well established insurance company, and seems to be making a fairly intense effort to establish itself as a serious player in the cyber insurance market.

It has a number of tools and resources to help individuals and companies manage cyber risk for any breach, and to deal with the fallout of any situation post-breach.

It has teamed up with Symantec to help companies assess levels of risk, and put in place procedures and policies and training which can help manage the risk and reduce it as far as possible.

It also has a number of specific policies for different types of organisations and businesses. It has a policy called Cyber Risk for a range of different industries and businesses, and a policy called Cyber First for technology companies and public organisations.

It also has a policy Cyber First Essentials for small businesses and SMEs.

Travelers has a range of cyber security coaching and support services available to help organisations and businesses plan and deal with any breach. They have what they refer to as a Breach Coach, a Symantec Cyber Security Coach and a HIPAA Coach.

Travelers also has an e-risk hub which brings together a range of its policies, wordings and benefits. There is also a cyber academy, which has a range of videos and training tools which give people easy to understand information about the ongoing types of cybercrime and cyber risk, and how best to reduce and manage them.

Tata AIG

There is a fair amount of talk that tech companies in India do not take cyber security and insurance as seriously as they should, given the size and growth of India as a major player in both providing and servicing so much of the world’s technology industry.

Whether that is true or not, Tata AIG have structured what looks to be one of the most comprehensive cyber insurance policies around, and have very clear and detailed information about data liability covers, in terms of loss of personal information, loss of corporate information and outsourcing, as well as network security.

It also provides extensive cover for reputation and response costs in relation to forensics services needed to restore integrity of the system and the company, repairing and restoring the company’s reputation, notification of a data breach to individuals that information has been stolen and reporting to regulatory bodies where appropriate and necessary.

Their policy also provides some help with credit monitoring and provides optional extensions for multimedia liability, cyber privacy extortion and network interruption.

Tata AIG also have a range of directors and officers liability, professional indemnity, errors and omissions insurance policies, and as part of that also have a crime and fidelity insurance policy. This policy addresses the unpleasant issue of senior and trusted staff stealing from, or in some way allowing criminal activities to happen within a company.

No one likes to think that this is likely, but as the claims report from Willis shows, approximately 2/3 of all cyber security crime arises from staff negligence and malfeasance. Intentionally or not, the need to have some level of security regarding activity or inactivity by senior staff, and often those below them, is fairly evident, however unpleasant that may be.

Cyber Insurance JLT

JLT (Jardine Lloyd Thompson) are perhaps not as well known as some of the major insurance brokers, and would perhaps be regarded as a specialist London Market insurance broker.

Whilst they are certainly specialists in the London market, they also operate worldwide, and have an outstanding reputation in all areas of insurance they provide advice on, with cyber insurance being one of their specialities.

They provide extensive levels of advice and guidance to companies on how best to manage cyber risk, especially to companies who are new to the idea that their business may need help.

They have a unique data organiser tool which helps businesses assess risk and provide details of the company’s cyber risk exposure.

They also advise companies where cyber insurance excludes certain types of risks such as patent, software and copyright infringement, failure to take required security measures and certain employment-related claims.

Cyber Insurance Hartford

Hartford is a well-established and well-respected insurance company, and certainly provides cover for cyber insurance.

It seems to have a slightly more distant approach than some other insurance companies, in that it has cyber liability insurance and data breach insurance, coverage of which can be added to existing business owners insurance policies and general liability insurance policies already underwritten by the Hartford.

It also has its own cyber choice first response which is designed to develop a cyber incident response plan, advise on cyber security and provide a coordinated defence to any cyber attack, and help deal with the consequences of any incident that might happen.

Cyber Insurance Arthur J Gallagher

Arthur J Gallagher have a well-deserved reputation as a broking firm of high integrity. Whilst you would hope most insurance brokers have this, it can make a real difference when dealing with a significant amount of cyber liability risk, which often involves dealing with areas of certain businesses where trust is significantly lacking.

As a company, they have significant experience in cyber insurance, and are well able to structure individual programmes and policies to the nature of a particular business organisation.

They also have a significant knowledge center available to clients, which can provide background information and detailed reports about the current nature of cybercrime, what the most likely cyber risks are, and the best way to provide varying levels of protection within a company or business.

What is Cyber Insurance and What does it Cover?

Cyber Insurance is a dedicated insurance policy that provides both financial cover and practical help to anyone who has been a victim of a cyber crime. At the moment, this type of policy is aimed mainly at businesses and organisations, of all sizes, any of whom could be vulnerable to a cyber attack or a data breach.

This is likely to change significantly in the near future as more and more areas of people’s individual lives are becoming vulnerable to cyber attacks, such as their cars and their homes, and the whole nature of cyber insurance will have to evolve to deal with these threats.

This is likely to mean that either people’s home insurance or their car insurance will have to start covering the risks of a cyber attack, or cyber insurance policies will have to evolve themselves to cover these areas.

Cyber Insurance and Indemnity

Insurance companies talk about indemnity, which is an important concept to understand. It means that the insurance policy is designed to put the insured in the same position as they were before the loss happened.

With regard to cyber insurance this means that not only is there financial protection included as part of the insurance policy, but the insurance policy should also cover practical areas of help, such as lawyers, I.T. technicians etc. Some cyber insurance policies do include these extra areas of help, and some don’t.

Deciding what type of cyber insurance policy to buy is often determined by how much additional help is available, in the policy, in the event of a data breach, and quite often the cost will reflect this.

Cyber Crime

Cyber crime is considered one of the fastest growing areas of criminal activity, if not the fastest, and is evolving and changing quickly. This makes keeping up with an understanding of current threats more difficult, but there are a number of specific areas that need to be understood.

Cyber crime normally refers to a situation where information or data has been stolen from an individual or an organisation, normally known as a data breach, and there is either some financial loss as a result, some reputational damage, or something such as a ransom demand to release a computer or network that has been encrypted by a third party hacker.

Cyber Insurance Policy Cover

These are the basics of what a good cyber insurance policy can offer, although as said above, policy cover will differ significantly between insurance companies.

Incident Management Team

This is a general term for a team of specialists who can effectively take over and oversee the management of any claim as soon as there is a known reporting of a cyber crime. This can include the paying of any ransom demand, and the restoration of any I.T. systems that have been breached as a result.

This support team should be able to investigate the data breach, find out how it happened, restore any computer systems to full integrity, notify any clients or customers that the data breach has happened and its implications, and notify any relevant regulatory or statutory bodies that need to be told.

The incident management team should also include a legal team, a company that can offer access to a credit monitoring system to help with the risk of identity theft, a PR company who can help with reputational damage, and a specialist who can negotiate in the event of a kidnapping demand for any type of information, or ransomware.

The Cyber Insurance Policy will also need to have a significant financial indemnity cover, which may be needed to pay any ransom demand, loss of income or business interruption, any type of cyber extortion or criminal activity, and any costs needed to repair the infrastructure of the computer or network system involved.

Who is at Risk?

People often tend to associate cybercrime with big companies such as Facebook or Sony, or with governments, as data breaches that affect them tend to be the ones that get the most publicity.

In fact anyone who owns a computer that is linked to a network of any type is potentially at risk.

This applies to people who have a computer connected to the internet in their own home, as well as any computer they may use at work. It also applies to any smartphone that they may have, and quite soon will apply to the car they drive and the washing machine and refrigerator in their home as well.

Whilst it is difficult to predict trends in this area, there is quite a lot of anecdotal evidence that cyber criminals are increasingly targeting normal everyday people for relatively small amounts of money, through various types of ransomware and threats, as well as big companies and corporations.

It is very easy to scare people into giving away relatively small amounts of money, and in some ways this can be much more cost effective from the criminal’s point of view. From the point of view of the person who has experienced the crime, they are likely to feel as violated as if they had either been physically attacked or their home had been broken into.

The Internet of Things

There is often reference nowadays to the internet of things, normally in the context of how it is going to change everyone’s life within the next 5 years.

What it is really referring to is that virtually every device that is now being produced is being given a wireless capability so that it can connect to the internet, as well as connecting to other devices in the home or office.

This means that anything from a refrigerator or an oven, through to a baby alarm or your car can connect to the internet and speak to other devices. There is a huge area of debate about the implications of this regarding privacy and other things, although what is absolutely clear is that it is going to present a huge potential risk of cybercrime.

Companies love the idea of being able to connect their devices or products to the internet and other devices, and the rush to do so and get them to market often means that the security capabilities are not as carefully thought through as they should be, and that software updates are not issued or installed automatically as they should be either.

Some people like the idea of a smart home or office, other people find the idea pretty horrible. Either way in the next few years virtually everything that every individual owns or uses is likely to have the capability of connecting to the internet wirelessly.

This has huge security implications, and is an issue the insurance industry has not fully caught up with. This means that most people’s standard home or auto insurance policy is vague about its cover in this area, and people could be left in limbo as to whether or not they are covered for any data breach that happens in their own home.

Identity Theft

The risk of identity theft has been around for some time, but the growth of cyber crime and the amount of personal information that is shared online and through smartphones mean that the risk of identity theft is probably now greater than ever.

From an insurance point of view, some home insurance policies do already provide some degree of cover for identity theft, either as part of the policy or as an additional section that can be bought at extra cost.

The problem with the existing level of cover is that all it really does is help provide access to additional levels of credit checks and a few other useful but not really that important areas of restitution.

What most identity theft insurance protection does not do is actually help the person recover any loss that may have been incurred as a result of their identity having been stolen.

What tends to happen is that a person will have their identity stolen, and then the criminal will use that person’s identity to obtain bank loans or credit cards or other financial benefits in that person’s name, and then run.

When the original person discovers that their identity has been stolen and fraudulently used, the anecdotal evidence is that most banks and other institutions are relatively unsympathetic, and the onus is on the individual to prove that they did not take out the loan or credit card etc.

This is where an insurance policy could probably help, but at the moment there seems to be little by way of practical benefit that most policies offer. This may well need to change with the growth of cybercrime and cyber insurance.

Cyber Bullying

It is worth flagging up cyber bullying as being a major element of cyber crime, although it is not often thought of as such because the bullying tends to be emotional rather than financial.

The consequences of cyber bullying can be devastating for individuals and families, and whilst there may not be an awful lot that an insurance policy can do, the overall approach to cyber security can have a hugely beneficial effect in terms of minimising the effect of bullying, and taking steps to deal with its perpetrators.

Liability Insurance

Many companies and organisations believe that they already have enough cyber security insurance under different levels of liability insurance that they have already taken out. These types of insurance policies can include product liability insurance, errors and omissions insurance or simply a public liability insurance policy.

In truth, they are unlikely to have sufficient cover, and any cover they do have is likely to be financial only, and not include any incident management team as specified above.

One of the problems is that there are a lot of companies and organisations who do not have a sufficient cyber governance program, and therefore do not take cyber security as seriously as perhaps they should.

Cyber Governance

This is the name given to any structure within a company or organisation, which should represent best practice for establishing policies and procedures that both minimise the risk of, and deal with, any data breach that may occur within the company.

It can be thought of as similar to a risk management structure, and depending upon the size and structure of the business, should have a dedicated board member or partner who has specific responsibility for all aspects of cyber security.

This position does not have to be a person who has a lot of technical knowledge of computers, but needs to be someone who can implement a policy which includes both technical and non-technical assessments of cyber security risks and how best to deal with them.

ABOUT / CONTACT

Hi – I am a freelance writer specializing in Cyber Insurance and Cyber Security.

Insurance is about identifying and managing risk, and this site aims to help promote an understanding of the main issues around Cyber Security in order to do that.

Insurance does not necessarily mean an insurance policy, it can also be about self management of risk, although people don’t often think about it in that context.

With Cyber Security that is crucial, given the transformation technology has effected in our society in the last few years, and what is likely to come in the near future

Please feel free to contact me as below

Dominic

Dominic Birt – email : db@cyberinsuranceandsecurity.com

What is a Smart Home Security System?

Most people would probably give a slightly different answer to the question of what is a home security system, let alone a smart home security system.

Any security system in a home is often thought of largely as an alarm system, possibly coupled nowadays with various types of CCTV cameras and other types of technology that can alert and detect intruders.

A home security system certainly can be that, but can also be a lot more.

The traditional method of securing a home has always been locks and mortar.

As time has gone on, technology has allowed more and more sophisticated devices to let people believe that their home is safer.

A smart home, both now and in the future, is one where essentially all the systems and devices in the home can connect or talk to each other wirelessly, and can be centrally controlled either through a smart phone app or some type of voice recognition system.

Inevitably a smart home security system will consist of a combination of locks on windows and doors that can be controlled wirelessly, as well as a combination of burglar alarms, CCTV cameras and various other security devices.

Smart home security system

The proponents of a smart home security system will argue that the combination of all these factors, and the fact that they can be coordinated and controlled through a central wireless system makes the whole process of safeguarding and securing a home much easier.

That can certainly be debated, but to an extent misses the point.

While there may certainly be some advantages, from a convenience viewpoint, in the ability to co-ordinate various connected devices, it does also leave someone’s home much more vulnerable to the possibility of being hacked.

The idea of cyber security and internet safety is one that most people are probably aware of, even if it is only the notion of computer viruses and computer malware.

Most people who have a PC or tablet in their home are likely to have some type of antivirus software installed, may or may not have a firewall activated and most likely don’t take the risk of being hacked too seriously.

The scenario changes significantly when a smart home exists, and a smart home security system is the main or only line of defence against any intruder or unwelcome visitor.

There are already many anecdotal instances of baby monitor alarms being hacked by individuals who then use that device to say things and shout things that will upset or disturb the baby or child near the device.

Whilst these reports are certainly disturbing in themselves, they should also be disturbing to the manufacturers of these devices.

The vulnerability of these devices lies not only in the devices themselves, but in the continual upgrades they will need over their lifetime in order to keep them secure.