The temporary shutdowns of a large fuel pipeline network in the United States and meat processing facilities in North America and Australia are just the latest in a string of high-profile, highly disruptive cyberattacks this year.1 The pipeline ransomware attack was reportedly conducted by a shadowy organization that offers ransomware attacks as a service.2 The “professionalization” (if we dare call it that) of the cyber-criminal underworld has thrown into sharp relief the risk that businesses of all sizes can face from cyber threats.
As businesses and organizations assess their cybersecurity posture and risk management strategies, a cyber insurance policy can play a critical role in business continuity and resilience in the face of an attack.
How cyber policies can help mitigate risk
Following a successful cyberattack, businesses and organizations can face a range of expenses including:
The costs of investigating the breach: A company may need to hire outside experts to investigate an attack and determine its scope.
The costs of notifying and helping affected customers: Some states may require companies to notify their customers, including those whose data has been compromised, and offer credit and identity monitoring for a year or longer.
The costs of restoring and replacing data: In addition to denying access, some ransomware attacks steal company data.3 Companies that suffer an attack typically have to restore and/or replace some, if not all, of their data.
The costs to mitigate reputational damage: Businesses face at least two distinct reputational risks when a cyberattack occurs. The first is that the attackers could steal sensitive company information (including emails, strategy memos, and confidential documents), potentially embarrassing a company and its officers. Second, if news of the attack becomes public, companies can face a serious loss of trust among their customers and an ensuing public relations crisis even if no sensitive material is made public.
The costs to manage long-tail liability risks: Long after the virtual dust settles on a cyberattack, organizations may face lawsuits from affected parties for not securing private information and for an employee whose mistakes (like clicking on a mystery link in an email) may have paved the way for the attack.
Verisk cyber policy program
To help insurers tackle the wide range of cyber risks today, Verisk’s cyber policy program addresses several first- and third-party exposures. The first-party cyber policy forms address the damage the insured experiences following a cyberattack, and third-party policies address liabilities.
The Verisk cyber program’s first-party policy language addresses, among other issues:
- Security breach expenses
- Replacement and restoration of data
- Lost business income and extra expenses
Third-party language helps address:
- Programming errors and omissions liability: This generally protects, in part, against unintentional mistakes that lead to cyber breaches.
- Security breach liability: This typically provides protection in the event a business is sued following a breach.
- Website publishing and media liability: This is an optional coverage that provides, in part, protection against libel, slander, and defamation stemming from a wrongful act.
Verisk’s cyber policy program can accommodate limits as low as $50,000 and up to $100 million, depending on the individual carrier’s risk appetite. Additionally, we’ve nearly doubled the size of our cyber dataset through the acquisition of additional cyber incident data. This data will help us further hone our advisory prospective cyber loss costs.