Cyber threats are real and growing. And the cyber insurance market is responding with more comprehensive coverage, including specialized policies to protect against ransomware attacks, privacy breach coverages (including coverage for business interruption), cyber extortion losses, third-party claims, social media liability and protection against distributed denial of service attacks.
But do all companies need this coverage? Or do they just want it?
The reality is that cyber incidents can have far-reaching implications, often stretching beyond business interruption and privacy concerns. What about reputational damage? Regulatory penalties and fines? Defense costs (including legal fees)? Or the rising costs of cyber losses not covered by insurance, including investigation and forensic services, data breach notification programs and remediation?
A 2014 Ponemon Institute report found that cyber incidents caused an average of $7.1 million in direct costs to companies. The biggest area of concern for our clients is the threat of a breach, followed by regulatory fines and penalties and then customer litigation. Clearly, attack prevention is their top priority.
But prevention starts with knowing your risks. That's where cyber insurance can help. Cyber-risk specialists at Marsh, a part of the global team at Swiss Re, have identified five key elements that determine whether a company needs cyber coverage:
1. The value of the data held by the insured business and its exposure to cyber incidents
2. The exposure of the insured business to potential regulatory fines and penalties, third-party claims or client litigation due to a cyber incident
3. The ability and willingness of an insurance company to defend and indemnify the insured for cybersecurity events if no coverage exists (examples include breach notification costs)
4. The potential for interference with the use of technology systems used by the insured business
5. The extent to which cyber risks are distributed between consumers and producers, including information sharing
The Cyber Risk Matrix is a new tool that helps companies identify their critical data assets, conduct risk assessments and determine if they have adequate coverage. This matrix also provides opportunities for discussion with your insurance advisors and brokers about what to expect in today's complex global cyber risk environment.
Choosing the right coverage means understanding your risks in this changing landscape, recognizing how they may affect your company's reputation and even its existence, and determining whether your current policies meet all of your needs, with or without cyber insurance.