What should risk managers look for in a cyber policy? | Insurance Business

Cyber risks have been gaining prominence in recent years, and the accelerated shift to remote working caused by the COVID-19 pandemic has further magnified the need for organizations to manage cyber risk properly.

While there are various ways to manage cyber risk, one important component is cyber insurance. But the cyber market is relatively new and is still in its early development stages, which means information is scarcer than with more established lines.

“Before the pandemic, cyber liability was already set to become the most important type of coverage for a business,” Luis Gazitua, principal of JAG Insurance Group, told Corporate Risk and Insurance. “With the uptick in digital dependencies as companies transitioned to remote work, cyber protection became increasingly prominent as different organizations and companies fell victim to hacks and Zoom bombs.”

According to Gazitua, with companies transitioning to hybrid work environments, cyber liability will become the most important protection need.

“With individuals and companies saving data to the cloud, commercial cyber liability must be incorporated into business plans to prevent data breaches and other cybercrimes,” he said. “Similar to how technology changes, cyber protection is also evolving, but it is evident that the cyber liability market has become one of the prime insurance markets.”

To help risk managers navigate this new space, Gazitua gave several tips on what to look for in a cyber policy.

“Reviewing a cyber policy is similar to reviewing most insurance policies, due to the fact that risk managers must be aware that the amount paid for a cyber insurance premium varies based on the type of business,” Gazitua said.

He stressed that unlike other types of insurance, deductibles in a cyber policy are based on a timeframe, usually 72 hours, instead of a dollar amount.

Also, the type of cyber coverage a company should purchase is heavily dependent on its industry.

“For example, with the Equinox hack, the companies’ main concern was the sale of personal customer information, which in turn would result in loss of reputation,” Gazitua said. “Meanwhile, the recent hacks on pipelines and meat distribution centers resulted in a shutdown of operations and loss of profit. Therefore, risk managers must have a detailed conversation with their agent to review what coverages work best and what cybercrimes would be the most damaging.”

Aside from cyber insurance, there are other ways businesses can reduce their cyber liability exposures. One of the most important is education.

“To reduce exposures, companies need to educate employees on potential security issues, such as recognizing a phishing email and bona fide messages aimed to retrieve credentials or release malware,” Gazitua said. “In addition, tightening current security systems with two-factor authentication is a simple and free tool organizations can implement to reduce hacks. Some other tips include backing up digital files, making sure all operating systems are up-to-date, and having an incident response plan in place. Although this may seem rudimentary, these steps are often overlooked and are key in preventing attacks as cyber criminals seek to take advantage of the most vulnerable.”

In recent times, observers have noted that partnerships between insurance companies and cybersecurity firms have become more common. According to Gazitua, this is beneficial and provides more convenience to companies.

“If you are operating a fledgling business, wouldn’t you want your cyber security and cyber liability all in one swoop?” he said. “Cyber security companies can also audit companies’ current capabilities, therefore making submissions easier for insurance agents. Thus, it is a mutually beneficial partnership that will give all parties involved an advantage.”