Today, businesses are increasingly purchasing cyber-specific insurance in an effort to mitigate the financial impact of a breach or other cybercrime. In terms of what might be covered in a cyber insurance policy, there are basically two types of coverage: “first-party” coverage and “third-party” coverage. First-party coverage covers the types of losses that your company might suffer directly in the event of a data incident. Those losses, some of which may be covered and some not, may include data destruction, denial of service attacks, incident response, crisis management, public relations, forensic investigation, remediation, breach notifications, credit monitoring, data restoration, business interruption, lost intellectual property, theft and extortion, or damage to reputation. Third-party coverage refers to coverage for claims that third parties may make against your company arising out of a data incident, such as data breach lawsuits.
The cyber insurance market is set to triple, from 2014 annual sales of around $2.5 billion to $7.5 billion by 2020. In some sense that news is not very surprising and the number not so high: news of large-scale hacking incidents involving the theft of millions of records seems alarmingly regular. Given what is at stake for companies that possess and could lose large amounts of valuable data, buying insurance makes sense. Cyber-related crime already costs the global economy $400 billion per year, and that number is expected to rise.
But key questions remain. Are cyber risks covered by more general policies that are not cyber-specific? If not, what should cyber insurance look like? Looking at some recent cases involving the still nascent cyber insurance market is revealing.