Appendix I: Cybersecurity insurance
Because most commercial insurance policies exclude coverage for cybersecurity-related damages, a separate policy, or rider, is required. This is especially true for organizations that have significant customer or client PII, that process online credit card payments, or that are otherwise highly dependent on the web to conduct their business.
In addition to insurance that covers losses relating to damage to, or loss of information from, IT systems and networks, policies generally include significant assistance with and management of the incident itself, which can be essential when faced with reputational damage or regulatory enforcement.
The National Association of Insurance Commissioners has provided a primer on cyber insurance, published on the US Federal Trade Commission resource page addressing cybersecurity for small businesses. While this primer targets small businesses in the United States, the concepts captured below are widely applicable.[36]
Insurance should cover cyberattacks on data held by vendors or other third parties as well as attacks on your own network. As noted, coverage should include theft of personally identifiable information. It should also cover terrorist attacks and attacks that occur anywhere in the world. Other considerations include legal expenses, excess coverage over any other applicable coverage, and access to a breach hotline.
The ’Cyber Insurance’ primer explains first- and third-party coverage as follows:[37]
First-party cyber coverage protects your data, including employee and customer information. This coverage typically includes your business’s costs related to:
Legal counsel to determine your notification and regulatory obligations
Recovery and replacement of lost or stolen data
Customer notification and call center services
Lost income due to business interruption
Crisis management and public relations
Cyber extortion and fraud
Forensic services to investigate the breach
Fees, fines, and penalties related to the cyber incident
Third-party cyber coverage generally protects you from liability if a third party brings claims against you. This coverage typically includes:
Payments to consumers affected by the breach
Claims and settlement expenses relating to disputes or lawsuits
Losses related to defamation and copyright or trademark infringement
Costs for litigation and responding to regulatory inquiries
Other settlements, damages, and judgments
Accounting costs
While cybersecurity insurance is an important aspect of an organization’s strategy, it should not replace best practices, policies and controls. In fact, insurance provider underwriting requirements and fee structures are increasingly dependent upon effective cybersecurity policies and programs.