Candice Sutherland, Cyber Underwriter, ITOO Special Risks (Pty) Ltd
We understand that cyber insurance can seem complex; however, it is important to distinguish the policy itself from the complexities of a company's underlying IT environment and from the attack vectors, which are constantly evolving.
Designed to cover the resultant costs and damages from a network security or privacy breach, a cyber insurance policy covers what was previously an uninsurable risk. While called cyber insurance, the policy is far broader than the name would imply, extending to cover a host of incidents including but not limited to:
- Cyber extortion (ransom demands, including ransomware, to prevent a denial of service or the publishing of stolen data)
- Denial of service (disruption to operations)
- Downstream attack (a compromise of the insured’s environment resulting in damages to others)
- Insider and privilege misuse (unauthorised access and unauthorised use of systems and data including by employees and service providers)
- Malware (virus, ransomware, etc.)
- Physical theft and loss (both devices and physical hard copy data)
- Threats posed by third-party access into a client environment
So what does cyber insurance cover?
The policy provides comprehensive cover to respond to a network security or privacy breach. Cover extends from the incident response process through to business interruption losses and the defence and settlement of ensuing liability claims.
First party cover:
- Business interruption losses and increased cost of working resulting from a disruption to operations including from a denial of service attack;
- Costs to obtain professional (legal, public relations and IT forensics) advice, including assistance in managing the incident, co-ordinating response activities, making representation to regulatory bodies and coordination with law enforcement;
- The costs to perform incident triage and forensic investigations, including IT experts to confirm and determine the cause of the incident, the extent of the damage including the nature and volume of data compromised, how to contain, mitigate and repair the damage, and guidance on measures to prevent reoccurrence;
- Costs to restore, recollect or replace data lost, stolen or corrupted;
- Crisis communications and public relations costs to manage a reputational crisis, including spokesperson training and social media monitoring;
- Communication costs to notify affected parties;
- Remediation services such as credit and identity theft monitoring to protect affected parties from suffering further damages;
- Cyber extortion costs to investigate and mitigate a cyber-extortion threat and where required pay ransoms; and
- Fines and penalties to the extent insurable by law.
Third party cover:
Defence and settlement of liability claims arising from:
- Compromised sensitive or personal information, including physical hard copy information;
- A system security incident which results in harm to third party systems and data e.g. the insured’s environment is compromised and used to launch attacks against others including via access to third party environments; and
- Disseminated content (including social media content) resulting in defamation, unintentional copyright infringement or infringement of the right to privacy.
Following an actual or suspected security or privacy breach it is important to confirm the incident, investigate and understand the nature and severity thereof and then contain, manage and recover from the incident. The efficiency and effectiveness of the incident response process has a large impact on the ultimate damages suffered by the insured and affected parties alike.
IT specialists assist with incident triage and forensic investigations to:
- Confirm the incident;
- Determine the cause as well as the nature and extent of the compromise;
- Contain the incident and prevent further loss of data;
- Assist in bringing operations back online and recovering data as quickly as possible;
- Provide guidance on actions to prevent reoccurrence;
- Provide insights to guide further incident response actions required; and
- Collect evidence in a forensically sound manner so that it is admissible in court should there be any ensuing litigation.
While sold as an insurance policy, cyber insurance should be seen as part of a risk management strategy: a retainer for incident triage and forensic services, crisis communications and public relations, affected party notifications, remediation and legal services, with the added benefit that business interruption, increased cost of working, and legal defence and settlement costs are also provided for.