According to a recent PwC report (for a copy of the report, ), the cyber insurance market is set to triple to $7.5 billion by 2020. With major cyber incidents being reported almost weekly, businesses are looking carefully at cyber insurance as a means to mitigate the cost of dealing with cyber incidents.
Before buying cyber insurance, businesses should undertake the following steps to ensure that they are getting the right product based on their actual needs. This assessment should include the following steps:
Risk Assessment. Evaluate internal policies and protocols related to human, physical and network security, privacy and cyber incident preparedness.
Risk Mapping. Identify potential exposure. This can be done in a variety of ways including, for example, keeping a risk scorecard of the business’ divisions/departments, conducting a gap analysis of the business’ cyber incident response policies and protocols, and developing a risk map identifying and evaluating of key privacy and information security risks.
Benchmarking. Consider the various cyber incident scenarios (from “mild” to “catastrophic”) and benchmark the costs associated with a each scenario based on industry comparables.
Insurance Coverage Gap Analysis. Review the business’ current insurance policies to determine what’s covered and what is not.
Based on this assessment, the business will be well positioned to determine the types of cyber risks it is willing to seek insurance for (e.g., privacy and network security, regulatory liability, crisis management, network interruption, information asset coverage, extortion, etc.).
A business’ size, industry in which it operates, type of data it holds, potential risk exposures, and other considerations will affect the scope of the cyber liability coverage they seek. A clear understanding where it stands on the cyber risk spectrum will be critical in ensuring that a business gets the right cyber liability coverage.
Where appropriate, businesses should retain consultants and/or external counsel to assist with assessment phase described above.