1. Why should I take out cybersecurity insurance?
Today, computer networks are indispensable to your business: from storing data in the cloud, e-mails and electronic payments, to securing confidential information on your servers. Digitising your business activities is often costly and requires new processes to achieve the necessary efficiency.
Although companies are investing in digitisation, proper security of their computer systems is often not a priority. However, the cyber risks that may arise are far-reaching: hacking, phishing, ransomware, data leaks and viruses are common problems for companies today. Statistics show that by 2020, 71% of cyber security companies saw an increase in cyber threats. Belgian companies pay around 100 million euros in ransomware payments to cybercriminals every year.
Companies should certainly be aware of this explosive rise in cyber threats and arm themselves against these threats with appropriate precautions. After all, cyber-attacks can have a major impact on your business operations. Examples include the unavailability of essential network facilities, liability for breach of contractual obligations due to cyber-attacks, data loss and disclosure of confidential data and/or trade secrets. Due to the high dependency on network facilities, a company can be completely paralysed in case of cyber-attacks.
You can protect yourself against these risks on two levels: preventive and curative. Preventively, you can take certain security measures, such as encrypting your company’s data, taking secure backups and installing firewalls on your network facilities, as well as drawing up a good prevention policy and providing good training for your employees. However, this is not enough, as security measures never cover all risks or fully protect against cybercrime. This is where the importance of broad cybersecurity insurance becomes clear: it serves as a curative measure when the harm has already been done. The preventive and curative measures are therefore complementary and not mutually exclusive. Choosing only one or the other is insufficient to protect your company against cyber risks.
2. What is cybersecurity insurance?
Cybersecurity insurance policies usually have three main elements: third-party liability coverage, coverage of the company’s own damages and assistance in the event of a cyber-attack. These elements are commonly found with all insurance providers, albeit in different forms and varying degrees of coverage. Insurance providers often also provide a preliminary analysis of your company’s cyber risks and formulate preventive measures.
Assistance in the event of a cyber-attack or intrusion usually consists of 24/7 assistance to mitigate the consequences of an attack and, if necessary, take action to unblock your business processes. IT specialists, legal advisors, public relations managers and crisis assistants are often called upon.
For your company’s damages in case of cyber-attacks, the coverage depends very much on the insurance company with which you take out the cybersecurity policy and on the formula you choose. Examples of damage covered are business losses, damages due to data loss, ransomware costs, financial losses in case of phishing, costs of specialists made available to your company in the context of assistance, (administrative) fines that your company may incur as a result of the cyber-attack, such as fines for data leaks under the General Data Protection Regulation, and the costs of reporting the cyber-attack to third parties.
The third element, liability for third-party damage, includes the costs of legal proceedings and consequential damages, damage to third-party computer systems in the event of spread of computer viruses or other harmful software and compensation for loss and/or disclosure of (personal) data. The insurance coverage for this element also strongly depends on the insurance formula and the insurance provider you choose.
The premium you pay for cyber insurance can be due on a monthly, quarterly or annual basis and is highly dependent on the size of your company, your business activities and the potential cyber security risks your company faces.
3. What are the points of attention when looking for the right cybersecurity insurance for my company?
Each cybersecurity insurance policy is different in terms of premiums, deductibles, risks covered and assistance. Below, we list some points of interest when choosing a cybersecurity insurance policy:
- First, it is important that your cybersecurity insurance policy is tailored to the risks and activities of your business. For example, a company developing mobile health applications faces a much higher risk of cyber-attacks than a garden contractor. It is therefore important to choose a formula that fits your risks and business activities and to seek customized advice;
- Next, it is important to consider preventive security measures you have already taken to cover cyber risks. Your cybersecurity insurance can complement weaknesses you may find in your analysis. Other insurance policies, such as professional insurance, should also be taken into account;
- You should also take into account the exclusions and limitations of your cybersecurity insurance policy. Indeed, every policy contains such exclusions and limitations, which determine the extent of coverage. For example, your coverage may be limited only to a certain amount or only to direct damage to your computer systems, with no coverage for other damage to your business operations. Also, some insurance policies exclude coverage if insufficient preventive security measures are taken. It is therefore important that you seek customized advice so that you choose a policy that is appropriate for your business;
- The deductible, i.e. the damage you have to bear yourself before the insurance policy intervenes, is also an element to take into account. After all, the damage will often be smaller in smaller companies and your deductible must be adjusted accordingly;
- Of course, the insurance premium is also important when choosing cybersecurity insurance. Although this premium does not outweigh the potential damage in the event of a cyber-attack, your company must also be able to cover this amount;
- Finally, you should consider the assistance that is offered. When can you ask for assistance, within what time frame are cyber problems solved and which specialists are available? These questions are important to be able to swiftly resume your activities.
It is important to take the above points into account when choosing a cyber security insurance policy and entering into contracts with your suppliers and end customers. After all, the level of coverage offered by the insurance policy will also be an important factor in the liability distribution you can accept. Also, proper cybersecurity insurance is a factor in demonstrating that you are taking sufficient technical and organisational measures to protect personal data, which is required under the General Data Protection Regulation.
Monard Law is happy to assist you with your legal questions regarding cybersecurity insurance, its impact on your contractual relationships and other questions regarding IT agreements and the General Data Protection Regulation.