Cybersecurity insurance is a type of policy purchased to protect against losses from damage to, loss of or theft of data resulting from a failure of cybersecurity or data protection. Businesses of all sizes use cybersecurity insurance to mitigate the risks of doing business online.
Cybersecurity insurance may cover first-party losses to a company from physical data destruction, theft, cyberextortion, insider threats and hacking. Other policies may cover third-party losses for which the holder is liable to other companies. Liability coverage can include loss of data, leaks, errors, omissions and even defamation.
Typically, to qualify for coverage, a company must submit to a security audit or use an assessment tool such as the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool. Coverage is purchased either as first-party coverage, for damages directly to the insured, or as third-party coverage, for liability issues. First-party coverage is more common in the United States, where mandatory breach notification laws force companies to reveal this potentially damaging information.
Cybersecurity insurance is often ineffective in covering intellectual property issues, damage to reputation or associated loss of business. Coverage is also seldom for the total amount of damages. Companies often buy insurance to cover amounts beyond what they would be able to recover from.
Because threats are constantly changing, and even large enterprises are often unaware of their own security risks, existing cybersecurity insurance providers are adding more provisions to contracts as this new market develops. Traditional insurance companies tend to hold back from the market for these same reasons.