Cybersecurity insurance, also called cyber liability insurance, is a contract that an entity can purchase to help reduce the financial risks associated with doing business online. In exchange for a monthly or quarterly fee, the insurance policy transfers some of the risk to the insurer.
In the United States, most major insurance companies offer customers cybersecurity insurance policy options. Depending on the price and type of policy, the customer can expect to be covered for extra expenditures resulting from the physical destruction or theft of information technology (IT) assets. Such expenditures typically include costs associated with the following:
- Meeting extortion demands from a ransomware attack.
- Covering damages to hardware from fire or flood.
- Notifying customers when a security breach has occurred.
- Paying legal fees levied as a result of a privacy violations.
- Hiring computer forensics experts to recover compromised data.
Traditional insurance policies typically exclude cyber-risks and this has led to the growth of cybersecurity insurance as a separate, stand-alone type of coverage. Potential customers include any company that accepts digital payments or stores personally identifiable information (PII) about customers, including medical and financial information.
Many entry-level cybersecurity insurance policies only cover first-party losses but some insurers are beginning to offer policies that cover third-party liability losses as well. Many cybersecurity policies exclude preventable security issues caused by humans such as poor configuration management or the careless mishandling of digital assets.
Typically, pricing is based on the insured entity's annual revenue and industry. To qualify for coverage, the individual or entity typically has to submit to a security audit by the insurance company or provide documentation with the assistance of an approved assessment tool, such as that offered by the Federal Financial Institutions Examination Council.
As of 2019, the cybersecurity market is still young and many companies are choosing to forego this type of insurance because of its uncertain return on investment (ROI). In the United States, the Cybersecurity and Infrastructure Security Agency, which operates under the Department of Homeland Security, is encouraging businesses to improve their cybersecurity in return for more coverage at more affordable rates.