What Is a Cyber Insurance Risk Assessment?

What is a cyber insurance risk assessment?

Before you get cyber insurance, your insurance carrier will likely conduct a cyber insurance risk assessment on your company. This assessment aims to identify the risk areas and security gaps your company faces. A cyber insurance risk assessment considers your technology, company protocols and daily employee procedures that may create security risks. “A cyber risk assessment is an objective evaluation of an organization’s cybersecurity posture,” explained Mario Paez, national cyber risk leader at the Marsh McLennan Agency. 

Why do you need a cyber insurance risk assessment?

The risk assessment benefits both the insurance carrier and the company it’s assessing. Insurance carriers gain the knowledge needed to underwrite the risk appropriately. A business with many areas that are vulnerable to security breaches will be at higher risk — and incur a higher premium — than a company with fewer issues.

The assessment also benefits the company because the insurer provides a checklist to help label vulnerable areas. With this information, the company can take measures to reduce or eliminate risks. Shoring up exposed systems and processes may prevent hacks and breaches while reducing the premiums the business must pay the insurer.

“Being prepared is essential to minimizing the impact of a potential cyber-related event,” said Rishi Baviskar, global head of cyber risk consulting at Allianz Commercial. “An insurer will conduct a risk analysis to determine the likelihood of events like data breaches as well as a potential for cyberbusiness interruptions.”

How do you conduct a cyber insurance risk assessment?

While an insurance carrier performs the cybersecurity risk assessment, businesses can help the process go smoothly by understanding what the carrier must examine and what systems it must access. “We recommend working with an objective third-party partner to conduct a holistic assessment based on a globally accepted cybersecurity framework, such as NIST CSF and ideally an industry-specific cybersecurity framework that establishes a baseline from which your organization can rank and prioritize next steps for what tools and services to invest in,” said Paez.

While the sequence of events during a risk assessment may vary by insurer, it will generally follow these five steps:

1. Initial preparation: Your insurer will start identifying your crucial information technology (IT) and data assets, including servers, cloud-based operations, customer information and intellectual property (IP). This preparation helps the carrier understand the scope of what you’re protecting. [Related article: What Is Intellectual Property Insurance?]
2. Asset valuation: Your insurance carrier will assign a monetary value to each business asset to quantify the financial impact of a breach or loss. The carrier will consider data recovery fees, IP infringement fees and possible loss of revenue. 
3. Risk analysis: Your insurer will conduct a risk analysis to determine the likelihood of events like data breaches. At this stage, it will consider your current security measures and assess their effectiveness.
4. Assessment report: When the risk analysis is complete, the insurer will send a risk assessment report detailing each physical and nonphysical asset and highlighting the areas of greatest concern.
5. Business review: The business will study the assessment report and the insurer’s proposed strategies to protect your company against identified risks. The company may develop or update its cybersecurity plan and inform the insurer of planned actions. During this step, the business and the insurer can discuss potential amendments to their proposed cybersecurity insurance coverage.

“It’s important to set expectations ahead of starting the assessment — the goal should not simply be to conduct the assessment but also to be prepared to act on the baseline review and results from the assessment, which can be one of the more difficult challenges for organizations,” said Paez.

What is cyber insurance?

A cyberpolicy is business insurance that includes first-party and third-party claims. You’d file a first-party claim if your business had hard costs associated with a breach. Other people could file a third-party claim against you, alleging that your company didn’t adequately safeguard personal and private data. 

First-party cyber insurance covers the destruction of your property, including the following:

• Investigation costs
• Repairs to damaged equipment
• Lost revenue
• Consumer notification costs
• Consumer credit monitoring costs
• Ransom paid to a hacker to restore files

Third-party cyber insurance covers consumer data liability, including the following:

• Legal fees
• Settlements and court judgments
• Regulatory fines

Picking the right business insurance policy is crucial. Many of the best business insurance providers will provide both first-party and third-party coverage associated with cyberincidents as well as other associated business needs. 

What is cyber liability insurance?

Cyber liability insurance is part of a cyber insurance policy. It protects against third-party claims that the business didn’t adequately or effectively secure personal and private data. Employee error and failure to implement safeguards could be listed as the cause of the data breach.

How does cyber insurance help companies mitigate risk?

Cyber insurance won’t remove the risk you face from bad actors or employee errors; systems can still be vulnerable and you could experience a loss. However, starting with the cyber insurance risk assessment, you can get a better handle on your most significant risk areas to avoid common business scams or mitigate an incident’s damage.

In addition to providing insight, cyber insurance helps pay for the damages resulting from a data breach. Many businesses wouldn’t be able to handle a security incident’s out-of-pocket costs, such as reporting, credit monitoring and regulatory penalties, or pay a hefty ransom to get their business back up and running. Without cyber insurance, a company would have a challenging time surviving the damages associated with a cyberattack. 

Depending upon the policy, noted Paez, cyber insurance can also help: 

• Businesses remain operational and resilient after an incident
• Provide peace of mind
• Provide wide-ranging protections for items like privacy right violations, media liability, trademark infringement and more. 

Jeremy Bender and Mark Fairlie contributed to this article.