How do you know whether cyber insurance is useful or of added value to you as an entrepreneur? Or which insurance is right for you? In this article, you will find several questions and answers that can help you and we list a few concrete steps that you can take when considering cyber insurance.
What is cyber insurance?
There is not a uniform definition of the term cyber insurance. An insurance policy is basically a payment of a premium from an entrepreneur to an insurer, whereby the risk is transferred from the entrepreneur to the insurer. Cyber insurance is insurance that can cover direct or indirect damage that you incur to or through digital components of your company. For instance, if you become a victim of ransomware or theft of company or customer information. A problem specific to cyber insurance is that insurers use different definitions. So, be aware that the coverage, service, and premium can differ per insurer.
Why cyber insurance?
The added value of cyber insurance increases if you depend on digital systems and the information in those systems for your business operations. Other reasons for taking out cyber insurance may be that customers or suppliers of your company ask for this, because you run an increased risk. For example, due to the products or services you sell, or because you have specific knowledge (intellectual property, such as designs). The risks that you want to insure are the risks that have a high impact, but do not occur often. In the physical world fire or theft would be included. Fire or theft are, usually, uncommon. But when it happens, the damage can be great and the costs usually add up quickly. So always consider whether you can and want to bear the risk yourself, or not. If you cannot or do not want to liable, cyber insurance can have added value for your company.
Do I have to take out cyber insurance?
The cyber insurance market is evolving. The choice of whether cyber insurance has added value for your company is based on your personal risk assessment. Be aware of what you want to protect and choose an insurance policy that covers that. In choosing an insurance policy, make sure that you are not overinsured.
What questions should I ask about cyber insurance?
To help you determine whether or not to take out cyber insurance, here are some concrete questions:
- To what extent is your company exposed to digital risk? You can use information from your sector association, bank, or advisor to answer this question.
- What are the possible consequences and costs of a cyber incident and can or do you want to bear these yourself?
- Check whether your current insurance policies, for example, your liability, building, goods, or inventory insurance, provide cover in the event of a digital incident. Pay close attention to overlap between insurance policies. You can find more information about this in your policy conditions, from your insurer, insurance broker, or advisor.
- Do not assume that your existing insurance policies also automatically cover damage caused by cyber incidents. You can find more information about this in your policy conditions, from your insurer, insurance broker or advisor.
- The cyber insurance market is evolving. As a result, cyber insurance policies are not identical and may differ per module, cover, and premium.
- Premiums and coverage have limitations. What limits are there to the coverage? Are there ceiling amounts or time intervals or both? Do they fit your risk profile?
- What does the insurance cost and is the premium in proportion to the cover and the risks that you run with your company?
What is covered by cyber insurance?
The consequences of a cyber incident can take various forms. As mentioned, it is important to determine what you want to insure and what risk you can and want to bear. The costs of an incident (in Dutch) can quickly add up. Cyber insurance can cover:
- Direct costs of a cyber incident: including repairing or replacing hardware and software, restoring data, retrieving information, and rebuilding the administration. Direct costs include hiring specialists for repair, and loss of (production) hours or turnover.
- Indirect costs: including reputational damage, fines from regulators (e.g., GDPR fines), compensation to victims.
Insurers can also offer services related to cyber incidents, such as:
- Awareness, knowledge, and skills for the entrepreneur or staff. For example, through offering support with online training.
- Incident support: for example, a 24/7 emergency centre and technical support.
- Legal support: for example, in the event of data breaches under the GDPR.
- Forensic services: finding out who is behind an attack.
In order to be eligible for insurance, some insurers first want to know whether you have taken security measures. Sometimes, insurers ask you to perform a risk scan (in Dutch) for your company. It is also possible that an insurer requires certain settings, such as having a virus scanner or firewall (in Dutch). Whether these requirements are requested differs per insurer and will be part of the policy conditions.