I recently was reading an article about Cyber Insurance and got intrigue on the type of coverage offered. Recovering from a Cyber attack can be very expensive and cyber security insurance offers the ability to transfer some of the risks to an insurance company. Some estimates that 1 in 3 company currently have cyber insurance. Then I found this presentation [2] that identified 10 misconceptions about Cyber insurance and provided an answer about each of them. I found very interesting the #1 Objection "We outsource our IT Services" and one of the 3 answers is even if the data is outsourced, "Legal responsibility CANNOT be transferred by contract", it is the data the company has been entrusted to protect.

I started looking around and found several companies offering various type of coverage that range from:

• Covering direct costs responding to an incident
• Lawsuits or claims resulting from a cyber incident
• Reputation management
• Regulatory fines payments.

The policy cost will vary according to several factors such as the industry, the company size, past claims (if any), security in place, etc.

For example, Equifax 2017 data breach cost them an estimated 1.4 billion [3] and they had only $125 million covered by insurance. In the past, this type of breach would have probably bankrupt the business.

I tried one of the Cyber insurance website to get a basic quote for a small IT company with 1 million in liability and the annual cost is $885 per year. Here is the result:

[1] https://www.zensurance.com/cyber-liability-insurance
[2] https://www.schinnerer.com/Content/Industries/Cyber/Documents/Cyber_Webinar_-_Overcoming_Cyber_Insurance_Objections.aspx
[3] https://www.databreaches.net/equifax-reaches-1-4-billion-data-breach-settlement-in-consumer-class-action-also-agrees-to-pay-575-million-as-part-of-settlement-with-ftc-cfpb-and-states-related-to-2017-data-breach/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu