Why Cyber Insurance

Cyber Insurance
Protection for the Modern Business

What is Cyber Insurance?

Cyber insurance today covers a broad range of risk mitigation services, breach response services, and compensation for losses brought about by a cyber or data breach event.

Do I need Cyber Insurance?

Organizations invest heavily in IT systems, data management and the security for those systems. What happens if those investments fail or data security is breached? 

Failure of those safeguards may cause sudden serious financial and reputational loss. Cyber insurance provides companies with the financial resources as well as expert talent to address a cyber breach, lawsuit or act of cybercrime.

What does Cyber Insurance Cover?

Cyber Insurance is About More Than Technology

A range of services and coverages is often found in these policies.

  • Employee Training
  • Executive Training
  • Educational Tools
  • Posters
  • Documentation – up-to-date and comprehensive, including incident response, data recovery, and business continuity plans
  • Alerts on evolving cyber threats

This coverage is not available in the $250,000 or smaller policies. It may be available from one or more of our AM Best A+ rated insurance partners.

  • Privacy counsel may determine whether a breach has occurred and the legal duties facing the organization, including notification of regulators and third parties, under state and federal law
  • Computer Forensics to determine the cause of an event
  • Notification costs including professional notification as required by law
  • Public relations and crisis management expertise and related costs 
  • Cost associated with credit monitoring services including identity theft coverage to assist the victims of a breach
  • Ransomware. When an organization incurs authorized costs associated with ransomware, they may be covered.[1]
  • Data Recovery and Restoration. Insurance may cover the organization’s costs to recover and restore data.[1]
  • Business Interruption. Loss of profits or operating expenses of an organization may be covered.[1]
  • Contingent Business Interruption. This extraordinary coverage may pay for the costs arising from an organization’s inability to secure services from a services provider upon which the company relies.[2]

[1] This coverage is available under the $250,000 Program
[2] This coverage is not available under the $250,000 Program but may be available from one of our A+ rated AM Best providers on policies of $1M or more.

  • Network liability coverage which provides for the defense costs and payment of damages arising out of a breach of the company’s system that impacts another
  • Privacy liability coverage which provides for the defense costs and payment of damages arising out of a breach of the company’s system that impacts the privacy rights of an individual
  • Regulatory Fines and penalties which support a company for the defense costs and damages in the event a regulator determines an event or its handling failed to meet the appropriate standards

Website media coverage is only available on policies of $1 million or more.

  • Social Engineering. Cyber insurance may cover the loss of funds arising from fraudulent instructions.

Does Cyber Insurance Replace Cybersecurity?

(Hint: The answer needs to start with no.)

Cyber insurance can form part of an overall risk management plan for an organization. Typically, this exposure is not covered under Commercial Property, Liability or Business Owners policies. For larger companies, Directors and Officers insurance needs to be analyzed to help avoid personal liability exposure for members of the board. Without cyber insurance, an organization has made the decision to self-insure against losses arising from a cyber event. Organizations must ask themselves if they have the expertise, talent and financial resources to handle a cyber event on their own, including a data breach which massively impacts the business.

Join us in repeating out loud:
  • Cyber insurance does not replace the need for cybersecurity
  • Regulatory compliance is not the same as cybersecurity
  • Cyber insurance helps manage a defined range of cyber risk

Regulatory compliance may be mandated or represent best practices. Cyber risk assessment, measurement, management, and mitigation are the bedrock of a healthy organization.

AssuredOne - More than Cyber Risk Insurance

We deliver a best-in-class evaluation of your company’s cyber risk. The benefits of using our system include objectivity, independence, uniform measurement tools and the ability to customize risk assessment and improvements, consistent with your ecosystem, whether you are a boutique, SME, enterprise, or a Fortune 500 company.

Cyber Health Essentials™, Cyber Pro Maturity™ and TripleHelix®

Right-sized cybersecurity assessments are offered in four tiers of Cyber Health Essentials™ – for smaller organizations, typically under $20 million in gross revenue – and in two tiers of Cyber Pro Maturity™, for medium-sized companies.

The full TripleHelix® assessment is reserved for larger organizations and high-risk organizations. TripleHelix® entails an on-site visit by Assured’s cybersecurity engineers and, itself, is tailored to the complexity of the organization’s ecosystem, indicative threats, history, and third-party data or reliance upon the organization’s products or services. Many proprietary features of Assured’s cybersecurity assessment system inform the thoughtful insights offered by the roadmap and CyberScore®. 

Among the unique assessment tools of a TripleHelix® assessment is AssuredScanDKV® – the world’s only patented Deep Software Scanner. AssuredScanDKV® picks up where network scanners stop and provides precise identification of known vulnerabilities in the binaries of any software. This tool is critical to improving security because more than 80% of all successful cyber-attacks exploit known vulnerabilities in software. AssuredScanDKV® provides reliable step-by-step remediation instructions.

Available in the TripleHelix assessment, the Assured RoadMap™ details those security and risk mitigation measures which are working well, and recommendations designed to mitigate the risk, both cost-efficiently and customized for the client’s needs. For Cyber Health Essentials™ and Cyber Pro Maturity™ an appropriate roadmap report is also provided.

The CyberScore® is a number calibrated from 300 to 850, akin to a FICO® score, so that everyone instantaneously understands what the number means. This CyberScore® is based on the facts collected, correlated with threats and critical interrelationships affecting cyber risk in the ecosystem of the client. The CyberScore® is derived from a sophisticated, actuarially based risk analytics engine; it is not based on guesswork, not merely a scan of the dark web, and not dependent on a series of made-up algorithms. The initial CyberScore® serves as a benchmark or snapshot defining cyber risk as of the date of the assessment. After executing improvements (remediation), a quick refresh of the CyberScore® may provide a concrete measurement of risk reduction – how the improvements made have affected the CyberScore®.

A CyberScore® baseline range defines the range in which the CyberScore® most likely resides. As one proceeds to a more sophisticated tier of Cyber Health Essentials® or Cyber Pro Maturity®, the fidelity of the CyberScore® measurement improves. A CyberScore® without the baseline range is always provided with a TripleHelix® assessment.

Regulatory compliance is not the same as cybersecurity.

Many organizations are faced with legally mandated cybersecurity reporting – defense contractors, banks, credit unions, other financial institutions, electric power generators, healthcare providers, and many others. Increasingly, organizations are holding themselves to best-practice standards such as ISO-27001/02. The array of regulatory compliance reports may seem daunting.

AssuredOne offers online any regulatory compliance reports which any of our clients require. Today we are able to offer dozens of these requirements online including privacy regulations such as GDPR and CCPA. For any client requiring a regulatory compliance report which is not currently available, Assured Enterprises, our parent company, will create and deliver online the required report at no additional cost to the client. We only charge for the actual preparation and delivery of the client’s report. As a result, today we can offer some esoteric or unusual regulatory compliance reports such as OSFI, required for financial institutions operating in Canada, the U.S.-Swiss Privacy Shield and NIAP, required for companies operating in Qatar. 

You can find a list of currently available regulatory compliance reports here.

Remember: Compliance with legally required or self-imposed reporting reduces only the risk of non-compliance. Compliance may demonstrate a generic degree of cybersecurity. Only an in-depth cyber risk assessment of your organization’s ecosystem can illuminate the true cyber risk (likelihood of attack by a bad actor) which can lead to improvement in your organization’s cybersecurity posture and an understanding of how cyber insurance may help manage your organization’s risk.

The identification and elimination of known security holes can eliminate approximately 80% or more of cyber-attacks. We can scan for these vulnerabilities and close the exploitable loopholes. AssuredScanDKV® is Assured’s patented software that uniquely searches binary executable files for known vulnerabilities and provides a prioritized list of potential exploits. This scanning solution does not replicate or replace network scanners. Instead, it is the only scanner of its kind that picks up where other scanners leave off, providing you with more comprehensive, actionable data.

AssuredScanDKV® is approved for use by the U.S. Department of Defense on their most sensitive networks after passing stringent testing and evaluations. DKV has been granted Department of the Navy Application and Database Management System (DADMS) approval for use on systems up to the Top Secret/SCI.

As one official told us: “We know what is on the market. We know that no one else can detect known vulnerabilities as you can. This is an incredibly valuable tool.” – Director of Cybersecurity Operations for an agency of the U.S. Intelligence Community.

AssuredOne offers cyber risk insurance only from AM Best A+ rated insurance companies. The AssuredOne Program provides a $250,000 policy, with impressive first party coverage, and no deductible. Policies which provide for third party coverage and higher limits are also available from our team of AM Best A+ rated insurers. Typically, these policy limits are: $1M, $2M, $10M, and $25M. However, specialized coverages and limits may be arranged, including for policies of $100M or more.

AssuredOne also offers Insurance Gap Analysis as a service. We can evaluate all of your existing policies in order to define redundancies, gaps in coverage, and inconsistencies between your organization’s risk and your existing policies’ ability to help manage your true risk. In our experience, organizations facing complex threats, maintaining highly sensitive data, including personal identifying information (PII), and other growing risks ought to work with a triumvirate of experts – outside legal counsel, an insurance professional steeped in cyber risk insurance and a cybersecurity engineering team.

AssuredOne's Expertise

Libby Benet, past-president of AssuredOne, discusses effective management of cybersecurity threats in this two-part episode of the Paradigm Shift Podcast.

Chairman and CEO of Assured Enterprises Inc., Stephen Soble, spoke with Information Security Media Group in London.

In Episode 68 of the Paradigm Shift Podcast, Libby Benet, past-president of AssuredOne, discusses her path from lawyer to insurance executive to cybersecurity advocate in The Truth and the Myth of Managing Cyber Security Risk.