Cyberattacks, operational errors or technical failures can paralyze an organization, leading to significant financial loss, regulatory actions and fines, halted productivity or operations, and lasting reputational harm. As workforce reliance on technology grows, the likelihood of operational errors causing significant cyber incidents increases dramatically.
At WTW, we strive to provide innovative solutions using our unparalleled analytics and people solutions to not only identify exposures, but also to find meaningful solutions to transfer that risk. The transfer of this risk through the purchase of cyberinsurance will help protect an organization’s balance sheet when faced with a cyber event, and as such, should be part of any organization’s holistic cyber risk strategy.
Key considerations that increase the likelihood of a cyber event:
- Expanding network perimeter: Supply chain risk and the myriad of interconnected service providers.
- New threat vectors: Ransomware and social engineering.
- Regulatory risks: Global privacy regulation, most notably the EU General Data Protection Regulation (GDPR), continues to tighten with substantially increased financial consequences in the event of a privacy breach.
- Internet of Things: Increasing number of connected devices that capture and share data with one another.
Summary of cyberinsurance coverage
WTW’s innovative coverage solutions address specific cyber exposures across certain industries, even blending crime, property and general liability exposures into stand-alone cyber forms when appropriate. Cyber product offerings vary widely, as there is no uniform set of coverage terms, exclusions, definitions or conditions. Mapping the differences in policy terms is not a simple task and requires careful analysis to obtain the best placements.
We see that building a comprehensive submission facilitates more favorable terms and conditions. As companies continue to make substantial investments to strengthen their security and privacy protections, they will have further leverage to press on pricing and coverage improvements.
There are first and third party coverages provided under most traditional stand-alone cyber policies. First party coverages may include the following:
- Breach response/event management coverage — Direct breach response costs may include those incurred to hire a law firm, complete a forensic investigation, hire a public relations firm, send notifications to affected individuals, set up call center services, complete identity theft restoration and data reconstruction, and provide credit monitoring services.
- Business/network interruption — Indemnification for loss of income, incurred extra expenses and claims preparation costs that arise directly out of a network security breach or system failure which disables the insured’s network. This coverage often extends to outsource provider networks as well.
- Cyber extortion — Covers extortion payments and the associated expenses to investigate a security threat to release sensitive information, refuse to unencrypt it, or bring down a network unless a ransom is paid. Coverage extends to those payments made via traditional currencies, as well as non-traditional crypto-currencies, such as bitcoin.
- Social Engineering — Sub-limited coverage may be available for money or securities transferred by an insured to an imposter as a result of the insured’s good-faith reliance on an email or telephone instruction that purported to be from a legitimate source.
Cyberinsurance key facts and statistics: $3.0b estimated global gross written premium; over $600m total aggregate capacity available for a single risk; 80% GWP from U.S. domiciled entities; 60+ insurance companies with a cyber product offering; key industry sectors: FI, retail, transportation, healthcare and manufacturing.
Third party coverages may include the following:
- Network security and privacy liability coverage — Coverage for indemnity and defense costs for third party claims and regulatory actions alleging a security failure or privacy event. This insuring agreement usually includes coverage for PCI fines, expenses and costs as well.
- Media liability — Coverage for indemnity and defense costs for third party claims alleging media wrongful acts such as defamation, disparagement and copyright/trademark infringement in the dissemination of internet content and media.
More than half of all cyber incidents begin with employees, so it’s a people problem. And the average breach costs $4 million, so it’s a capital problem, too. No one decodes this complexity better than WTW.
As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions and radically improve your ability to successfully recover from future attacks.