Cybersecurity and Insurance: Foundations

Published by Axio

To understand the relationship between cybersecurity and insurance, we need to build a bridge to support the relationship. We will begin with the insurance side of the connection.

In general terms, insurance is a practice or arrangement by which a company or government agency provides a guarantee of compensation for specific loss, damage, illness, or death in return for payment of a premium.

There are three important elements to the insurance conversation:

  1. The business of providing the actual insurance
  2. Those individuals or entities who pay the insurance premiums
  3. The money that’s paid as compensation under a policy

The insurance industry has been around for thousands of years.

One of the first documented loss limitation methods was noted in the Code of Hammurabi, which was written around 1750 BC. Under this method, a merchant receiving a loan would pay the lender an extra amount of money in exchange for a guarantee that the loan would be cancelled if the shipment was lost or stolen.

Modern insurance can be traced back to the Great Fire of London in 1666, where 30,000 homes were destroyed. A man named Nicholas Barbon started a property insurance business. Back then, a fire was a high-probability event, considering that most structures were made from flammable wood. It was easy to calculate the potential loss amount because the risk was understood. The insurer could protect against it by charging a fixed amount over time known as a premium.

From the notion of a simple property insurance policy, the industry slowly evolved to protect against emerging risks that required protection.

Some common insurance policies include:

  • Crime: designed to address the loss of money, securities, and other assets resulting from dishonesty, theft or fraud.
  • Fidelity: sometimes known as a fidelity bond, protects a business owner against the theft of money, property, forgery, or fraud by an employee.
  • Kidnap & Ransom: covers a range of crisis perils, including kidnapping, extortion, assault (known as active shooter or workplace violence) and more.
  • Technology E & O: designed to protect against the specific professional liability risks that people operating in the technology industry commonly face.
  • Miscellaneous E & O: also referred to as professional liability, offers more flexible coverage designed for a wide variety of small businesses and sole practitioners.
  • Product Recall: covers expenses associated with recalling a product from the market. Product recall insurance is typically purchased by manufacturers such as food, beverage, toy, and electronics companies to cover costs such as customer notification, shipping costs, and disposal costs.
  • Directors and Officers: protects the personal assets of corporate directors and officers, and their spouses, in the event they are personally sued by employees, vendors, competitors, investors, customers, or other parties, for actual or alleged wrongful acts in managing a company.
  • Workers Comp: Workers’ compensation insurance, commonly known as workers’ comp, is insurance that covers medical expenses and a portion of lost wages for employees who become injured or ill on the job. Coverage also includes employee rehabilitation and death benefits.
  • Terrorism: A commercial terrorism policy covers damaged or destroyed property—including buildings, equipment, furnishings and inventory. It may also cover losses associated with the interruption of your business. Terrorism insurance may also cover liability claims against your business associated with a terrorist attack.
  • Umbrella: A commercial umbrella policy extends the limits of some of your primary liability insurance policies, such as general liability insurance and commercial auto insurance. For example, it can apply when the property damage and bodily injury costs exceed your business' commercial auto liability limits.
  • Auto: Its primary use is to provide financial protection against physical damage or bodily injury resulting from traffic collisions and against liability that could also arise from incidents in a vehicle.
  • General Liability: Commercial general liability insurance is a broad type of insurance policy which provides liability insurance for general business risks.
  • Excess Liability: provides additional coverage after an underlying liability policy has reached its limit. It covers any claims that would have been covered in the underlying policy. However, it excludes any claims the underlying policy did not cover.
  • Pollution: designed to respond to claims stemming from the release of pollutants into the environment.
  • Product Liability: transfers the risk of defects, including expenses related to product lawsuits and other claims related to faulty products.

This list is not exhaustive, but it shows how insurance has become more widespread and widely adopted. In tandem, cyber risks have begun to impact these policies.

In the next blog post we will provide a very basic overview of how insurance policies are structured from a financial perspective and begin walking across the bridge towards the other side of the connection: cyber risk.

Check out our recent fireside chat about the SolarWinds attack and how organizations' insurance portfolios may be impacted by this incident.