What Do CIOs Need To Know About Cyber Insurance?

The idea is simple but the devil lies in the details

When you are the CIO, you deal with things like servers, networks, firewalls and the like. You are not generally called on to deal with other business related issues such as insurance. However, with the rash of ransomware attacks and denial-of-service attacks that have been happening, CIOs are now being asked to help out when the company goes shopping for cyber insurance. The problem is that cyber insurance is new and it raises more questions than it answers. CIOs need to study this new area if they want to be able to guide their company correctly.


What Needs To Be Covered?

The first issue that a CIO has to deal with when the company starts to consider paying for cyber insurance is just exactly what this insurance would cover. The key question is what the company’s biggest risk area is. After this, they need to spend time thinking about what they would lose if they were attacked. The answers to these two questions will allow the company to tailor their insurance coverage to meet their specific needs.

So what needs to be covered? For most companies the areas that need to be covered include data restoration, reputational damage and the costs of government regulatory fines if the company suffers a data breach. The key is for the company to both understand and assess its level of risk.


What’s The Difference Between 1st Party And 3rd Party Insurance?

Just to make things more confusing when it comes to determining what kind of cyber insurance the company should get, there are different types of insurance out there. One kind, first-party insurance, is the type that covers the company’s own direct losses if they are attacked. This can cover such events as denial of service, data loss, and extortion. This insurance can also cover any lost income because of the attack. Depending on how the insurance is written, it may also cover the costs that the company incurs as they attempt to clean up after an attack. Companies that store customers’ sensitive personal information typically get first-party insurance.

The other type of insurance is called third-party insurance. This kind of insurance covers companies that permitted a data breach to happen on a client network. This type of insurance can cover reimbursements for legal fees, damages, settlements, and fines.


What Kind Of Incidents Are NOT Covered?

Of most importance to both CIOs and to their companies is what kinds of incidents are NOT covered by cyber insurance. Ok, so let’s be straight here – your insurance will not be covering mistakes made by your company that they should never have made in the first place. There is a minimum level of security that you will be expected to maintain at all times. Another area that insurance will not be covering will be the careless handling of sensitive information by employees. Somewhat interestingly, malicious acts by employees probably won’t be covered. Other events that are not covered include the theft of intellectual property or trade secrets.


What All Of This Means For You

The times they are a-changing. What this means for CIOs is that tasks that they may have never been involved in may now be something that they are asked to help out with. One such area has to do with cyber insurance. The company may come to the CIO in order to sort out what types of coverage they should pay for. CIOs need to understand how this type of insurance works and both what it covers and what it doesn’t cover.

The first question that a CIO has to deal with is to figure out just exactly what the company needs to have covered. The CIO needs to determine what the company’s biggest risk is and what they would lose if they were attacked. There are different types of cyber insurance that can be purchased. First-party insurance covers the company’s own direct losses if they are attacked. Third-party insurance covers companies that permitted a data breach to happen on a client network. CIOs need to be aware of what things a cyber insurance policy won’t cover. These generally include anything that the company should have taken care of as a minimum level of cyber security.

The world is a dangerous place and there are a lot of people out there that are looking for ways to break into your company’s network and its servers. As the CIO it is your job to take steps to make sure that they can’t get in. However, if they do get in and cause problems for the company, the firm may need to have cyber insurance to deal with the aftermath. As the CIO you are going to be called on to provide the company with the guidance that it will require in order to make a good purchase decision when it comes to selecting a cyber insurance policy.


– Dr. Jim Anderson Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™


Question For You: Do you think that a company should purchase more or less cyber insurance – is this a waste of money?



What We’ll Be Talking About Next Time

As a CIO, do you feel like you are always “on”? When you were in the office, there were always meetings, phone calls, and people wanting to drop by your office to talk with you because of the importance of information technology. In our new age where everyone is working from home, it seems like things have only become busier and busier. The start of the day is defined by the first time that someone can get in touch with you and it doesn’t end until you finally walk away from your desk. More and more CIOs are starting to understand that what they need to do is to find ways to unplug themselves in order to be able to do their job better.