Industry-Specific Risks

Many businesses apparently do not believe they are at risk of losing one of their most valuable assets -- customer data -- to cybercriminals. Anyone who reads the daily news knows that is a foolish gamble to make. It is common, if not mandatory, for U.S. companies to purchase a variety of insurance policies, including commercial general liability (CGL), directors' & officers' (D&O), and errors & omissions (E&O).
Not all CGL, D&O, and E&O policies are identical; often they are industry-specific. For example, a company building and selling bicycles is radically different from an e-commerce retail business (like Target) that collects PII and credit card data (the latter regulated by the payment card industry (PCI) through the PCI Data Security Standard). Cyber risk for the bicycles themselves may be negligible, but bicycle manufacturers and sellers would need insurance for faulty design. On the other hand, an e-commerce retail business surely would need cyber insurance.
New companies should invest the time to investigate cyber insurance needs for their industry and understand the risks of being sued by customers for loss of PII, PCI data, or protected health information (PHI).

How Are Insurance Premiums Set?

Insurance companies use historical data to set premiums based on business and industry categories. In the foregoing example, an insurance company would have no problem offering traditional insurance policies to the bicycle manufacturer, given the long history of manufacturing and selling bicycles in the U.S.
The same cannot be said for cyber liability insurance coverage (CLIC) policies, since cybercrime is relatively new and cyber risks change frequently. Even the most sophisticated companies have difficulty keeping up with the ever-evolving and prolific number of cyber risks.
Nowadays, as soon as a chief information security officer (CISO) closes one cybersecurity gap, the cybercriminals unleash a new form of cybercrime. This makes the underwriters' job of identifying and quantifying risks tricky.
The limited data available to underwriters further compounds the issue. All 50 states now require some form of breach notification when PII is compromised, and many insurance policies provide the affected individuals with credit monitoring (think LifeLock) for 12 months. Often, however, organizations fail to report the full impact of breaches in order to avoid negative publicity that could damage the trust of customers.
Since identifying and quantifying specific cybercrime threats is so challenging, insurance companies tend to focus on types of losses -- which are more fixed in nature (e.g., first-party losses and third-party claims) -- when determining premiums.
In addition to a company's industry, insurers look at the type of services the company provides, its data risks and exposures (e.g., does the company store and maintain sensitive customer PII, PCI data, or PHI?), the security controls in place (if any), its written policies, and its annual gross revenue.

What Happens When a Cyber Insurance Claim Is Filed?

Insurance companies study every claim to decide whether the loss is covered, irrespective of the type of business -- be it the bicycle manufacturer or the e-commerce business. Because there is more historical data for the bicycle industry, the insurance company generally can make that decision fairly easily.