Jamison Cush: Recent surveys show that nearly 50% of companies have cyber insurance policies, up from 34% just two years ago. This rise correlates with the reluctant acknowledgement that no organization is immune to security incidents. Experts a comprehensive cyber security program combined with a cyber insurance policy is non-negotiable in today’s threat landscape. At its most basic, cyber insurance helps in the aftermath. For example, covering digital forensics investigation costs, or providing access to cyber security experts that help with damage control. Sherri Davidoff: Cyber insurance does not have a standard form. It’s not like your car insurance. And so often, you’re comparing apples to oranges. Jamison Cush: Sherri Davidoff, author of Data Breaches: Crisis and Opportunity, has 20 years of cybersecurity experience. Here’s how she compares cyber insurance to other insurance policies. Sherri Davidoff: A lot of organizations have cyber coverage but don’t know exactly what it includes. So one policy might have coverage for your information security and your privacy liability expenses, but not cover things like network interruption or media liability. Whereas another policy may cover that and also cover cyber extortion issues. So it’s really important for not only individuals and businesses but for the brokers themselves, your insurance agent, to have a solid understanding of what the options are, and what each policy includes. That can be challenging because the industry is evolving very rapidly. So we need a lot of education. Jamison Cush: Education and good cyber hygiene, which insurers align with policy. In fact, insurers can deny a customer cost coverage if a customer misrepresents security measures mandated by a policy. For example, a stolen laptop cost might not be covered if it’s revealed not all devices were encrypted. Sherri Davidoff: When a normal insurance event happens, the insurer covers costs associated after the fact. So you get in a car accident, the insurer can’t cause you to swerve and avoid the accidents entirely. They’re just going to cover the costs, after the fact. But with data breaches, they can actually help make the crisis less bad. Jamison Cush: Cloud creates unique challenges too. Is the cloud provider or organization responsible for a data breach? Who notifies customers? Who pays for notification costs? Are PR campaigns covered by the plan? As threat actors become more and more sophisticated, security pros need to think about all these security hypotheticals, just as they must make cyber insurance part of their supplier vetting process.