Considering that a breach will cost companies an average of $4.5 million, the need for cyber insurance has never been so high.
But what is cyber insurance exactly, and is it right for your business and industry? In this article, we will try and answer the questions most frequently asked about cyber insurance.
Cyber insurance is a type of insurance to offset cyber risk.
The U.S. Department of Commerce's Computer Security Resource Center defines Cyber Risk as "The risk of depending on cyber resources (i.e., the risk of depending on a system or system elements that exist in or intermittently have a presence in cyberspace)."
That means any type of computer resource, or any device connected to the internet. These days, that's pretty much any business!
When a company's network is compromised, its technological infrastructure is brought into an abnormal state. Ransomware can prevent access to data altogether, while malware can result in malfunctioning systems. These can bring down entire sections of the company's frontend and backend systems, resulting in costly losses for the company.
As hackers get better at what they do, the potential for cyber risk grows higher.
Cyber insurance offsets cyber risk in two ways:
- Reducing the financial loss caused by cyber attacks by moving the risk off the company's balance sheet and ensuring the business is financially able to stay in business.
- Coordinating post-breach privacy compliance and breach response with pre-vetted, authorized professionals who respond to breach-crisis events 24/7/365, all directed by a privacy attorney who acts as your breach coach.
For example, after an attack, a privacy attorney will advise you on a coordinated response by bringing in the proper response vendors and helping you navigate the patchwork of privacy laws locally, nationally and internationally. Forensics teams will likely be required to determine how the attack occurred and what data was compromised. A Public Relations (PR) firm may be needed to help mitigate the potential reputational harm, and notification and monitoring services could be required depending on the type of data that was disclosed. Breach events become more costly the longer it takes you to respond and remediate. If your company has neither an insurance policy nor an incident response plan and team in place, costs could be significant and negatively impact the company's balance sheet.
There can be many different types of losses associated with a cyber attack, and there are different types of insurance that protect against these losses, whether they are first-party expense losses, third-party liability losses or response costs.
Cyber risk applies to organizations of any size, but it can be especially debilitating for smaller companies that might not have the resources to survive the financial devastation of an attack. For small companies, cyber insurance is vital.
There are many types of cyber insurance products.
All cyber insurance exists to mitigate financial loss. Some of the ways this is done are:
- Meeting ransomware extortion demands
- Paying defense costs for third party liability demands
- Paying legal fees for privacy compliance
- Paying for computer forensics teams to help recover from the attack
- Paying for lost business income due to a disruption of business due to the attack
- Repairing lost, stolen, or corrupted data assets
- Paying regulatory defense costs, fees, and penalties
Cyber insurance can be offered in a number of ways on several different policies, but such add-on coverage is often limited in its terms and carries concerning exclusionary language. However, third-party loss, first-party expenses and breach event response costs can be purchased together through a stand-alone cyber risk policy for complete cyber risk business protection.
Having a comprehensive cyber insurance policy in place removes the risk of financial ruin and helps facilitate investigation and response by alleviating the financial burden of such a response.
Some of the key areas of cyber insurance coverage are:
Responding to an event may require hiring a privacy attorney, notifying victims, hiring data forensic investigators, bringing in a PR firm to handle reputational damage, and so on. Response coverage would help cover these costs.
This type of coverage helps a company defend itself against potential lawsuits brought about by victims of an attack.
Institutional loss coverage protects against business losses that were directly caused by the attack. Whether the attack resulted in damaged relationships with third parties or in direct loss through fraudulent transfers, this coverage helps compensate for those losses.
Cyber extortion coverage is specifically for those incidents where hackers have taken data of yours or locked your network down and require a ransom payment to release it. This type of insurance will pay the ransom and/or consultants to come in and deal with the situation in the best possible way.
Most jurisdictions and regulators have very specific protocols that must be followed after a data breach, including properly disclosing the breach. Failure to comply with these regulations can result in hefty fines. This type of coverage would pay for these fines.
It's important to note that cyber insurance will not cover losses caused by illegal acts, breaches of contracts, and dishonesty, however.
A cyber insurance claim is usually a cooperative effort between the insurance provider and your legal team.
Let's imagine a case where some customer data was exposed, and the company suffered the following financial losses from the breach:
- Regulatory fines
- Indirect financial loss from reputational damage
If a cyber insurance policy is in place, the best practice is to call the 24-hour hotline provided by the insurance company as soon as you know of, or even suspect, an attack or intrusion. The 24-hour hotline puts you in touch with the privacy attorney, who will qualify the incident and start coordinating an immediate response. Depending on the type of attack, every moment you wait may cause more damage to the network and cost more, overall, to remediate.
The privacy attorney, who is acting as your breach coach, will work with your team and advise on next steps. Separately, it will be important to notify the insurance company (or insurance broker), who will formally file a claim. The claims adjuster will work with your team to collect supporting information, including any receipts and evidence showing what financial losses were caused.
Oftentimes, companies choose to report the claim through their broker, who works on their behalf and advocates for policy coverage to achieve optimal results.
Cyber risk is simply too high these days to be without insurance. Out of 550 organizations studied by IBM for its Cost of a Data Breach Report 2022, as many as 83% had suffered a data breach within the previous 12 months! And of those that were attacked, 60% raised prices to their customers to cope with the costs.
Cyber insurance can help reduce the overall impact and cost of a breach so that a company can become operational as quickly as possible, and ensure the balance sheet remains intact.
All companies, big and small, are at risk. But the costs to smaller companies can be crippling.
The average cost of cyber insurance in the USA for 2021 was $132 per month ($1,589 per year). This is an incredibly reasonable price to pay considering that it costs an average of $36,000 for a small company to recover from a data breach.
The specific cost of cyber insurance depends on the company's size, revenue, cyber environment, and market sector. For example, companies in the health sector might pay more for insurance because private health information commands such a hefty price tag on the black market, and because the industry is highly regulated, making compliance more complex and costly and punitive fines and penalties for non-compliance more likely.
If your company has strong security protocols in place, as well as a strong business continuity/disaster recovery plan and a proper incident response plan, the premiums will likely be lower than those for companies with lax security and controls.
Absolutely! And they probably need it more than large companies need it. Recovering from a data breach costs an average of $36,000 for small businesses. Cyber insurance typically covers a business up to $1 million.
Unfortunately, we live in a world where companies should take the attitude of "when" they're attacked, rather than "if." That doesn't mean that every company will be attacked — those with resilient security procedures and technology in place are far less likely to be attacked, but it can still happen.
When it does happen, the two elements that can greatly mitigate financial fallout are:
- An excellent Incident Response (IR) plan
- Adequate cyber insurance.
If you already partner with a Managed Security Service Provider (MSSP) such as SolCyber, they can help you find a reliable insurer. If you don't, we recommend doing some research for insurers that work specifically in your market segment.
Another option is to ask existing vendors or partners who they use that they could personally recommend.
Ransomware is an evolving aspect of the cyber insurance industry. When the coverage was first written, cyber extortion was intended to address demands by hacktivists who insisted that a picture, statement or specific content be removed from a public website or threatened to harm the network. However, with the advent of several ransomware tools/families, the threat has evolved and so too has the coverage on the policy to address it. The coverage typically pays for the ransom demand and for the consultant who will negotiate with the threat actor to decrease the ransom amount and to ensure the data the threat actor releases is usable and uncorrupted.
That companies need ransomware protection is without question. The average incident duration of a ransomware attack is 23 days. Expecting a company to survive a disruption to operations without insurance is unrealistic.
As with traditional insurance, there are certain types of losses that cyber insurance doesn't protect against. These include losses caused by acts of war (although most policies do include coverage for cyber terrorism), intentionally criminal or dishonest acts, theft of trade secrets, unfair trade and employment practices, and similar exclusions.
There might also be specific cyber elements that a policy won't cover, so it's important to read the policy in detail to understand what is covered and what isn't. Generally speaking, cyber insurance policies tend to be quite comprehensive.
Investing in cyber insurance ensures that a company has all its security bases covered.
SolCyber has partnered with Converge to provide affordable cyber insurance to companies as part of their Insurance+ Program. SolCyber Foundational Coverage customers receive pre-approved cyber insurance and discounted premiums through this industry-first program.