You obviously don’t want to be in a car accident or natural disaster, and you certainly don't want your house burgled. Yet, you anticipate such grim situations by purchasing insurance to cover your properties and other assets.
However, despite the rising number of cyberattacks and data breaches—which cost about $4 million per attack on average—only 38% of IT professionals we surveyed* are sure their business has cyber insurance.
Like any other insurance, cyber insurance can't turn back time and undo an incident, but it can cushion you against many financial repercussions.
In this article, we explain what cyber insurance is, its importance, and how to choose the right cyber insurance policy for your organization.
Cyber insurance is a form of insurance that helps businesses hedge against potential losses caused by internet-based risks such as malware, DDoS attacks, and phishing.
Cyber insurance policies differ in their coverage and premium payments based on the plan you choose. Coverage may include costs around damaged or stolen IT infrastructure, business revenue losses due to downtime, virus attacks, investigation into security incidents, and lawsuits.
Additionally, some insurance providers offer optional coverage for ransomware and extortion, copyright infringements, and IT system outages on an "all risk" or "named failure" basis. Discuss your needs with cyber insurance providers and explore available policy options.
Here, we'll look at some benefits of cyber insurance as realized in real-world examples of businesses that were saved from paying large sums in liability because they had coverage.
Your cyber insurance policy will help you cover income loss resulting from business downtime that is a result of a cyber attack or IT failure. It may also compensate you for remediation costs to get your systems up and running again.
Example: An online retailer's website was inaccessible for six hours due to a DDoS attack on its data center. The retailer's insurer helped the company work through the crisis and paid out 144,000 pounds (approximately $180,000) for business interruption loss, recovery costs, and incident response expenses.
Cyber insurance policies protect against data breach and privacy liability costs. They typically help cover charges involved in notifying customers, managing privacy infringement claims, and other associated legal costs. Privacy breach clauses not only cover malware attacks but also data loss due to accidental human error.
Example: An HR recruiter for a healthcare firm accidentally attached the wrong file when sending an email to four job applicants, compromising the personal information of over 43,000 employees. The insurance company helped the healthcare firm manage the regulatory implications of this action and resolved the incident, bearing a total cost of 186,000 pounds (approximately $242,000) in privacy liability and incident response.
From WannaCry to Sodinokibi, the threat of ransomware and cyber extortion is increasing, and businesses are forced to pay hackers to restore their systems and networks. Cyber insurance compensates the money paid as ransom or extortion, should you find yourself in a similar situation.
Example: Lake City, Florida, was hit by a malware attack that locked the city's computer files for more than two weeks. After much deliberation, the city agreed to pay 42 bitcoins as ransom to get the files unlocked, as recovering those files from backups would've cost a lot more. The insurance company reimbursed most of the ransomware cost, other than the $10,000 deductible.
Note: Cyber extortion and ransomware are not generally included in base cyber insurance policy plans and need to be specifically requested.
Often, cyber insurance agencies also provide aid intended to prevent cyber threats and improve IT systems.
Example: An insured hospital was notified by the U.S. Secret Service about a potential HIPAA breach involving the data of about 40,000 patients. The insurance company helped the hospital engage forensic investigators and breach coaches to handle client notifications, create call centers, implement identity-monitoring devices, and report properly to the state regulatory agencies.
Lack of policy standardization, irregular coverage and pricing structures, and unreliable cyber insurance providers are some of the challenges that businesses face when trying to choose a cyber insurance policy.
Here we list five steps to help you make the right cyber insurance policy buying decision.
Understanding the risk exposure to your business is the first step in identifying the extent of coverage you might need. Some questions to ask yourself:
What types of data do I store—e.g., sales data, personally identifiable information, payment card information, customer data?
Are all these types of data equally sensitive and in need of the same level of protection?
What types of risks have industry peers faced—are they mainly ransomware, malware attacks, phishing, or a mix of all of the above?
With which regulations do I need to be compliant?
What is the probability of an attack?
This step involves determining how much insurance coverage you need versus how much risk you can afford. Here are some pointers that can help you weigh your risks against the premium cost:
The average cost of a cyber attack for a small business is $3 million.
Annual cyber insurance premiums for small business range from $1,000 to $7,500.
The cyber insurance premium you'll need to pay will depend on your existing security posture—often, strong security systems help reduce premium costs.
Understand the total insurance coverage and how adequately it covers different cyber risks your organization faces. For example, if your total coverage is $25 million, financial losses due to phishing may be capped at 20% of the limit, i.e, $5 million. Check whether the total coverage and the limit for individual risks meet your needs.
The policy definition, coverage options, and terms and conditions offered by various cyber insurance providers will differ. For instance, what is considered a security event will vary from one provider to another. The different security events covered may also vary by provider as well as between different policies from a single provider.
Here are some questions to ask the insurance providers to help you compare different policies.
Does the policy cover business interruption costs due to cyber attack at a partner or client firm?
When does the policy take effect?
Which types of risks are covered, and which are not?
What data types are insured? Is there any specific data breach that is not covered?
Does the policy cover costs due to human error, identity theft, etc.?
What costs and services are included in the premium?
Read reviews of cyber insurance providers to understand how users rate them. Check out providers’ websites and brochures to see what type of clientele they service. Some points you may want to look at include:
Do they have clients in the same industry as yours?
Do they service businesses of your size?
Seek advice from peers in your professional network to learn which cyber insurance providers are trustworthy and offer the best coverage.
If you are unable to decide on a cyber insurance policy or provider, engage external finance and IT experts to help you decide on the total coverage and premium amounts appropriate for your business size and type.
Even as you buy a cyber insurance policy, remember that having cyber insurance is no substitute for strong cybersecurity.
Cyber risk insurers will audit and assess your security posture even before issuing a policy. And your insurance claims may get rejected if your company fails to maintain its cybersecurity systems. You must continue to patch systems regularly, dispose of outdated machines, encrypt communication channels, use strong passwords, and deploy security tools such as antivirus, network monitoring, and firewalls.
*The data security survey referenced in this article was conducted by GetApp in June 2019 among 714 respondents who reported full-time employment in the United States.
Visit GetApp's IT security directory for a catalog of vendors offering IT security software.