Almost everyone has bought or been covered under insurance. It’s an important aspect of our daily lives and is considered essential to protecting yourself in an emergency. Cybersecurity is no exception: having the proper insurance can save your business thousands or millions of dollars in a cybersecurity crisis. About 60% of small to medium-sized businesses that suffer a data breach go out of business within 6 months. The average cost of a data breach in the US for 2019 is $3.9 million. If you’re an extremely large company, maybe this isn’t a huge deal, but for small to medium businesses an unexpected cost of this size can have a big impact on the company. Here I’m going to outline what cyber insurance is, what events and situations it covers, and how you can get started getting your company insured:
What is Cyber-Insurance?
Cyber insurance is a specialty line of insurance that protects both businesses and individuals against internet-based risks. Cybersecurity attacks aren’t covered in traditional insurance policies.
What does Cyber Insurance Cover?
Cyber Insurance typically includes first party coverage against many of the losses associated with hackers. This includes:
Denial of Service attacks
Liability Coverage for damage done to other companies
Regular security audits
Post Incident Public Relations
Criminal reward funds, e.g. paying ransoms
Notifying customers about a data breach
Credit monitoring for affected customers
What are the types of Cyber Insurance?
Unfortunately, there’s not one type of Cyber Insurance that covers all of these areas. So you’re going to have to evaluate your own risks and see what type of insurance makes the most sense for your company. Here are some of the common ones to consider:
Network Security: This insures you against cyber attacks and hacks. It is the broadest and most wide-ranging type of insurance, and it is what most people think of when they hear cyber insurance.
Theft and Fraud: Covers destruction or loss of your data as a result of a criminal act or fraud. It also covers the illegal transfer of funds.
Forensic Investigation: Covers the Legal, Technical and Forensic work necessary to determine whether a cyber incident has occurred, to assess the impact of an incident or determine how to stop an ongoing cyber incident.
Business Interruption: This covers lost income and any business costs incurred due to a cyber event.
Extortion: This covers costs associated with investigating threats of cyber attacks against the policyholder’s systems. It also covers payments to extortionists who threaten to take, delete or disclose company information. A common example of this would be payouts to hackers following a ransomware attack.
Reputation Insurance: This provides protection against reputation attacks/cyber defamation. This is usually necessary if the hackers publish confidential information after a successful data breach.
Computer Data Loss and Restoration: This covers physical damage to computer-related assets and the retrieval and restoration of data, hardware, software and other information lost as a result of a cyber attack.
Information Privacy: Covers liabilities from actual or alleged noncompliance with information privacy regulations. It also includes legal costs such as a defense attorney’s fees or a monetary settlement.
What to look for when buying Cyber Insurance
Like any business insurance, cyber insurance premiums and coverage vary by insurer and the type of policy you choose. You want to make sure you outline your company’s main pain points and choose a policy that covers you on those key items. Here are some key tips you can use:
Understand your deductibles: You want to understand how much you are obligated to pay during an incident.
Know how coverage applies to both first and third parties: This applies to your third party service providers as well as any companies to whom you are a third party service provider.
Ask if the policy covers you for any attack you are victim to or only targeted attacks against your company
Understand if the policy includes time frames for coverage: Advanced Persistent Threats (APTs) can last months or years so you need to know if you will be covered if you discover one after a long period of time on the network.
Know if the policy covers non-malicious actions by employees (negligence)
Does the policy cover social engineering?
Does it cover credit monitoring for affected individuals?
Compare to other insurers: In order to get the best coverage and premiums you need to shop around. Every insurer is different so take time to find the one that best provides what you need.
How Do Cyber Insurers Assess Companies?
Like all other forms of insurance, insurers want to deal with companies that are low risk. Therefore, they will do an assessment of your company based on multiple factors. Some of these factors are within your control while others are not. What they find during their assessment will affect the coverage and premiums of your insurance. Here are some of the factors you will be assessed on:
Security Posture: The security practices and controls that your organization has in place to reduce the risk of a security breach.
Security Policies: These are the outlines that define what it means to be secure for an organization. They are essentially your internal standards for security within your company.
Annual Gross Revenue
Types of Services Provided
Data Risk and Exposures
How to Make A Business Case For Cyber Insurance
Security breaches can have a big financial impact on companies; on average, a data breach costs companies $3.9 million. While bigger companies may be content with paying these expenses as they occur, for smaller companies this is not feasible. Symantec found that over 30% of phishing attacks in 2015 were against companies with fewer than 250 employees. In 2016 they found that 43% of all attacks were targeted at small businesses. For larger companies the average cost of a data breach still has a big impact, and having the proper cyber insurance can reduce those costs, allowing that money to be used for another aspect of the business.
Cyber insurance covers the costs associated with cyber-based attacks for individuals and companies. These costs can be too much for many smaller companies that don’t have the money or resources to deal with a security breach. To prevent these disasters, cyber insurance is one of the most comprehensive and non-technical safeguards you can get. If you decide to invest in cyber insurance, be sure to create a risk profile so you know what areas of your business you need protected, and be sure to compare multiple insurers so you can get the best rates and overall coverage.