Can your company afford to lose $4 million? According to Ponemon Institute's 2016 Cost of a Data Breach Study, that's the consolidated cost of the average data breach. Even the smallest companies have to pay up after a cyberattack, and every compromised record containing sensitive or personal information costs a company about $158. That adds up quickly, and unfortunately for many businesses, it's a financial hit they are unable to survive.
Cyberattacks are a part of doing business in a digital world, and as many security experts warn, it isn't a matter of "if" a company will be attacked, but a matter of "when." And the smaller you are, the harder you'll fall. According to Small Business Trends, 43 percent of all cyberattacks are targeted at small businesses, and 60 percent of those businesses can't recover. While defending the network and data from threats by using multiple layers of security tools is absolutely necessary, many companies are now turning to cyber insurance as a way to limit post-incident damage.
Not surprisingly, the cyber insurance industry is growing and is predicted to reach $14 billion by 2022. That growth will be driven by three things:
- The increasing awareness in the boardroom that cyber risk requires management and insurance is a recognized way of managing this risk
- The increase in legislation and regulation globally
- The increase in unforeseen and unanticipated attacks, particularly on large enterprises
What is cyber insurance?
Cyber insurance – also referred to as cyber liability insurance or cybersecurity insurance – covers an organization from a variety of issues related to cyber incidents, including situations such as data breaches and related costs and fines, business interruption costs where revenue is tied to an incident, and data loss and destruction resulting from cybercrime or fraud. In addition, cyber insurance is designed to protect a business engaged in ecommerce or that creates, processes or stores data within its internal electronic network. Some cyber insurance policies also offer protection in the case of regulatory compliance issues and DDoS attacks.
Cyber insurance works by providing a business with coverage up to a policy limit, similar to auto insurance, said Greg Reber, CEO of AsTech. For example, if a business has a breach that has an overall cost of $5 million but has a policy that covers only $2 million, that company still faces a $3 million loss.
Why do you need special insurance coverage for cyber-related incidents? Although the company's general liability insurance or other insurance policies may cover data loss due to some type of physical damage – a fire or equipment theft, for instance – digital incidents aren't covered in typical insurance policies. The coverage itself is often more specialized and is such a new area of insurance coverage that insurers vary greatly in what they offer. Cyber insurance is also of growing importance in the battle against ransomware (see Ransomware Insurance: Cyber Insurance May Be the Best Protection).
Types of cyber insurance policies
There are two types of cyber liability insurance: First-party covers data breaches that affect your own computers and systems. Third-party covers breaches on your clients' networks if you are responsible for those systems.
Depending on which type of cyber coverage you need, the policy will include different coverage, said Mark Thompson, senior vice president at Insureon, a small business insurance provider. "First-party cyber liability Insurance, which covers the cost of breaches to your own network, may help pay for customer notification, anti-fraud protection for customers, and security incident investigations," Thompson said. "Third-party cyber insurance includes coverage that can pay for attorneys to defend your company, settlement costs and court-ordered damages if you're found liable for a client's data breach."
If your business is internet-based, it makes the most sense to go with a policy that places an emphasis on protecting the business from all costs associated with a breach, such as credit monitoring, fines levied by card processors and issuing banks. In any situation, however, all policies should protect the business from criminal activity such as fraud and extortion as well as data loss and destruction.
Also, one must consider the regulatory environment that often dictates the security requirements for a business. PCI, HIPAA, FFIEC and other agencies have strict sets of guidelines, and your cyber risk insurance policy may cover violation fines, but that's dependent on the language in the policy. If you deal with any compliance regulations, it is important to ensure that you will be covered if necessary.
Cost of cyber insurance
Any variations in cost of cyber risk insurance tend to be industry-related. Industries that deal in highly sensitive data and transactions, such as healthcare, retail, e-commerce and the financial sector, will have a higher cost because their risk and exposure are greater.
Cyber insurance policies tend to cost two to four percent of the liability limits, Reber said. "As with any insurance policy, the greater the precautions and the lower the risk, the lower the premiums. Small businesses would do well to examine their need to directly process internet-based transactions."
According to Data Breach Insurance and cyber insurance broker Cyber Data Risk Managers, you can break down your premiums by your company's annual income, the policy's dollar limit, and your industry vertical. A company in the healthcare industry, for instance, will pay a premium that's double that of a company in education with identical incomes and limits. A traditional retail business should expect to pay less than an e-commerce business.
When purchasing cyber insurance, the focus should be on the needs and coverage areas first, cost second. If you aren't sure, the insurance broker should have experience working with your specific industry and business size and help you avoid a one-size-fits-all policy.
Organizations need to go into any cybersecurity insurance negotiation with their eyes open and do the homework before starting the purchase process. You should be able to answer these two questions:
- What do you need to insure?
- What is the cost to the business of an attack on those assets?
According to Steve Durbin, managing director of the Information Security Forum, knowing the answers to these two questions alone will give you a strong idea of the areas you need to cover and the cost to the business of not covering them.
How cyber liability insurance can improve overall security posture
The benefit of having a cyber insurance policy is to cover the losses associated with a breach or other computer-based crime. If a business is storing sensitive information, a cyber insurance policy can afford a necessary level of income protection. It can also help raise the security standards within a company.
"There are costs associated with security and consequently with the insurance," said AsTech's Reber. "If a business raises its level of security, they lower the risk for the insurer, thereby lowering their premiums."
The need for good insurance policies is something that boards of directors understand, but they don't always understand the importance of good security policies. Cybersecurity insurance can play an important role in emphasizing the need for security systems and protection against potential risks to organizations.
Insurers can also help their customers obtain the right coverage by requiring regular independent risk profiling and by having customers provide the insurer with a risk audit. Durbin said that while some insurers do take this action, it presents an opportunity for the insurance industry to take a lead in ensuring that companies understand their risks and the associated costs. This reinforces the idea that insurance is but one weapon in the cybersecurity arsenal.
Cyber insurance companies
How do you choose the right insurance company to best protect you from cybercrime and hackers?
- Look for an established company with a revenue base that can easily absorb losses.
- Select a provider that is familiar with your industry and your type of business.
- The insurer should be someone who will scrutinize your business's specific security system and needs.
Cost is certainly a consideration, but it shouldn't be the primary driver of your decision. In the end, you want an insurance partner that will be with you through the long term and make you stronger.
Some cyber insurance vendors to consider (and see our picks for top cyber insurance vendors):
- Travelers Insurance
- Philadelphia Insurance Companies