Other people make many insurance decisions for us. Mortgage lenders and governments, for example, aren't interested in our opinions about carrying homeowners or car insurance. Plenty of companies, on the other hand, are still wrestling with the question, "Do I need cyber insurance?"
That, of course, depends on your business and your tolerance for risk. But one fact is non-negotiable: if an attacker finds a way into your business, your bottom line is going to suffer, and probably for longer than you think.
Among small and midsize businesses, a Kaspersky survey found that the average data breach costs around $100,000. That financial toll carries a long tail: IBM research shows that about 39% of a breach's costs are incurred after the first year. The price tag includes obvious items such as re-creating lost data, but victims also pay through lost business when customers lose faith in their ability to protect data. IBM puts lost business at about 40% of a breach's total cost.
For many small businesses, the accumulated impact of a breach proves fatal. The National Cybersecurity Alliance reports that 60% of small companies are out of business within six months of being hacked.
Cyber insurance doesn’t replace a strong cybersecurity plan. But it does provide another layer of protection that businesses increasingly want. Between 2015 and 2018, the cyber insurance market tripled in size, according to a Marsh-Microsoft study.
As you assess how much cyber insurance you need, how to choose the right cyber insurance policy and more, use these questions as a guide.
How common is cyber insurance?
Overall, according to the 2019 Marsh-Microsoft study, 47% of organizations say they have a policy in place, up from 34% in 2017. The number skews toward bigger companies: 57% of firms with revenue over $1 billion carry cyber insurance, compared with 36% of companies with revenue under $100 million. Remember what we just learned about how frequently small companies go out of business after getting hacked; it is reasonable to suspect that lack of coverage plays a part in those business-ending incidents.
Companies are also growing more confident about how to use cyber insurance. In the 2017 Marsh-Microsoft study, 44% of companies said they were uncertain how cyber insurance meets their needs. In 2019, that number was down to 31%.
Your company's contractual obligations may drive your cyber insurance decisions. Take, for example, a logistics company that could face breach-of-contract claims if it is out of service for as little as 8 hours. Considering that the 2017 NotPetya outbreak temporarily crippled the shipping giant Maersk, which has ships arriving in ports every 15 minutes, it's easy to see how the costs could escalate rapidly. In September 2020, Hartford, Connecticut, schools had to postpone the first day of school because of a ransomware attack, and a Chilean bank had to close all of its branches after it was hit by ransomware. Your cyber insurance decisions therefore need to involve consultation with your attorney and a clear review of your exposure to business interruption.
How much cyber insurance do I need?
Like all insurance discussions, the right coverage depends on your situation, your risk tolerance and discussions with your insurance carrier. But one marker is a 2019 Capgemini study that concluded only 18% of companies have adequate cyber insurance coverage.
Insurers are constantly revising their positions on coverage and premiums as new threats arrive; the Internet of Things (IoT), for example, introduces thousands of new points of exposure.
As with all insurance, your calculation must weigh your potential losses against how much you can afford to pay out of pocket. Consider the cost to recover or re-create your data, how long you could be out of business while recovering, what lawsuits or regulatory actions you might face, and so on. Don't get lulled into thinking you're covered just because you have a policy and the limit sounds impressive.
What does a cyber insurance policy cover?
Coverage typically breaks down into two categories:
- First-party coverage: This pays your direct costs to recover from a breach, such as forensic investigation, customer notification and restoring data.
- Third-party coverage: This pays for claims brought against you by others after a breach, such as regulatory fines or lawsuits by customers and partners whose data was compromised.
Don’t assume your overall business interruption coverage includes cybersecurity events. In most cases, you’ll need a separate policy to cover those specific issues.
You should also review exactly which cybersecurity events your specific policy covers. Some default policies exclude breaches caused by social engineering, such as phishing e-mails or pretexting phone calls, labeling them "voluntary transfers" of information or funds. Since many studies attribute roughly 90% of successful attacks to social engineering, that's an exclusion you can't ignore.
Some policies also exclude events caused by deliberate acts of insiders, such as an employee who intentionally leaks or destroys data. You need to understand that exposure and decide how it aligns with your risk tolerance.
How much do cyber insurance policies cost?
The underwriting process will determine your premium through a detailed look at your industry, your data usage, your cybersecurity policies and more. Using multifactor authentication, for example, could reduce your premium. But for a general price check, consider a 2019 AdvisorSmith study that found an average annual cost of $1,500 for a $1,000,000 policy with a $10,000 deductible.
It should go without saying, but honesty is critical during the underwriting process. Misrepresentations of your security posture will almost certainly come to light in the event of a claim, opening you up to a voided policy or potential legal action.
How do I choose a cyber insurance provider?
Look for a company with significant cyber insurance experience—and skills specific to your size and type of business. Plenty of companies have rushed into this space in recent years, and many of them have limited experience with relevant underwriting and claims.
Underwriting cyber insurance typically involves a long list of questions about your preparedness, and you should be skeptical of insurers that ask vague ones. It's a red flag if a company asks for a simple yes/no answer to a question like, "Are you compliant with all applicable security standards?" Which standards? You and the insurer must completely understand and agree with each other, in writing, to avoid a denied claim when an incident occurs.
Does good cyber insurance reduce how much I have to worry about security?
Think of it like your homeowner’s insurance. Just because you’re covered, will you consider it no big deal if a storm rips your roof off? Let’s assume not. Disasters carry costs far beyond the simple cost to replace what was broken or stolen.
Insurers will also set your premiums and decide on claims with a careful eye on your overall cybersecurity preparedness. If an insurer finds sloppy security work on your part, it may reject a claim. And even if insurance does pay to restore your data, a cash payment only goes so far toward restoring your reputation with customers. In summary, don't get lazy on protection, no matter how strong your insurance game.
For help clarifying how cyber insurance fits into your overall security policy, contact Pratum’s team.