What is cybersecurity insurance? How does it work? Who should buy it and how much should they expect to pay in premiums? In this blog post, we will answer all of those questions and more.
Cybersecurity insurance has become an increasingly important tool for businesses of all sizes in recent years. With data breaches becoming more common, it’s essential for companies to have some form of protection against potentially devastating financial consequences. Sixty percent of small companies go out of business within 6 months of a cybersecurity breach. While larger companies might be able to absorb the financial impacts, the reputational damage can affect them for years. According to a Forbes report, a moderate reputational impact will cost, on average, $468,000 over the next two years. A “substantial” disruption to business can cost upwards of $5.25 million over 24 months, an impact that most small- to mid-sized companies could never absorb.
A cyber insurance policy can cover things like loss of data, legal expenses, and even reputation damage. How much coverage you need will depend on the size and type of business, as well as the industry you are in.
How does cybersecurity insurance work?
When a data breach or other cyber incident occurs, the first thing you should do, after containing the incident, is to contact your insurance company. They’ll assign a case manager to work with you and help you through the process.
The case manager will likely ask for some information about the incident, including when it occurred, how many people were affected, and what kind of data was involved. They will also want to know what steps you have taken to mitigate the damage and protect your data in the future. In this situation, it can be helpful to have a cybersecurity team on your side to communicate with your case manager, take all the necessary steps, and help you navigate the technical side of the conversation.
Once the case manager has all of the necessary information, they will work with you to determine what coverage you have under your policy and how much you can expect to receive.
What does cybersecurity insurance cover?
Most cybersecurity insurance policies will cover some or all of the following:
- Loss of data: This can include the costs associated with restoring lost data, as well as any revenue that is lost as a result of the data loss.
- Legal expenses: If you are sued as a result of a data breach, your policy will cover the costs of your defense.
- Reputation damage: If your business suffers reputation damage as a result of a data breach, your policy will cover the costs of repairing that damage.
- Cybercrime: If you are the victim of cybercrime, such as ransomware, your policy will cover the costs associated with that as well.
What cybersecurity insurance doesn’t cover
As with any other insurance policy, there are exclusions. These exclusions can be used to deny your claim. It’s important to know what they are and how to avoid being trapped by them.
- Lack of proper security – If the insurance company believes you didn’t provide adequate protection, they can deny your claim.
- Physical injury to a person or thing – Since a security breach should never cause physical injury, insurance companies won’t pay claims that include physical damage.
- Vicarious liability – If a third-party system is breached, the insurance company will deny your claim, but you might have a claim through the other party.
- Public authority – Claims arising from any recommendation from a government or public authority that leads to a breach will likely be declined.
- Loss of a device – Many breaches occur when an employee leaves a laptop in a car or a portable storage unit in a cafe. Insurance won’t cover that.
- Network interruptions – If data is lost due to a network interruption, it likely is not covered, but the company providing your network may be liable.
- War or conflict – The insurance company can deem something an act of war and decline the claim.
The “act of war” clause has been popping up more frequently. The Russian invasion of Ukraine, cyber hostility from China and North Korea, and Kremlin-aligned Russian hackers can be and have been deemed acts of war by insurance companies.
Your facility does not need to be directly invaded. If the bad actor is operating as part of overall military or geo-political hostilities, the claim can be denied. The problem is that this covers a significant percentage of breaches, particularly those from Russia and China.
Read more about recent events at CPO Magazine: https://www.cpomagazine.com/cyber-security/cyber-insurance-wont-cover-acts-of-war/.
Another excellent article at DarkReading explains the situation well: https://www.darkreading.com/attacks-breaches/cyber-insurance-and-war-exclusions.
The only right way to avoid this is to make sure your defenses are as tough as possible, to prevent the attack in the first place.
How much does cybersecurity insurance cost?
The cost of cybersecurity insurance varies depending on a number of factors, including the size of your business, the industry you are in, and the amount of coverage you need. Generally speaking, you can expect to pay anywhere from a few hundred dollars to a few thousand dollars per year for a policy.
While, for a small company, this can feel like a large expense, a single moderate breach can cost hundreds of thousands and close most small businesses.
Who should buy cybersecurity insurance?
Most businesses can benefit from carrying some form of cybersecurity insurance. However, there are some businesses that are at a higher risk for cyber incidents and may need to carry more comprehensive coverage. These businesses include those in industries that are commonly targeted by hackers, such as healthcare, financial services, and retail. If you store sensitive customer data or handle large amounts of money, you should consider carrying a policy.
How can I lower my premiums?
There are a few things you can do to lower your cybersecurity insurance premiums. The primary way to reduce premiums is to invest in security measures to reduce the risk of a data breach. This can include things like firewalls, intrusion detection systems, and employee training.
All of this can and should be handled by a team of cybersecurity experts. If your company doesn’t have the resources for a cybersecurity team, you can contract with one to protect your company. They can implement all the recommended protections an insurance company would like to see.
Cybersecurity insurance is an important tool for businesses of all sizes. If you don’t have a policy in place, now is the time to get one. And if you already have a policy, make sure it is up to date and provides the coverage you need.