Cyber threats keep growing. In a recent survey, 72% of respondents reported an increase in cyber risks. 42% reported experiencing phishing and social engineering attacks.
In this environment, more leaders are asking themselves if they need cyber insurance. Cyber insurance is designed to mitigate financial and operational losses from cyberattacks or data breaches. It is good protection against financial fallout. However, cyber insurance is not a substitute for good cybersecurity.
What is Cyber Insurance?
Cyber insurance may also be called cyber liability insurance or cybersecurity insurance. It is designed to provide coverage for businesses that fall victim to a cyber threat. Small businesses can find cyber insurance valuable.
Cyber insurance provides coverage for the following:
- Data breach response and notification costs. Cyber insurance can help cover the cost of notifying customers, which may be a legal requirement after a breach and is always best practice. They can also pay for the IT costs of restoring systems and for bringing in a cybersecurity consultant.
- Ransomware/extortion payments. While it’s not recommended that you pay the ransom after an attack, some small businesses may find they have no choice (prior mitigation can reduce the risk). Cyber insurance can cover those payments.
- Business interruption losses. This is often the most significant part of a payout. Insurance will cover you for business interruption costs, such as lost orders due to your website being down, production losses, etc.
- Legal and compliance fees. You may need to hire a lawyer and face regulatory fines after a breach.
- Public relations and reputational management. A good policy will also cover the costs of working to restore your reputation after a breach, such as hiring a PR firm.
Bear in mind that it does not typically cover criminal proceedings, intentional acts by you or your employees, and issues with computers owned by third parties, such as cloud providers or subsidiaries not under your direct control.
Cyber insurance also comes in two types:
- First-party coverage covers your costs to recover from an attack, such as data recovery and digital forensics.
- Third-party coverage covers your legal expenses if you are sued because of a breach.
Most businesses should get both.
Why Businesses are Turning to Cyber Insurance
According to a report by IBM and the Ponemon Institute, the global average cost of a data breach was $4.4 million. Fortunately, this figure has dropped because organizations are containing breaches faster, but it is still a lot of money, especially for a smaller business. And the number of incidents continues to increase.
On top of that, regulators are pushing companies on privacy more than ever. The GDPR applies to anyone doing business in Europe. Healthcare providers in the U.S. must comply with HIPAA. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organizations. At this point, these laws are well established, but the ongoing push for privacy at both the regulatory and cultural levels means companies are more likely to be fined and/or sued for breaches than ever before.
Clients and partners may even ask for proof of cyber insurance coverage, especially if there will be any integration between IT systems. SaaS companies increasingly need coverage to retain clients. Cyber insurance is not enough on its own, but it is increasingly viewed as part of a holistic risk management strategy.
The Benefits of Cyber Insurance
So, why should you get cyber insurance? Here are some benefits:
Financial Protection
Cyber insurance helps cover the direct and indirect costs of a breach. These include hiring someone to recode your website, business interruption after ransomware locks your network, etc.
Companies with insurance can access funds to do this, allowing them to recover faster, absorb costs, and reduce downtime.
Crisis Management Support
Many cyber insurance companies offer support during a crisis. They can help you find specialists in forensics, PR, or legal affairs. Because their goal is to reduce the claim, they will help with breach response and compliance to reduce your costs and theirs.
Encouragement of Better Cyber Hygiene
Insurers typically require baseline security standards such as MFA, encrypted backups, etc. This can help motivate your organization to strengthen its posture. They may also offer a premium break if you meet higher standards.
Peace of Mind for Executives and Stakeholders
Having insurance means that leaders and other stakeholders are less worried about financial exposure and can focus on other matters. Worry can impact your ability to do your job.
The Limitations of Cyber Insurance
Cyber insurance has some limitations you should consider.
Coverage Gaps and Exclusions
Read your policy carefully. Failing to meet policy conditions, such as requirements for MFA or patching all software, can void coverage. Policies may also exclude specific types of attacks or blatant human error. Few policies cover intentional acts, even when committed by a disgruntled employee.
High Premiums and Deductibles
The growth in attacks has also hit cyber insurance providers. Premiums are increasing and likely to increase further, often significantly. Deductibles are also rising. Small to mid-sized businesses may find premiums out of their reach.
Reactive, Not Preventive
Although following an insurer’s guidelines can help, insurance does not prevent attacks. It mitigates the impact after they occur. Insurance should be used in combination with security best practices, not on its own.
Complex Claims Process
Like all insurers, cyber insurers may be reluctant to pay a claim. They may have a complicated process or engage in lengthy investigations. Often, they will try to dispute the cause to argue you are not covered or negotiate down the scope of your loss.
When Cyber Insurance Makes Sense
Cyber insurance makes a lot of sense for businesses that handle sensitive data, such as financial and health data. Such organizations are at greater risk of lawsuits and fines and may face increased attack risk.
It also makes sense if your digital assets are critical, such as for a cloud provider, or if your clients or contracts require coverage. Businesses that lack high capital reserves may not be able to absorb breach costs.
When It Might Not Be Enough
While cyber insurance can help in the event of a breach, some firms end up relying on it too much. This is a bad practice; you also need to invest in cybersecurity controls. Some businesses may also decide they don’t need incident response planning, but that is a mistake. While insurers provide resources, you still need to plan.
Some high-risk industries may not benefit from insurance because the policy limits are too low. Again, read your policy carefully so you know what is covered.
Best Practices for Evaluating a Policy
When reviewing a cyber insurance policy, make sure you understand what is covered and what is excluded. Read the policy carefully and ask the salesman or broker any questions. Don’t choose the first provider or automatically go with, say, the company that provides your business interruption coverage. Instead, compare several policies and providers.
Ensure the coverage aligns with your business risk profile and compliance needs. Ideally, choose a provider with a good track record in your industry. Then work with a cybersecurity advisor, such as Yobihouse, to ensure your practices meet your insurer’s requirements.
Cyber insurance can be a wise business investment, but it must be combined with strong cybersecurity practices. Never let cyber insurance replace prevention, but consider it part of resilience, and choose your policy carefully.
If you need help with your cybersecurity, contact Yobihouse. We can help you design policies and procedures to support both prevention and resilience. Remember that being unprepared for a cyber incident is more expensive than prevention or any insurance premium you might be charged.