According to IBM’s Cost of a Data Breach 2022 report, the average total cost of a data breach is $4.35 million USD, a 2.6% increase on the previous year. Not only that – 83% of the organizations surveyed had suffered more than one data breach. Taken together, these two statistics show how potent the threat of data breaches is, and that the threat is still growing.
The cost of a data breach can spiral: engaging forensic investigators, replacing damaged systems and services, fixing the security weaknesses that were exploited, dealing with customer lawsuits, and paying fines or penalties if personally identifiable information (PII) is lost.
Many of these areas can be covered under cybersecurity insurance. This type of insurance can help to mitigate some of these costs and ensure that your organization can recover, economically, from a cyber-attack. This article will explore how cybersecurity insurance works, the coverage that it provides, and the type of organizations that would benefit from it.
How Does Cybersecurity Insurance Work?
Cybersecurity insurance is designed to protect your organization financially should you become the victim of a cyber-attack. Cyber insurance can also cover the costs associated with a network failure that prevents you from operating as usual. Depending on the policies that you choose (first- or third-party), the insurance can also offer coverage against reputational damage and loss of earnings. The primary areas covered by cybersecurity insurance are:
- Network security and privacy liability – data breaches, malware infection, cyber extortion demands, ransomware and business email compromise (BEC) are covered under this area. The privacy liability repercussions, such as legal action as a result of a data breach, reputation management, and customer notification, are also covered.
- Network business interruption – if your network is attacked and you are unable to operate as normal, you can recover lost profits, fixed expenses, and additional costs due to the network disruption.
- Media liability – this covers claims made against your organization because its own advertising, website or other published content infringed a third party’s intellectual property (patent infringement is usually excluded), or defamed or invaded the privacy of a third party.
- Errors and omissions (E&O) – if your organization is unable to provide a service as contractually obliged due to a cyber event, this type of coverage can cover the expense of the resulting legal proceedings.
It is worth taking the time to consider your organization’s level of exposure, the threats that you are likely to face, and the areas that you need your insurance policy to cover. A medical organization, for example, holds quite different information and faces different risks from an eCommerce website. By understanding how your organization operates, you can tailor your policies to suit it. As with traditional types of insurance, cybersecurity insurance is offered as first- or third-party cover.
A first-party policy covers your own organization’s financial loss as a result of a cyber breach. In the aftermath of an attack, your organization may have to spend money replacing or fixing damaged IT systems and investigating the breach, as well as absorbing the loss of earnings caused by an inability to operate as usual. Areas covered by a first-party cybersecurity insurance policy are:
- Ransom or extortion payments demanded in a ransomware attack
- Notifying customers about data breaches if there is a legal or regulatory requirement to do so
- Employing specialists in computer forensics to recover compromised data, and build a comprehensive picture of the attack timeline
- Identity restoration services for customers and users whose PII has been compromised
- Repairing or replacing damaged or compromised computer systems
- Business interruption during network downtime
- Reputational damage as a result of a security or privacy breach where intellectual property or customer data is affected
Third-party insurance protects your organization from claims made by a third party, i.e., your customers or users who are affected by an attack on your network. If a third party seeks damages or sues, third-party insurance can cover the consequences. As such, third-party cover insures your organization in these key areas:
- Investigation and remediation of a security breach
- Costs associated with civil damages and defence costs
- Multi-media liability – this covers investigation, defence costs and civil damages arising from defamation, breach of privacy or negligence in a print or electronic publication
- Loss of third-party data
- Payment of compensation to customers for network downtime and service failures
- Fines or penalties from a regulatory body.
Because the organizations that could benefit from cybersecurity insurance offer such a wide variety of services, there is a greater need for specific, tailored cover than there is with traditional forms of insurance. The vast majority (96%) of cybersecurity insurance claims are made on first-party policies, with only 4% of claims being made on third-party policies.
What Is Not Covered By Cybersecurity Insurance?
Cybersecurity insurance offers coverage over multiple areas to protect your organization against a variety of impacts. It is worth considering the details of what is not covered, and the circumstances that might invalidate your policy or lead to a claim being denied:
- The cost of remedying the effects of a prior (or pre-existing) cybersecurity breach that occurred before the policy was taken out
- Future or predicted profits that are unfulfilled because of a cyber attack
- Cyber-attacks that were caused or initiated by an employee or someone else inside the organization (many policies exclude insider attacks)
- Infrastructure failures that are not caused by a cyber attack
- An attack that exploits a known vulnerability – if your organization is aware of a security weakness, it must work to remediate it; otherwise a claim for an attack that exploited it may be denied, or the policy voided altogether
What Are The Benefits Of Cybersecurity Insurance?
With an insurance policy that is tailored to cyber risk, the coverage offered is specific and proportionate to the effect of an attack. The cost of a data breach can far exceed what traditional business insurance anticipates or covers. Without cybersecurity insurance, the cost of fixing infrastructure and managing the repercussions of the attack can quickly become exorbitant. Being able to show that you have comprehensive insurance cover can also reassure investors and customers that their data, and money, is protected.
The effects of a cyber-attack are not only economic: legal proceedings can follow if PII is stolen. Cybersecurity insurance can not only cover these expenses, but also provide advice and contacts to help navigate the legal fallout.
The same can be said for the forensic support required to analyze the timeline and entry points of an attack. This may be an external contractor, or an incident response team retained by the insurer or broker. This type of technical knowledge is invaluable if legal proceedings follow, and it can help your organization protect itself in the future.
This is a broad overview of cybersecurity insurance. We have explained what cybersecurity insurance can offer and how the policies work, but who would benefit from this type of insurance?
Who Should Have Cybersecurity Insurance?
Any organization that processes data and relies on online systems should consider cybersecurity insurance. If you hold data that can be stolen, or run digital systems that could be disrupted by an attack, cybersecurity insurance will stand your organization in better stead should you be attacked.
Depending on how your organization operates, you might not need to take out all of the policy options. Business interruption might be a more significant threat than data loss, depending on your sector. It is worth speaking with a broker to ensure you are getting the right policy for your organization.
Some sectors are particularly exposed to a cyber-attack, notably financial and medical organizations. These sectors store large amounts of PII and are heavily regulated, so any security breach can result in large penalties as well as reputational damage. Even if these organizations have robust security systems in place, they remain an enticing target for attackers: a large haul of PII is very valuable on the dark web.
SMBs are also vulnerable because of their size. The cost of restoring systems or paying a ransom may not be feasible for many small to medium organizations. This can be exacerbated by previous cybersecurity decisions: an organization that has not invested sufficiently in its security is more likely to be affected by an attack. SMBs typically need lower limits than larger organizations, so cover is usually more affordable.
A broker or insurer might want specific details of your technical, procedural, and human security controls to understand how well protected your organization is against a cyber-attack. If you take a proactive approach to cybersecurity, you are less likely to suffer a security breach, and therefore less likely to make a claim on the policy. If you can demonstrate that effective security controls are in place, some insurers will reduce your premiums.
Questions To Ask
Before you choose a cybersecurity insurance solution, it is worth considering the risks that your organization faces. How much data does your organization store? How large are the fines and penalties if this data is stolen? How long might it take to restore secure network access in the aftermath of an attack? What is the value of the revenue lost if your organization is unable to operate? Once you have answered these questions, you will have a better understanding of your organization’s insurance needs. You can then find a suitable broker and tailor policies to fit your organization’s way of working.
How To Qualify For Cybersecurity Insurance
Because cybersecurity insurance policies can provide millions of dollars in coverage, insurers will carry out a cybersecurity risk assessment before underwriting a policy. Depending on the organization, the insurer, and the type of cover, this might be as simple as a questionnaire, or as extensive as a detailed analysis of your existing infrastructure.
Insurers will want to ensure that your organization has a proactive approach to security and has implemented robust measures that decrease the chances of a claim on the policy. Essential aspects of your security setup might include MFA, antivirus/anti-malware software, a network firewall, regular patching of known vulnerabilities, and tested backups kept offline or otherwise out of reach of an attacker. Having these in place will put you in a much better position to recover from a cyber-attack.
Cybersecurity insurance can be an important part of your organization’s risk-management portfolio. If you are the victim of a cyber-attack, cybersecurity insurance can help to remedy the situation and ensure you do not face economic ruin in the aftermath. Cybersecurity insurance does not, however, decrease your chances of being attacked; it only changes the aftermath of an attack. In fact, if it is public knowledge that your organization has ransom or extortion coverage, your organization might be seen as a more enticing target, because attackers know there is money to be “claimed”.
You should not invest in cybersecurity insurance at the expense of robust and comprehensive security controls. Ensuring that your network is as secure as it can be – that your staff have completed security awareness training, that MFA is in place, and that your secure email gateway (SEG), SIEM or SOAR tooling is tuned and effective – has the double benefit of securing your organization while driving your insurance premiums down.