Cybersecurity insurance, also commonly referred to as cyber liability insurance or cyber risk insurance, is a type of insurance cover that organizations can buy to ensure they receive support in the event of a cyberattack.
In today’s digital age, almost one third of US business is conducted online, with organizations increasingly relying on the internet to deliver their services and reach out to new customers. But web-based attacks aren’t the only threat modern businesses are facing; we’re increasingly seeing companies of all sizes and across all sectors being targeted by sophisticated endpoint attacks such as ransomware, and email-based attacks such as spear-phishing, which use a business’ operational dependence on technology to tap into their systems and wreak havoc, both financially and in terms of data security.
When a business invests in cybersecurity insurance, they pay a monthly or quarterly fee to their insurance provider who, in return, accepts some of the risk associated with a cyberattack. This means that the business doesn’t have to deal with the attack alone; their insurance provider will help them get back on their feet. Depending on the policy chosen, this support can involve mitigating business disruption, providing financial protection, and navigating legal actions once the immediate effects of the incident are dealt with.
Cybersecurity insurance is generally not included in business liability insurance policies, which cover injuries and property damage for which a business or its services may be responsible. This means that, if a company wants cyber insurance, they have to invest in it separately. And that leads to some important questions…
What does cyber insurance cover? How much does it cost? And, finally, is it worth buying?
In this guide, we’ll explain the key benefits of cyber insurance, including incidents that cyber insurance policies may cover. We’ll also break down the cost of cyber insurance, to help you decide whether it’s something that your business needs.
What Are The Benefits Of Cybersecurity Insurance?
There are a number of reasons for your business to invest in cybersecurity insurance:
General liability insurance policies often don’t offer organizations protection when it comes to loss of their virtual assets, such as data lost in a breach. But data loss can have catastrophic financial consequences that often outweigh the cost of recovering physical assets. The average cost of a data breach is 3.86 million dollars and, if that breach involves the personally identifiable information (PII) of customers, it can cost even more—up to four dollars more, in fact, per lost or stolen record. Investing in cybersecurity insurance can provide a business with the assurance that their finances are protected, and help them minimize the potentially devastating costs associated with a breach.
Cyber insurance can also provide support in the event of cyber extortion through an attack such as ransomware, in which an attacker holds corporate data hostage until their victim hands over a large sum of money.
If a business suffers a data breach, they’re required by law to notify anyone who could be affected that the breach has occurred. In the UK, this is mandated by GDPR; in the US, there isn’t a federal data breach notification law—the rules change from state to state, so it’s important to check exactly which processes you should follow depending on where your company is based. However, most states require that you report the breach immediately to your customers, usually in writing.
If third-party data is lost in a breach, the company that was breached may choose to seek legal assistance—which can be very expensive. But with a cyber insurance policy in place, organizations can more easily afford the legal support they need following an attack.
While data breaches often cause immediate financial and data loss, they can also lead to longer-term loss of money due to operational interruptions. This can also cause increased reputational damage and a loss of customers; if you can’t provide the service they’re paying for over an extended period of time, they’re likely to look to your competitors for that service instead.
Some cybersecurity insurance policies cover loss of income due to operational downtime. And if your business finds a way to keep operations running but at a higher cost to the business, some insurance policies also cover those increased costs.
After a cyberattack, organizations have to carry out in-depth investigations of their virtual environments to work out how much damage the breach caused, and how the attacker infiltrated their systems in the first place. This is called a forensic investigation, and is usually carried out by a computer forensics team.
Some cybersecurity insurance policies offer reimbursement for the cost of forensic investigations; others go a step further, even offering 24/7 support from dedicated technical experts to ensure the investigation is completed thoroughly and efficiently so that you can get back on your feet more quickly and confidently.
What Does Cyber Insurance Cover?
Most cyber insurance policies cover losses that directly impact the first party (your business) and any third parties due to their relationship with your business. First-party coverage often includes the cost of:
- Hiring a forensics team to investigate the incident, help recover lost data and restore your systems
- The loss of income caused by operational downtime
- Extortion payments
- Notifying third parties (such as your customers) that a breach has occurred
- Repairing or replacing compromised devices and systems
Third-party coverage usually includes:
- Damages and settlements
- The cost of legal defense against claims of a data protection breach
- Support in restoring the identities of any third parties whose personal data was compromised
But, as comprehensive as it is, cyber insurance doesn’t cover everything. And because the cybersecurity insurance market is still relatively new, policies vary widely between providers; no two policies are the same, so you need to make sure you’re choosing the best one to meet your business needs.
How To Choose The Right Cybersecurity Insurance
Before you invest in cybersecurity insurance, you need to be aware of how closely linked your business’ data, devices and systems are to your operations, so that you can choose the right level of cover. You also need to have a good understanding of the most common types of threat your business is facing, so that you can find a provider that offers support in the case of such an incident. Some insurance providers, for example, don’t cover financial loss in the case of business email compromise (BEC); others won’t cover financial loss in the event of a repeat incident, or may require you to have certain preventative technologies in place before they’ll agree to cover you.
So, you need to make sure that the policy you choose offers protection against the types of threat you’re facing and is also suitable for your digital environment.
To do this, there are some key questions that you should ask any prospective insurance providers before investing:
- Does the policy cover compensation claims by third parties in the event that their data is lost during a breach at your business?
- What services does the provider offer in immediate response to a cyberattack to help manage recovery?
- What services does the provider offer to help your business improve its cyber resilience, so that you can avoid repeat attacks?
How Much Does Cyber Insurance Cost?
Like other types of business insurance, the cost of cybersecurity insurance varies according to several key factors. These include your annual revenue, the industry you’re operating in, the level of network security you already have in place, and the types of data that you typically handle. Certain industries and types of data are more at risk of being targeted by cybercrime; with more people turning to virtual streaming and gaming platforms for recreation in the last two years, the entertainment industry is currently the most breached sector, with attackers increasingly targeting web applications and utilizing malware to steal personal data and login credentials. However, the healthcare industry suffers the most in terms of the cost of a breach because of the amount of personal health information (PHI) and PII handled.
To qualify for cyber insurance coverage, you usually have to submit to a security audit conducted by the insurance provider. Alternatively, you can give them documentation of your security by using an approved assessment tool, such as the one provided by the Federal Financial Institutions Examination Council (FFIEC) in the US. This will help the insurance provider work out the type of coverage best suited to your specific needs, as well as calculate the cost of the insurance.
Who Needs Cybersecurity Insurance?
If your business handles electronic data at rest, in storage or in transit, it’s worth looking into cybersecurity insurance. Your data—be that corporate data or the personal information of your customers—is at the very core of everything your business does. Cybercriminals know this, and they use businesses’ reliance on their data to exploit them. And the attacks by which they gain access to that data are becoming increasingly sophisticated and difficult to prevent.
Investing in cybersecurity insurance can help with the cost of dealing with a cyberattack, including the immediate response and longer-term recovery.
We particularly recommend cyber insurance to organizations that handle payment data, such as credit card numbers and customer addresses, as they may benefit from the liability coverage that cybersecurity insurance can provide.
While cybersecurity insurance can help a business recover more effectively, efficiently and affordably from a cyberattack, it won’t prevent a security breach. In fact, investing in cyber insurance can create a false sense of security; after buying insurance, some organizations may not dedicate as many resources to developing security policies and their security infrastructure.
But just as drivers with car insurance are expected to lock their car and park it in a garage or outside their home at night, it’s critical that businesses continue to implement the proper security measures to protect their data.
We recommend that you start with the fundamentals: email security, endpoint protection, and identity and access security. You should also train your employees to identify and correctly respond to cyber threats.
We’ve put together guides to the top solutions on the market in each of these categories to help you find the ones best suited to your business: