Ransomware is a dynamically evolving risk, impacting organizations around the world with rapidly increasing loss frequency and severity. Last year, the global cyber security insurance market was valued at $7.8 billion. The market is expected to continue growing at a staggering rate, up to $20.4 billion by the end of 2025 at a CAGR of 21.2%.
While cyber security insurance is still relatively new, demand for cover is increasing rapidly. Against a backdrop of rising cyber-attacks and increased regulations, organizations are feeling the pressure to ensure they are protected against cyber attacks and data theft and loss.
Globally, over 154 countries have enacted cyber legislation that either mandates or strongly recommends cyber protection, including the need for insurance. For insurance providers, this is a rare opportunity for growth and innovation.
Unfortunately, data breaches and other cyber crimes are becoming way too common. In the past couple of years, data breaches have resulted in major fines and legal fees – not to mention headaches – for a discount retail chain, one of the nation’s largest banks, a well-known health insurer, an entertainment network and the federal government.
But it’s not just large organizations that are susceptible to being hacked or getting a virus. Did you know that 55% of small businesses have experienced a data breach and that 53% have had multiple breaches?
A data breach can damage more than just your small-business computer system – it also can damage your reputation and put your customers and/or employees at risk. That’s why cyber insurance can be a smart precaution for any size business.
Providing cover is not straightforward. Cyber-attacks are not one-size-fits-all, making them harder to quantify from an insurance standpoint. Moreover, new methods of attack are constantly emerging. With causes ranging from human error to ransomware to identity theft, insurers must design extensive and agile policies to ensure they are providing sufficient protection.
Traditionally, insurers have provided cover on a sum-insured basis or conducted physical, time-consuming audits. For the fast-moving world of cybersecurity, this is inadequate: the assessment is either inaccurate at the point of underwriting or outdated once completed, resulting in risk levels that do not match what has been logged.
To provide effective insurance, and claim their stake within this growing market, insurance providers must pivot their models to ensure that they can effectively assess cyber-risk. To do this, they must offer competitively priced policies, manage the risk of the policy portfolio continuously, and also qualify legitimate claims and protect themselves from fraud.
Cyber insurance generally covers your business’ liability for a data breach involving sensitive customer information, such as Social Security numbers, credit card numbers, account numbers, driver’s license numbers and health
Cyber insurance – also known as cyber-liability insurance – is an insurance policy that helps protect organizations from the fallout from cyber-attacks and hacking threats. Having a cyber-insurance policy can help minimize business disruption during a cyber-incident and its aftermath, as well as potentially covering the financial cost of some elements of dealing with the attack and recovering from it.
“The formal definition of cyber insurance is essentially a contract between an insurer and a company to protect against losses that are related to computer- or network-based incidents,” explains Juergen Weiss, head of global financial services research and advisory at tech analyst Gartner.
Different policy providers might offer coverage of different things, but generally cyber insurance is likely to cover the immediate costs associated with falling victim to a cyberattack.
“Cyber insurance policies are designed to cover the costs of security failures, including data recovery, system forensics, as well as the costs of legal defence and making reparations to customers,” says Mark Bagley, VP at cybersecurity company AttackIQ.
Underwriting data recovery and system forensics, for example, would help cover some of the cost of investigating and remediating a cyberattack by employing forensic cybersecurity professionals to aid in finding out what happened – and fixing the issue.
This is the sort of standard procedure that follows in the aftermath of a ransomware attack, one of the most damaging and disrupting kinds of incident an organisation can face right now.
It is also the case that some cyber insurance companies cover the cost of actually giving in and paying a ransom – even though that’s something that law enforcement and the information security industry don’t recommend, as it just encourages cyber criminals to commit more attacks.
“The insurance company looks at what the potential incident response and forensic bill might be and that’s going to be bigger in many cases as organisations aren’t prepared, so they’d actually rather pay. It’s very frustrating,” says Theresa Payton, former White House CIO for the George W. Bush administration and founder and CEO of cybersecurity company Fortalice Solutions.
Business email compromise (BEC) phishing scams are another form of cyberattack that can cost a business a large, sometimes six-figure sum of money. These attacks see criminals posing as a CEO, supplier, or other trusted contact and duping people into transferring payments.
As the UK’s NCSC points out, some insurance policies will cover money lost in BEC fraud – but it’s often part of a specific policy that’s directly related to BEC. It therefore may not be covered by standard cybersecurity insurance – and your organisation could be left without any aid if that’s the case.
Organisations should, therefore, make sure they know exactly what they’re signing up for when choosing a cybersecurity insurance policy – and that it covers the potential damage of the most likely cyberattacks including ransomware, phishing and DDoS attacks.
The NCSC also notes that it’s worth checking if your organisation already has cyber insurance in place as part of existing policies, such as business interruption or property insurance. This might provide some level of coverage – or may specifically exclude cyber-related incidents.
There are some things that could be important to organisations that don’t tend to be covered by cyber insurance, and it’s vital to understand what isn’t covered so that the protection of these assets can be properly managed.
“Cyber insurance is still kind of limited compared to the true amount of risk. So don’t think that all forms of cyber risk are covered by insurance,” says Jon Bateman, fellow in the Cyber Policy Initiative of the Technology and International Affairs Program at the Carnegie Endowment for International Peace.
The financial damage caused by loss of intellectual property isn’t covered by cyber insurance, and neither are the reputational costs that can be incurred following a cyberattack.
For example, cyber insurance could pay out for the costs associated with dealing with the direct aftermath of a cyberattack, but in the longer run the company might lose business due to public perception of having poor cybersecurity. A cyber insurance policy won’t cover the cost of losing customers due to the bad reputation it picks up as a result of a cyberattack.
Cyber liability and crime insurance face several overlaps, and the offenses often unfold in similar ways. Still, these distinctions draw the line between the two:
Understanding the details of what coverage your company needs can be a confusing process.
In today’s business climate, it’s hard to find a business that doesn’t need cyber liability insurance. If you run a business that stores sensitive client, customer, and partner data, you need it. If your business supports electronic transactions, you definitely need it.
One of the greatest myths related to cybersecurity is that cybercriminals only target large corporations because that’s where they can steal the most money and do the most damage. That really couldn’t be farther from the truth.
The rate of attacks on small businesses is constantly increasing and this trend is expected to continue in 2020 and beyond. In fact, the COVID-19 pandemic is adding fuel to the fire. With more businesses asking their employees to work from home and many brick-and-mortar businesses starting to offer online services, social engineering attacks and data breach attempts will almost certainly be on the rise for businesses of all sizes and industries.
So in a majority of cases, the answer is “yes,” your business probably has a realistic need for cyber insurance. But what type and how much cyber insurance do you need?
The type of cyber liability insurance your business decides on purchasing should always be based on the needs of your company and which entities need protection. When it comes to cyberattacks, the business that is being attacked is not the only party that can potentially suffer losses. That’s why there are two types of cyber insurance policies that exist, first-party and third-party.
First-party cyber liability insurance protects your company. It will cover all of the costs related to a cyberattack, including but not limited to the following:
Any business that deals with electronic data should have first-party coverage to cover the many expenses that can arise from a cybercriminal hacking into their network and compromising the company’s data and the data of its clients, partners, and customers.
Third-party cyber liability insurance is tailored towards providing protection for businesses that offer professional services to other businesses that can be compromised by cyberthreats.
This coverage can be compared to professional liability insurance, in the sense that third-party cyber liability insurance can provide protection if you are being sued by another company for errors that you have made which have led to losses or damages to that company.
For example, if your law firm’s data security is compromised, and your law firm is accused of failing to prevent the data breach, third-party cyber liability insurance can pay legal fees, government penalties and fines, and settlements and judgments related to such claims.
No matter what type of insurance policy you’re purchasing, there are certain characteristics of your business that are considered the main drivers behind coverage cost. This means that your cyber insurance cost will depend on the type of business you run and the level of cyber risks you are exposed to.
A recent study performed by AdvisorSmith Solution Inc. found that the average cost of a cyber liability policy in 2019 was $1,500 per year for $1 million in coverage, with a $10,000 deductible.
Of course, businesses can pay much less or much more for their coverage depending on several key factors.
Let’s take a look at some of the key business characteristics insurers will need to investigate and identify before being able to calculate your business’s cyber liability insurance premium.
Size and Industry
The size of your company is important because the more employees you have, the greater the risk of phishing and social engineering attacks you face. However, your industry is probably the single most important characteristic of your business when it comes to determining the needs and cost of your cyber insurance.
Your business’s industry will place you into one of three tiers (low, medium, and high) of risk related to the type and amount of data your business stores.
Amount and Sensitivity of Data
Low-risk companies, such as local businesses with a limited customer base, will pay less for their cyber insurance than, for example, a retail store that receives and stores customer credit card numbers in their store and through their website or ecommerce shop.
A high-risk company would be something like a hospital or healthcare facility that stores a large amount of very sensitive personal data, such as Social Security numbers, dates of birth, and other highly personal information.
The more money your business makes, in the eyes of the insurer, the greater chances are that a cybercriminal will want to target your company. Therefore, the more revenue your business generates, the more you’ll have to pay for cyber liability insurance.
Strength of Security Measures
Insurers will reward businesses that dedicate significant resources and efforts towards preventing cybercrime with lower premiums. High-risk companies should educate their workers about these risks and employ experts to install security protocols, monitor hardware and software security, and put together proper procedures and plans for what needs to be done if a cyberattack does occur.
Your coverage limits and deductible will also greatly influence your premium. The greater your coverage limit is, the more you’re going to pay. Cyber liability coverage limits typically range between $500,000 and $5 million per occurrence.
The deductible is the amount of loss that your business is responsible for in the event of a cyberattack that is covered by your policy. Businesses should consult their brokers to determine which options are best for them. For example, if you choose a lower deductible, you’ll pay less in the event of a cybercrime; however, you’ll end up paying a greater premium.
Managing your cyber liability risks starts with educating your employees. Employees who have a good idea of what cyberattacks look like and what suspicious communications they need to steer clear of will be less likely to do anything that puts your business at risk. Making sure that your staff understands what phishing and social engineering look like gives them the awareness needed to avoid falling for these types of schemes.
As previously mentioned, having an in-house security team that is dedicated to protecting your business from cyber threats is a smart investment, especially in high-risk industries. Another important aspect of cybercrime risk mitigation is making sure that your business partners and any third parties that have access to your networks are also well protected and don’t pose a security threat.
Cyber insurance is a new threat to your business and it requires a sophisticated and detailed assessment. Let compareaquote.com work with you to get you the best possible coverage.