Let’s talk about cyber liability insurance and how to keep your business secure while investing in the proper coverage. Last year we saw an exponential growth of organizations going through digital transformation and adopting a remote workforce. This created an abundance of opportunities for cyber criminals to successfully execute cyberattacks.
With billions of cyber threats happening around the clock, it is key we have a plan to detect and respond at all times. No business wants to be in the news being exposed for a cyber breach. Many organizations have tools and protocols in place to mitigate cyber risk. Cyber insurance comes into play when a bad actor can find a vulnerability in an organization’s infrastructure and exploits it.
What is Cyber Liability Insurance?
This type of coverage assists organizations with the costs of a data breach or malicious software attack. Depending on your plan, expenses covered may include ransomware extortion payments, negotiators, forensic consultation, customer notification, credit monitoring, legal fees, and fines.
You may be wondering if you ‘really’ need to pay for cyber liability insurance. The right answer is likely ‘Yes!’ but it depends on your risk appetite. Typically organizations who undergo an attack will outspend what they would have if they actually had coverage. Also with cyber breaches becoming increasingly common, small to medium businesses can face costs that can often take them out of business.
There are two types of cyber liability coverage:
- First-Party: covers anything pertaining to your organization
- Third-Party: protect businesses that offer professional services to other companies that can be compromised by cyber attacks
Let’s talk about how much of an investment this would be and where you can save on costs without putting your business at risk. Here is a list of main factors that are often considered when calculating cyber liability insurance premiums:
- Annual Revenue & Employee Count
- Organization Size and Industry
- Amount of Sensitive Data Being Housed such as PII
- Strength of Security Measures
- Required Regulatory Compliance Measures
- Previous history of breaches or insurance claims
- Coverage limits
How to Bring Coverage Costs Down
Standard & Poor’s Corp. reported that “Cyber insurance premiums, which now total about $5 billion annually, will increase 20% to 30% per year on average in the near future.” This likely due to the industrialization and automation of cyberattacks.
Here are some factors that can be considered when lowering the cost of coverage.
- Follow best practices & implement frameworks such as NIST or ISO.
- Proper prevention and management of cyber threats
- Perform regular risk and security assessment
- Proper and documented governance within the organization
- Having an 24/7 security operations team reviewing your events and alerts
Typically the more risk mitigation and security you implement, the more you are able to save on your premium for cyber insurance. On average, cyber insurance can cost an organization between $1,100 -$1,600 a year for $1 Million in liability coverage, with a $10,000 deductible (Business Insurance, 2019). Paying for cyber insurance is a relatively small investment to pay in return for the professional assistance and financial stability in the case of a breach.
Top 4 Loopholes Baked into Cyber Insurance Policies
There are some loopholes that cyber insurance companies will use within their policies that are good to be aware of as you acquire or review your policy:
- Phishing Maybe Considered Negligence – If your organization is compromised and it is discovered to be due to a successful phishing email, some insurance policies will not cover this. Insurance providers can claim that the organization allowed it to happen due to improper internal risk management and negligence, better known as human error. We recommend implementing phishing exercises and security awareness training.
- Lack of Routine Patching & Maintenance – Your cyber insurance policy may not protect you if your systems are not routinely updated and patched. We recommend performing external and internal security assessments to ensure your most critical issues are addressed in a timely manner.
- Incident Only Coverage – Some insurance provider policies may only cover you for the losses incurred during the actual breach, and not cover any financial loss that occurred after the cyber attack.
- Incomplete Coverage Due to Changes – Particularly with all of the digital transformation that occurred during the pandemic, many organizations made major changes to their infrastructure such as moving to the cloud. If policies are not reviewed in parallel with those changes, there is a chance that coverage may not apply to those environments.
Overreliance on Cyber Liability Insurance
Obtaining cyber insurance is highly recommended but will not protect your organization’s data from being breached. Your organization must have the proper cyber security measures in place as your reputation is still on the line.