It may surprise you that your general commercial property and casualty insurance doesn’t cover cyber-attacks. You may not even know that such a thing as “cyber insurance” exists, or why a business would need it.
Cyber insurance helps policyholders financially by mitigating the cost of recovering from a cyber-related security breach. In my opinion, all companies need cyber insurance, which is also known as cyber risk insurance or cyber liability insurance coverage (CLIC). This need is especially pressing for companies that hold valuable data, such as Protected Health Information (PHI), financial data and stored credit card numbers, and proprietary information.
In the case of a breach, a good cyber insurance policy may cover:
- Investigating the root of the breach
- Notifying the impacted parties (required by HIPAA)
- Offering credit monitoring to those affected (also required by HIPAA)
- Paying regulatory and compliance fines
- Fixing the security infrastructure
- Covering legal costs
- Paying for public relations costs
- Negotiating with the attackers in the case of ransomware
- Reimbursing you for direct financial losses
Cyber insurance comes in two general types of policy:
- Direct Loss coverage pays for lost revenue due to an interruption of your own computer system, including a data breach; some policies also cover technology failures that are not the result of a cyber-attack.
- Contingent Business Interruption (CBI) coverage pays for interruptions outside your control, such as those caused by a vendor’s failure. Service interruption policies go further and cover a utility or internet service provider outage.
Potential Reasons to Use a Cyber Insurance Policy
Regardless of your business’s size, you are susceptible to numerous cyber threats, including:
- Ransomware – The most common attack these days is malware that encrypts your data and demands a ransom in exchange for the key that unlocks it. That is why most insurance policies cover negotiating with the attackers. Most ransomware attacks are untargeted and spread via spam emails that entice recipients to open a dangerous email attachment or click a link that downloads the malware.
- Targeted Attack – Attackers can also single out a business and penetrate its network to access data, or coordinate a DDoS attack that uses thousands of devices to bombard your network. The flood of requests (think website hits) slows down or crashes your network, preventing employees, clients, and potential customers from accessing your data and from communicating with your company.
- Mobile Devices – Most people forget that today’s phones are portable computers that can be infected by malware just like a desktop. An attacker can also use a mobile device to reach your company’s network via your public Wi-Fi connection.
- Human Error – Many data breaches come from a lost or stolen laptop, tablet, or phone that is unlocked and not encrypted. Simply requiring a password on every device prevents a large percentage of potential data exposures. Even if unintentional, it is considered a data breach if I find your unsecured laptop and open it to try to identify the owner so I can return the device to you.
- Disgruntled Employees – Employees have inside access to your network, and most businesses do not treat their data with the same care as physical financial records, so they do not limit access to it. Furthermore, many companies do not promptly revoke access or change passwords for terminated employees, and an irate ex-employee can do a lot of damage to a former employer.
Do I Need Cyber Insurance?
As I previously stated, I believe every company should have a cyber insurance policy, and after reviewing the five potential exposures above I think it is a no-brainer.
At this point, you’re probably wondering how much cyber insurance costs to weigh that cost against the risk. Per DataBreachInsuranceQuote.com, most small businesses can get a $1 million cyber risk insurance policy for just $1,200 a year. Obviously, the cost increases with the size of the company and the value of the policy; the above source gives numerous scenarios from doctor offices to SaaS providers.
You need to weigh that cost against these statistics from HowMuch.com:
- 62% of cyber-breach victims are small to mid-size businesses
- $20,752 is the average cost of a small-business data breach
- For comparison, a 2014 IBM study of 314 enterprise-level companies found that a breach costs $5.85 million on average [Security magazine]
Let’s do the math to determine the ROI of cyber insurance:
$20,752 average cost of a breach / $1,200 average annual cost of insurance = 17.29
It will take 17 years of insurance premiums to equal the cost of a typical data breach! Do you think your company will have a data breach in the next 18 years? If so, get cyber insurance.
What’s Required to Get Cyber Insurance?
Usually, cyber insurance is not hard to get. It may be available as a rider to your current business insurance policy. However, if your current insurer does not offer cyber insurance coverage, you will need to consult an insurance agent who specializes in this sector.
An added benefit of getting cyber insurance coverage is that most cyber insurance brokers will provide (or require) an initial assessment of your network security. This review is similar to having your vehicle inspected when switching auto insurance companies: the new insurer knows what it is insuring and will point out any concerns. “Simply put, it does no good to insure a boat with holes in it. The boat will sink and it is unlikely that any competent insurer is going to pay out on a policy in which the owner was being negligent.” – Robert E. Stewart, Sr. in a Security magazine article
A good IT firm can help you prepare for this assessment and for future audits, so that you remain compliant with the insurance company’s requirements as well as other compliance obligations such as HIPAA, FDIC, and PCI.
When considering whether to invest in cybersecurity protection and obtaining cyber insurance, remember that hope is not a strategy.