Any organization that aims to build robust cybersecurity understands that cyber insurance or cyber liability insurance is an essential component of any information security program. But recently, insurance claims have become increasingly complex and a policy is not a guarantee that when calamity strikes, the insurance companies will pay.
An adequate understanding of cyber insurance and efficient IT compliance software will help ensure your claims aren’t denied.
What is cyber insurance?
Cyber insurance is a special kind of insurance for businesses and individuals to protect against financial losses due to cyberattacks or other internet-based risks. Cyber liability insurance typically includes restitution from lawsuits related to data breaches, losses from network security breaches and loss of privacy.
Why is cyber insurance important?
According to a 2022 report, cyberattacks are now viewed as the biggest risk to business — outranking COVID-19, skills shortages, market volatility and a plethora of other issues. The report further stated that the median cost of a cyberattack has increased — from $10,000 in 2021 to $18,000 in 2022.
Cyberattacks can potentially shut down a business. Hackers can wreak havoc after stealing sensitive customer information (e.g., credit card numbers, Social Security numbers and home addresses). They can siphon off a business’s capital and even ruin the owner’s credit.
What are the benefits of cyber insurance?
Cybersecurity insurance policies are designed to meet your company’s specific needs and offer numerous benefits, including:
- Data breach coverage: The cost of data breaches, including the cost of litigation, recovery and identity theft are covered under cyber liability insurance.
- Business loss reimbursement: Companies incur heavy revenue losses due to the interruption caused by cyberattacks. A good cyber insurance policy will insulate your company from these losses and provide reimbursement for any loss of income due to the data breach.
- Insulation against cyber extortion: Ransomware attacks are designed to steal or prevent organizations from accessing crucial data until a hefty payout is offered. Cyber liability insurance can insulate businesses from the revenue loss associated with this type of cyber extortion.
- Forensic support: Organizations must investigate the vulnerabilities to identify the cause of a cyberattack and the extent of the damage. Some cyber insurance policies cover the cost of forensic investigation and expert fees.
Who needs cyber insurance?
The effects of a cyberattack on technology companies, financial institutions, healthcare, manufacturing and e-commerce businesses can be devastating considering the volume of sensitive customer information they handle. While it is imperative such organizations must have cyber insurance, it is equally important that small or medium businesses also have cyber security insurance in place.
If your organization handles any of the following information, you should really consider cyber liability insurance:
- Social Security numbers
- Credit and debit cards details
- Banking details of customers
- Taxpayer Identification Numbers
- Home addresses
- Full names
Is cyber insurance required?
While there is no law or regulation requiring organizations to have a cyber insurance policy, businesses that understand cyberattacks are inevitable and how data breach costs could have a devasting impact on their business, invariably get one.
Businesses that are required to follow security and privacy regulations such as Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA) should also seriously consider purchasing cybersecurity insurance to stay compliant.
How does cyber insurance work?
The main goal of cybersecurity insurance is to assist an organization to recover from the impact of a security breach by covering the costs that arise due to the data breach. Cyber insurance is provided primarily by the same providers that offer other related business insurance, such as errors and omissions insurance (E&O), business liability insurance and commercial property insurance.
The costs associated with remediation, including payment for legal assistance, investigators, crisis communicators and customer credits or refunds are also covered in the cyber liability insurance.
First-party vs. third-party cyber insurance
While cyber policies once provided only basic third-party breach coverage, today they provide comprehensive coverage that includes several claims. The need for cyber insurance has increased to such an extent that the cyber insurance market is predicted to turn into a $20.432 billion industry by 2027.
There are two main types of cyber insurance — first-party and third-party insurance. First-party cyber liability insurance aims to help an organization respond to data breaches on its network or systems while third-party cyber liability insurance assists a company to pay for lawsuits due to a data breach on a client’s network or system.
First-party cyber coverage
Hackers target businesses that store information. Following a data breach, a first-party cyber liability insurance policy helps cover the:
- Cost of IT forensics
- Cost of notifying customers and all parties concerned
- Credit protection costs
- Crisis management costs
- Business interruption costs
- Ransom paid to a cyber extortionist
Third-party cyber coverage
Third-party cyber insurance offers a potential payout for claims brought against the policyholder by third parties affected by the data breach. It helps cover lawyer fees, court costs and damages related to the following types of claims:
Personally Identifiable Information (PII) related
- Social security numbers
- Credit card numbers
- Personal health information
- Bank account information
- Sensitive corporate information
Third-party claim also covers
- Denial of service attacks
- Breach of contract
- Failure to protect data
- Network security breaches
- Transmission of software viruses
What does cyber insurance actually cover?
A good cyber liability policy covers three main categories of financial risk:
- First-party expenses: Includes costs to organizations for forensics services, crisis management, revenue loss, notification to affected parties and other related expenses trigged by the cyberattack.
- Third-party expenses: Liability claims, fines and penalties are treated as third-party expenses.
- Financial loss due to cybercrime: Revenue losses resulting directly from the attack such as hackers stealing funds.
What is not covered by cyber insurance?
Your cyber liability insurance, depending on your plan, offers comprehensive coverage for your business to protect and mitigate against financial losses due to data breaches. However, there are situations where it might not cover certain expenses.
- Act of war: If a cyberattack is considered an act of war by the government, the insurance companies may not cover the damages.
- Intellectual property: A revenue loss because of intellectual property theft through cybercrime may not be considered.
- Technology upgrades: The cost of upgrading and improving your security system following a data breach may not be considered.
- Social engineering: If sensitive information has been obtained by social engineering, the damages may not be covered.
What are the different types of cyber insurance?
The classification of cyber insurance packages can take on many different forms and categorizations based on a range of criteria. However, broadly speaking, there are four key types that you should look for while shopping for cyber insurance coverage. They are:
Network security coverage
A breach in network security can have a devastating effect on a business. However, many cyber insurance policies do not cover these losses. That is why it is important you look for first-party network security coverage as it mitigates the risk of loss from activities such as:
- Security breaches
- Data theft
- Losses due to denial of service
- Cyberterrorism attacks
- Computer viruses
- Data restoration losses
- DDoS attack
Network business interruption coverage
A network business interruption coverage will cover business income loss and extra expenses incurred during a computer network outage. Business income losses that occur directly as a result of total, partial or intermittent interruption are covered under this first-party coverage. This cyber liability insurance provides coverage for:
- Privacy breach
- Security breach
- Administrative error
- Power failure
Privacy liability coverage
You need a privacy liability insurance to cover losses when you fail to protect sensitive personal information such as customer credit card, social security number and other confidential data. This first-party cyber insurance coverage provides liability coverage for:
- Forensic investigation
- Cost of notifying customers and other concerned parties
- Regulatory defense coverage
- Legal expenses
- Credit protection costs
- Expenses to comply with government privacy regulations
Errors and omissions coverage
Errors and omissions are a third-party insurance bundle that protects you when a client sues your business for professional negligence. The coverage will help pay for your legal defense, including penalties and fines. The following instances are covered under E&O coverage:
- Errors or oversights
- Contract breach
- Failure to deliver professional services
- Failure to meet deadlines
- Budget overrun
- Poor advice
Is cyber insurance worth the cost?
Yes, it is. As per current market trends, small businesses pay around $1,500 per year for cyber liability insurance while others pay between $1,500 and $3,000 per year. However, compared to the high cost of a cyberattack, having cyber insurance is good for your business.
Consider this — if your organization experiences a cyberattack, you will have to bear the ransom cost, revenue loss third-party notification expenses, and even legal fees and penalties — all out of your own pocket. All of this makes cyber insurance a smart bet.
What is the average cyber claim?
While data breaches are the most expensive of all cyber claims, business disruption and ransomware were found to be second, according to a cyber claims analysis report. It also found that social engineering fraud is now being used to divert salary payments and fraudulently obtain tax data on employees.
The Insurance Journal states that the average “cyber claim ranges between $15,000 to $25,000 in recovery costs, plus costs associated with the restoration process, reputational damage and potential legal fallout.”
What are the requirements for cyber insurance?
While applying for cyber liability insurance, it is imperative that your organization has implemented crucial policy-readiness procedures. A cyber insurance professional will analyze the current cyber hygiene management of your business to ensure they meet a set of minimum requirements. Here are a few best practices that will ensure you’re ready:
- Implement endpoint detection and response on all network endpoints such as desktops, laptops, mobile phones, tablets and virtual environments.
- Make multifactor authentication mandatory since it effectively prevents threat actors from accessing and exploiting a business network.
- Introduce backup and recovery standards as they significantly reduce business interruption and extortion demands in the event of an attack.
- Have Identity and access management procedures in place to track and control user activity.
- Keep all software up to date.
Why are cyber insurance claims denied?
Insurance companies are becoming less likely to fulfill claims and will look for any loophole to reject your insurance claim. Here are some of the most common reasons cyber insurance claims get rejected:
- Many organizations find it difficult to convince cyber insurance agencies since they lack the expertise to show documented proof.
- Companies simply lack protective cybersecurity measures.
- Not installing proper endpoint detection and response tools is a fast way for a company to get denied.
- Some organizations fail to implement strong security practices within the supply chain.
- Insurance companies may reject a claim if an organization cannot demonstrate they have implemented the necessary safeguards and provided their employees comprehensive training on how to prevent attacks.
Manage cyber insurance policy compliance with Compliance Manager GRC
Compliance Manager GRC helps you manage your cyber liability insurance policy and other IT security requirements all in one place. Whether showing proof of compliance or demonstrating you have given your employees adequate cybersecurity training, Compliance Manager GRC does it all. Request a demo today.