Part of the responsibility of being a leader in risk management or cybersecurity isn’t just to prevent an attack, it’s to minimize damage and mitigate the extent of an attack if a compromise ends up happening. And that mentality should be adopted by all.
Data breaches are an inevitability, and if you’re solely focused on prevention, you may be in for a rude surprise. In 2021, nearly 50% of all companies suffered a data breach, which was actually a reduction from 2019, where 65% of companies suffered a data breach. With those odds, you’re better off having a plan when a data breach happens.
One way organizations have been able to reduce financial damage is through cyber insurance.
In this article, we’re going to go through what cyber insurance is, whether you need it, and what you can expect from having it.
Cyber Insurance coverage details
Cyber Insurance generally covers liability that stems from data breaches and related attacks and can also cover costs associated with forensic analysis, investigations, and other expenses that result from the data breach. While all cyber insurance policies differ, what they cover (and don’t cover) are generally consistent.
What does cyber insurance cover?
Some cyber insurance coverage can also provide financial assistance if you’re providing a service, such as ID theft protection to victims. Cyber insurance is also designed to cover financial losses that can result from specific types of attacks such as Business Email Compromise (BEC) or ransomware attacks. This, alongside coverage for investigation and other related expenses is referred to as first party coverage.
Liability coverage refers to costs associated with any damages levied on a company for failure to properly secure their data or organization. This can come into play if the affected company is sued for leaking customer data, for example.
When shopping for policies, make sure you’re noting what first party and liability coverage you have — ideally you’d have both.
What doesn’t cyber insurance cover
Cyber insurance doesn’t cover any financial damage or losses incurred due to reputational damage. So, for example, if a company’s data breach leads to a material impact on a company’s revenue (or sales), cyber insurance won’t cover it. Cyber insurance also won’t cover any IP loss, so if a company succumbs to an APT attack where trade secrets are stolen, they’re on the hook for all recovery.
State-sponsored or nation-state attacks may be covered, especially if the attack falls within the covered cases listed above. However, there was one instance where a cyber insurance provider did not pay out after a NotPetya ransomware attack. Because NotPetya is a Russian-sponsored hacker group, the insurance company considered the attack an act of war and refused to pay out.
What to know before you purchase cyber insurance
Here are a couple of starting points to consider if you think your organization should consider cyber insurance.
How do you know if you need cyber insurance?
Most companies can benefit from cyber insurance but the decision to get coverage depends on budget and how you’re willing to spend the budget to ready your organization against attacks. Businesses that don’t have many resources to build a security department or devote their resources to bring on helpful vendors or tools may be best served by cyber insurance.
However, companies who have identified a priority to maintain uptime even in the face of an attack may want to leverage their resources to build up their security posture so they can react quickly and swiftly. In this case, while cyber insurance may be able to offset some costs, it won’t help in the actual recovery process, which can be an issue if business interruption is a critical risk.
For most organizations, they’ll likely find themselves somewhere in the middle of the two cases outlined above, making it a cost-benefit decision that requires considering an organization’s needs.
Is cyber insurance worth it?
According to AdvisorSmith, the average cost of cyber insurance is around $1,500 a year for a $1M policy (with a 10,000 deductible), which sounds worth it. However, because this is an average figure and the US has way more small businesses than large ones, it skews towards small businesses.
For larger enterprises and corporations, you’ll likely see an increased cost for the following reasons
- Annual recurring revenue - This figure is taken into consideration when pricing cyber insurance policies. The higher the figure, the higher the cost.
- Number of employees - Because phishing, social engineering, insider attacks, and other attacks commonly involve a company’s employees, a large employee base also means a larger risk.
- Industry - Some industries are much more at risk for cyber attacks than others. If your company is in a high-risk industry, expect that cyber insurance price to jump.
- Data and assets - The more data you’re responsible for, the more you may have to pay in order to cover the data. And if you’re housing particularly sensitive data, such as PII or health data, your insurance may go up because of the sensitive nature of that data.
- Security posture - A cyber insurance policy provider will look at what you’ve done to protect your organization against attacks. If your only investment in security is cyber insurance, your cost of coverage will be higher compared to a similar organization who has detection and response tools, has employed security professionals, and has made other efforts to keep their organization secure.
- Type of coverage - Lastly, the cost of coverage will change based on the type (and length) of that coverage. As you’re shopping around, make sure you know how the other factors affect the price of the coverage you’d ideally want to have.
Cyber Insurance should be part of an overall cybersecurity strategy
Unfortunately, because of the huge spike in cyber attacks (particularly ransomware attacks) since COVID, cyber insurance costs and premiums have increased dramatically, around 30%. This makes it even more difficult to ensure that cyber insurance is the right move for most organizations.
We think cyber insurance is best suited for small businesses who don’t have much of an option to invest heavily in their cybersecurity and who can withstand the time it takes to recover from an attack.
For larger organizations who need to be up and running even if they’re hit with an attack, cyber insurance should be considered as part of an overall cybersecurity strategy. If an enterprise just opts for cyber insurance, they’re not properly protecting their organization and we argue that the high cost may be best used in other ways, especially if other actions will bring down the cost of cyber insurance.
The financial support cyber insurance provides can be extremely helpful and should be taken into account as organizations consider the types of tools and vendors they’d like to work with.
To learn how an extended endpoint detection and response tool can provide comprehensive protection and proactive defense for an organization, check out Bitdefender’s XEDR tool.