When it comes to cyber security, we all live on a digital flood plain. Every organization is under threat of digital hurricanes and cyber tornadoes. So, it makes sense to consider insurance—cyber insurance.
What does cyber insurance do? For small and medium-sized businesses, it can be the difference between life and death. Here’s how CoAdvantage describes it: “To put it bluntly, cyber liability insurance helps you not lose your business in the event of a security breach. According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year, and of those businesses 60 percent will fold within six months of an attack.”
Do I Really Need It? (Yes)
Do you need cyber insurance? Basically, if you use a computer to run your business, the answer is likely yes. It does no good to think “I’m too small. Who would be interested in me?” This is because hackers and other bad actors use automated tools to search networks looking for unpatched software and other vulnerabilities. Attacks can be launched automatically, which makes even the smallest of businesses potential targets.
Organizations from the smallest to the largest are susceptible to the full spectrum of cyber attacks, with the most common being ransomware, fraudulent transfer of funds, and theft of data and intellectual property. The cost of cyber breaches is astounding, with The CPA Journal predicting cybercrime damages will reach $6 trillion this year, which “will represent approximately 7% of worldwide GDP and will be the third largest component of the world economy, just behind the GDPs of the United States and China.”
Depending upon the policy you purchase, cyber insurance can help cover direct costs such as stolen funds, lost business income, and remediation expenses. Policies can also cover third-party costs, regulatory defense expenses, as well as liability for damages suffered by clients. Some policies will also cover the cost of hiring a PR agency and taking other measures to try to recover from the reputational damage caused by data breaches.
Cyber Insurance Pricing
Policy pricing is based on a number of factors, including annual revenue, number of employees, number of locations, amount of data and type of data, especially when considering personally identifiable information. But for a ballpark look, for a small business, AdvisorSmith conducted a study using quote estimates and rate filings from over 43 insurance companies nationwide and found premiums ranging from $650 to $2,357 for cyber insurance, based upon companies with moderate risks. These premiums were based upon liability limits of $1,000,000 with a $10,000 deductible, and $1,000,000 in company revenue. The average cost of cyber insurance was estimated at $1,485 per year in the U.S.
“Insurance companies will take into account the nature of your business, the number of sensitive employee and customer records you store, whether your business stores credit card and banking information on your customers, and the types of security defenses your company has undertaken,” the AdvisorSmith study noted. “Additionally, if your company has a history of cyber insurance claims or if it has been attacked or hacked in the past, your premiums may be higher.”
What Might Not Be Covered
Limitations will vary from one insurer and one policy to another, but generally speaking most will not cover what could be one of the greatest—though most difficult to quantify—losses, which is theft of intellectual property. Typically, policies also won’t cover future losses from reputational damage.
Perhaps the most interesting—and potentially most controversial—limitation comes with clauses excepting coverage for “acts of cyber warfare.” Since many cyber attacks against government agencies, and the private sector, can be traced to state actors, there may be nuanced definitions to deal with as far as what is and what isn’t considered cyber warfare.
To protect yourself, and to ensure that the small print doesn’t take away what the large print promises, Help Net Security suggests you carefully vet an insurer before signing on with them, and provides this list of questions as a guide:
- Is the insurer well established in cyber insurance?
- Do they have global reach?
- Do they have internal cyber claims capabilities or is everything outsourced to a third party or law firm to triage?
- Is cryptocurrency kept on hand to ensure a timely ransom can be paid if the insured makes that decision?
- What process does the firm have for checking sanctions to determine whether the attacker is a sanctioned entity?
Responsibility Remains with You
Cyber insurance—like car insurance or life insurance—is something best left unused, unneeded. The best pragmatic insurance is to have a solid security practice protecting your digital resources around the clock. In fact, your rates may very well depend upon the security profile you can document for prospective insurers.
“Many insurers will request certain practices are implemented to ensure cyber risks are decreased for both your business and the insurer,” writes EINSURANCE. “Insurers may ask your business to implement the following: Designate a Chief Security Officer, implement a cybersecurity policy, apply a firewall, install anti-virus on all of your firm’s machines, and use intrusion detection software to prevent unauthorized access.”
Add to that a robust backup system, including offsite storage immune to ransomware and other attacks, and 24×7 security management. The good news is that if you don’t have such talent on staff, you can find such industry-leading defenses with a solid Security Management Provider.
Clinton A. Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. Pownall serves on several boards and committees, has a strong affiliation with various education groups and local school districts, and served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He serves as a Vice President of the Board of Directors for the Orlando Shakes Theater and is heavily involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce and the Orlando Economic Partnership.