Buying cyber insurance can be daunting. And, renewing it at higher rates each year is no picnic either. Not only is there a lot of industry terminology, but understanding your coverages and how your company’s cybersecurity practices factor into the underwriting of your policy can be overwhelming. Here are some of the things that you should keep in mind.
Every company should assume that it is being actively targeted by bad actors. No business, whatever its size or industry, is spared from attacks. The time when one could "roll the dice" and hope not to get hit has long since passed. If you are not employing a proactive strategy that includes proper coverage for cybersecurity incidents, you are not practicing proper business hygiene.
Understanding the size of the threat is essential. Just as essential is understanding the scope and scale of the consequences if you do fall victim to a ransomware attack or data breach. Estimating the damage done to your bottom line, to the stability of your business operations, and to your public reputation is important. Those estimates help you later determine what coverage levels you need to pursue.
Below are the startling costs associated with an average ransomware attack.
Average ransomware cost: $732,520. This figure includes:
- System Repairs
- Legal Services
- Security Firm
- Lost Revenue
- Fines and Client Losses
- Public Relations and Communication
Last but not least, consider that a cyber event can result from an outright attack or from an unexpected accident. Imagine the damage if your office was flooded, exposed to a fire, or simply facing a power outage. You may find yourself in the midst of a digital emergency but be without assistance because your policy only covers attacks.
Why You Need Cyber Insurance
You mainly buy cyber insurance for two reasons: to meet contractual and compliance requirements and to have a safety net in place in case of a data breach and/or productivity interruption.
If you are trying to meet a contractual and/or compliance requirement, you are probably just looking for a policy that meets your potential client's or partner's requirements and comparing prices. Cyber insurance can also play a role in regulatory compliance. One thing to consider in this case is whether your partner requires you to list them as an additional insured on your policy and whether they request a waiver of subrogation, as these options may impact your premiums.
If you are trying to protect your business from the potential financial ruin of a data breach, you are probably focusing more on the coverages to make sure that they are comprehensive. You will also want to evaluate optional coverages to see if they are applicable to your specific business risks.
Evaluate Your Risk
Insurance premiums are typically priced based on your risk. It is important to evaluate your cyber risk profile ahead of time to understand where your gaps lie. That way you can implement stronger cybersecurity measures to reduce your risk and lower your insurance costs. These are some of the questions you should be asking yourself as you evaluate the risks your company faces:
- Does your company collect or handle sensitive information like payment card information (PCI), personally identifiable information (PII), or protected health information (PHI)?
The more sensitive and regulated data you collect, the more at risk your company is. It is important to have strong, holistic risk management in place. And of course, depending on your industry, you may have certain compliance requirements that call for a discussion with your broker about coverage.
- Is your client/customer information safe and secure?
Make sure that you follow best practices in regard to encryption, data storage, backup, and retention, and that access is granted on a least-privilege basis and secured appropriately.
- Does your business rely heavily on confidentiality?
Law offices and healthcare organizations rely heavily on confidentiality and collect and store a significant amount of sensitive data, making them prime targets for cyber-attacks.
- Do you have a website or a web application that interacts with clients and customers and stores login or other sensitive data?
Web-based attacks are extremely common. Regularly scan your website and web applications for weaknesses that hackers exploit. You can do this with an automated web vulnerability scanner.
- What third-party vendors do you use, and how much access do they have to your IT infrastructure and customer data?
You should hold your third parties to the same cybersecurity standards as your own organization, because you are exposed to the same threats they are exposed to. You might want to find coverage for mistakes made by third parties, as well as contractually require them to carry their own cyber insurance.
- Do you allow your employees to bring their own devices?
If you do, you should have a BYOD policy in place and use a mobile device management solution. You should also train your employees on best practices when using personal devices for company purposes.
What is Your Budget?
How much can you spend on your premium? But even beyond that, do you have a rainy-day fund that can help you cover the cost of a security incident? The average cost of a data breach is over $150 per stolen record. Will your coverage limit be able to cover enough of the costs so that your financial burden is lessened?
If your coverage limit is appropriate, what can you or are you willing to pay for your deductible? This is similar to how you would evaluate an auto insurance policy. If you get into a car accident, are you comfortable paying the $1000 deductible before your insurance policy kicks in or would you rather pay more on your premium for a $250 deductible?
How Does Your Policy Activate and When?
Read through the terms, conditions, and exclusions of your policy carefully before you purchase. For example, what kind of triggers are there for coverage? A policy could focus on specific types of attacks or accidents rather than offering blanket coverage. This means that you would not qualify for coverage unless you met those triggers.
Are there any exclusions to your coverage that pertain to your business practices? For example, some policies may exclude coverage for incidents that occur due to BYODs. If you allow employees to bring their own devices, then a policy with a BYOD exclusion will not be appropriate for your organization.
Make Sure Your Policy Includes the Coverages You Need
You should seek insurance coverages based on your specific business needs. For example, if you must comply with the Payment Card Industry Data Security Standard (PCI DSS), you should find a policy that helps cover PCI fines and penalties.
Examples of cyber insurance coverages include, but are not limited to:
- Business Interruption and Extortion: Cybercrimes and attacks could impact the day-to-day operations of your business, resulting in lost revenue. With this coverage, your policy covers loss of business, crisis management, and cyber extortion.
- Client and Employee Data Loss: Coverage areas include identity recovery, data compromise liability, and data compromise response expenses like fines and penalties.
- Third-Party Lawsuits: If your network is negatively affected by a security incident and it impacts a third party, then your policy will cover potential lawsuits.
- Payment Fraud: If you or your employees get deceived and end up transferring or diverting money to a fraudulent destination, then this covers funds lost in those scenarios.
Key Elements of Cyber Insurance Coverage
There are several key elements of cyber insurance coverage that most businesses need. These essential coverages include:
- Forensic Expenses: Forensic expenses include costs incurred for investigating, isolating, and eliminating a threat. This coverage pays for hiring an IT professional to review your systems and backups and determine the size and scope of a data breach. Forensic expenses can also include the cost of hiring a forensic accountant to determine the expenses that were incurred and the cost of business interruptions.
- Legal Expenses: Legal expenses may include defense and settlement costs for defending against a lawsuit brought by your customers as a result of a data breach.
- Notification Expenses: Some regulations, such as PCI DSS, require companies to notify consumers affected by a data breach. Notification expenses include the costs associated with notifying consumers that their data may have been compromised in a data breach.
- Regulatory Fines and Penalties: If your business is subject to regulations such as PCI DSS, cyber insurance can cover the cost of regulatory fines if regulators determine that your business failed to adequately protect sensitive consumer data.
- Credit Monitoring and ID Theft Repair: Credit monitoring and ID theft repair includes costs associated with recovering from identity theft and can also include costs such as lost wages and child and elder care incurred while dealing with identity theft. If your company suffers a data breach and offers credit monitoring services to affected consumers, cyber insurance can cover the costs of credit monitoring services, as well.
- Public Relations Expenses: A data breach can result in serious reputation damage for your business. Consumers may be less likely to want to do business with you if you have suffered a high-profile data breach or had to notify consumers that their data may have been compromised in a cyberattack. Cyber insurance covers the costs associated with hiring a public relations firm to protect your company’s reputation following a data breach as well as the costs associated with implementing any of the PR firm’s recommendations.
- Liability and Defense Costs: Liability and defense costs include coverage for losses and the cost of defense for lawsuits related to network security liability, such as negligent security failures or weaknesses that enable malware to spread, denial of service attacks, and unintended disclosure, release, or loss of third-party data. It also includes electronic media liability, such as copyright or trademark infringement, privacy rights violations, unintended defamation, and the interference of an entity’s right to publicity.
Other Areas of Coverage Need
In addition to the key elements of cyber insurance coverage listed above, businesses in the market for cyber insurance should consider whether they require coverage in other areas such as:
- Network Security: Coverage for network security costs, including hardware and software, as well as network security liability and network security defense.
- Incident Response: Coverage for the costs incurred for incident response in the wake of a data breach.
- Insurance for Lost or Stolen Laptops and Mobile Devices: Coverage for the cost of replacing lost or stolen laptops or mobile devices.
- Business Interruption: Coverage for costs incurred due to business interruption as a result of a cyber event, such as an inability to provide services for a period of time when you are unable to access your systems or data due to a ransomware attack.
- Cyber Extortion: Coverage for types of cyber extortion like ransomware. This can include the cost of hiring a negotiator and investigators and even the ransom payment.
Questions to Ask Your Potential Provider
- What types of incidents are covered? For instance, does your provider cover unintentional and non-malicious attacks?
- What are the deductibles? In this area, cyber insurance works similarly to health, vehicle, or home insurance.
- Exactly how do coverage and limits apply to first and third parties? For instance, do legal costs cover your business liabilities only, or are your customers covered, too?
- What are the timeframes within which you are covered? Some cyber-attacks are not discovered for years. Are you covered for a specific number of years down the line?
- Are any third-party vendors, suppliers, and business associates you do business with covered?
- What is excluded from the policy, e.g., BYODs?
- Does the policy cover you globally? For instance, it may exclude data theft or loss that occurs outside national borders.
- What kind of response time can you expect in the event of a data breach?
- Will your cyber insurance provider increase your premiums or even cancel your policy if you ever have to make a claim?
- Will you get a discount if you employ a program like R-Security with endpoint and e-mail protection as well as 24/7 monitoring with AI tools and a live Security Operations Center (SOC)?
- What are your responsibilities in this relationship, e.g., auditing or compliance obligations?
While insurers themselves will not help you safeguard your data, abiding by the terms of your policy can help you minimize security risks.
Cyber insurance is the best safety net for organizations should they experience a data breach. It transfers some of your risks to your insurance provider. However, cyber insurance is still a passive defense. It should complement a strong cybersecurity posture and program. River Run’s R-Security employs the proper tools and experts that proactively keep watch over your network and data 24/7/365.
In the end, you will want to choose an insurance provider that grows with you and allows you to update your limits based on your needs. They should act as a partner in protecting you, your employees, and those you serve.