In our tech-savvy world, data breaches, viruses and cybercrimes can cripple a business. While proper cybersecurity software is a crucial first line of defense, even the best programs don't guarantee protection from complex attacks. For extra protection, you may consider taking out a cyber insurance policy for your business. Here's what you need to know about cyber insurance to protect your online assets.
What is cyber insurance?
Data breaches and other cybercrimes can damage a business's reputation and put both customers' and employees' personal information at risk. Breaches can also result in significant fines and legal fees for companies of all sizes. Cyber insurance can help protect against these negative outcomes by covering a business's liability for any data breaches involving sensitive customer information, including credit card data, bank account numbers, health records, driver's license numbers and Social Security numbers.
Cyber insurance can help companies notify customers about data breaches involving their personal information. (This process is mandatory in most states and can quickly become expensive.) Cyber insurance policies also protect businesses against cyberattack damages and help cover the cost of restoring and re-creating any lost or compromised data. Finally, cyber insurance can offer free credit monitoring and public relations services following a data breach and help restore the personal identities and credit history of any affected customers.
Types of cyber insurance
Generally speaking, cyber insurance packages address one of three major issues: risks to the business, liability for claims, and the consequences of those claims. Accordingly, there are three primary categories of cyber insurance, one for each of these issues: first-party liability, third-party liability and general benefits.
First-party liability cyber insurance
A first-party cyber insurance package protects all people directly involved in the data breach or incident. It typically offers coverage to the victim for various issues, including data destruction, extortion, online theft, hacking, and deliberate or accidental denial of service. The package is designed to cover the policyholder's costs for the fees, damages and inconvenience resulting from the incident. These are some common insurance configurations:
- Fraud and theft. You can use a fraud and theft cyber insurance policy to pay for any costs associated with data loss due to theft, fraud or other criminal matters. It can also cover any risks related to funds transfer or crimes of dishonesty.
- Forensic work. This policy can pay for the technical or legal services required for a forensic investigation. In addition, forensic work cyber insurance can cover prospective, concurrent or even retrospective costs.
- Business interruptions. If you can't conduct business as usual because of a cyberattack, business interruption cyber insurance can cover many of the costs, including loss of income.
- Cover for extortion and blackmail. Some cybercriminals extort a business owner under the threat of blackmail, requiring them to pay out the ransom to save their company from further damage. Cyber insurance for extortion and blackmail can help cover these costs and gather evidence about the perpetrators.
- Loss of data and restorative work. This type of policy covers the possibility of data loss and any necessary restoration following that loss. This may include repairing or replacing damaged computers, hardware or software, and recovering lost data and information.
Third-party liability cyber insurance
Third-party liability cyber insurance protects policyholders who offer professional services to other businesses, specifically if those services are susceptible to digital threats. These threats may include errors of commission, errors of omission, data breaches, theft of data or business secrets, and defamation and related negative publicity. These are some common options in liability insurance:
- Litigation coverage. A litigation package covers the costs of any obligations associated with a data breach, including court judgments, lawsuits, penalties and fines.
- Regulatory coverage. This type of coverage is for the costs of forensic and technical services (and any associated fines) mandated by a government agency.
- Communications and notifications. This type of policy covers the full costs associated with notifying employees and clients of a cyberattack.
- Crisis measures and emergencies. In case of an emergency or unexpected event, this type of cyber insurance policy will cover all the necessary costs of overcoming the crisis.
- Credit monitoring and review. This package covers the costs of credit-monitoring services and anti-fraud measures in response to an incident.
- Liability for media issues. In the event of copyright infringement or media issues following an incident, this cyber insurance package covers the associated costs.
- Liability for breach of privacy and confidence. This covers a business's liability for threats to customers' confidentiality, such as hackers gaining access to clients' bank accounts or publishing their account information online.
General benefits cyber insurance
A general benefits package covers various other benefits associated with cyber insurance. These may include structured and planned security audits, post-incident management, public relations initiatives and support, criminal reward funds, and major investigations and reports.
Who needs cyber insurance?
Any company that handles or uses digital information can benefit from extra protection. However, certain business types or activities increase the need for a cyber insurance policy. Organizations that use any online or offline computer system to handle sensitive customer data (such as names, addresses, health information, credit card data and Social Security numbers) should strongly consider purchasing cyber insurance. Businesses in industries with specific standards for customer confidentiality – such as healthcare, education and finance – would also be wise to look into cyber insurance.
The size of a business is also a factor in which type of cyber insurance to purchase. For example, large businesses should opt for a cyber liability insurance package, which broadly covers financial losses due to cyberattacks or other tech risks, as well as any subsequent privacy investigations or lawsuits. This level of protection may not be necessary for small businesses dealing with lower volumes of customer data. Instead, they may consider purchasing data breach insurance, a type of cyber insurance that helps companies respond to the breach in the event of lost or stolen personal information.
However, it is still possible for small businesses to fall victim to a major cyberattack, especially as more and more people work remotely, so a comprehensive cyber insurance package covering both data breaches and attacks is the safest option for most businesses.
On top of investing in cyber insurance, businesses must also take proactive steps to prevent issues from occurring in the first place.
"By taking proactive steps to combat cyberattacks, organizations avoid not only massive breaches but also the consequences of the breach's aftermath," said Grant Burst, product engineer at Wallix. "Spending money and time to invest in proactive cybersecurity solutions has countless benefits for organizations. While most companies don't think their information will ever be compromised, with the increase of breaches in the last few years, it's not a matter of if your company will face a breach, but when."
Burst added that businesses could suffer financial loss, loss of trust and operational downtime if they don't take cybersecurity seriously.
What does cyber insurance cover?
While the exact coverage will depend on the specific policy or type of coverage you seek, cyber insurance can generally protect businesses against the ramifications of a cyberattack or data breach.
In the event of a data breach, cyber insurance can help pay to notify any affected clients or employees and hire a PR firm to mitigate reputational damages. It can also offer credit-monitoring services to victims of the breach, a typically voluntary act that can go a long way in fostering goodwill with your customers.
For businesses that fall victim to a cyberattack, cyber insurance can help cover a variety of fees. These include regulatory fines from state or federal agencies (as well as fees for legal services to help you meet their requirements), lawsuits related to customer or employee privacy and security, the expenses of notifying affected customers, and lost income or paid extortion.
What does cyber insurance not cover?
It's important to understand that cyber insurance does not cover every type of claim. You may need to purchase other types of insurance to ensure appropriate protection for every facet of your business. These are some types of insurance policies that cyber insurance doesn't generally include:
- General liability insurance. Sometimes called business liability insurance or commercial general liability insurance, this type of insurance protects your company against claims of bodily injury and property damage.
- Commercial property insurance. Commercial property insurance is necessary to protect your business's rented or owned facilities and equipment.
- Employment practices liability insurance. Employee claims of harassment, discrimination or wrongful termination are all covered under this type of insurance.
- Professional liability insurance. This helps cover claims of negligence, misrepresentation or inaccurate advice in your professional services.
How much does cyber insurance cost?
As of April 2021, the average cost of cyber insurance in the U.S. is $1,485 per year ($124 per month). However, several factors impact how much your business will pay for coverage. Generally speaking, larger companies pay more than smaller companies because of their increased risk of phishing and social engineering attacks. Organizations in high-risk industries, such as healthcare and higher education, also face higher fees.
The amount and sensitivity of data will also impact the cost of cyber insurance. For example, local businesses with a small customer base will pay less than hospitals with large amounts of sensitive personal and health data. Additionally, companies with higher revenue are seen as higher risks, so they have to pay more for cyber insurance. Businesses can lower these premiums by dedicating resources and efforts to preventing cybercrime, which cyber insurers often reward.
Finally, your coverage limits and deductible will influence the cost of your cyber insurance. Coverage limits typically range from $500,000 to $5 million per occurrence; the higher your coverage limit, the more your business will pay. However, higher deductibles lead to lower premiums (and vice versa).
What should you look for in a cyber insurance company?
In conjunction with other types of insurance, cyber insurance can protect your business when something goes wrong. Buying the proper coverage is well worth the peace of mind that your business has the support to make it through potential cyber disasters.
"Cyber insurance companies should have cybersecurity analysis reports that they send out to their clients," said David Vranicar, managing partner and founder of FBS Fortified & Ballistic Security. "Ask to see past reports. See what the cyber insurance company's responses have been to [past] situations, or at least make sure they've been on top of them … if they're not transparent about that information, they're not for you."
Before signing with any insurance company, carefully look over the contract for situations that allow the insurer not to pay the policy. One particular item to watch out for is "war clauses."
"'War clauses' have caused problems in the past," said Mark Stamford, founder and CEO of OccamSec. "Cyberattacks which are believed to have originated with a nation-state, such as WannaCry, enable insurers to not pay out on policies, since it's considered an act of war. So reading any 'war clause' fine print is crucial, especially given how difficult attribution is for an attack."
Finally, make sure you know how much the policy will pay out, and weigh that against the cost of the insurance.
"There is an old security formula which states the cost you spend to address something should be less than the cost you will incur if the event happens," Stamford said. "So, if your cyber insurance policy is going to cost you $50,000, but your maximum loss is (you believe) $25,000, then don't do it."
However, Stamford warns that estimating the maximum loss from a cyber breach is difficult. The potential loss in time, money and consumer trust may be so great that your business will never be the same again.