In our tech-savvy world, data breaches, viruses and cybercrimes can cripple a business. While proper cybersecurity software is a crucial first line of defense, even the best programs don’t guarantee protection from complex attacks. For extra protection, you may consider taking out a cyber insurance policy for your business. Here’s what you need to know about cyber insurance to protect your online assets.
Data breaches and other cybercrimes can damage a business’s reputation and put both customers’ and employees’ personal information at risk. Breaches can also result in significant fines and legal fees for companies of all sizes. Cyber insurance can help protect against these negative outcomes by covering a business’s liability for any data breaches involving sensitive customer information, including credit card data, bank account numbers, health records, driver’s license numbers and Social Security numbers.
Cyber insurance can help companies notify customers about data breaches involving their personal information. (This process is mandatory in most states and can quickly become expensive.) Cyber insurance policies also protect businesses against cyberattack damages and help cover the cost of restoring and re-creating any lost or compromised data. Finally, cyber insurance can offer free credit monitoring and public relations services following a data breach and help restore the personal identities and credit history of any affected customers.
Becoming the victim of a cyberattack can be expensive. Cyber insurance helps businesses recover after being targeted by hackers or other malicious actors.
Generally speaking, cyber insurance packages cover one of three major issues: risks to the business, liability for claims and any consequences of those claims. As such, there are three primary categories of cyber insurance, each covering one of these issues: first-party liability, third-party liability and general benefits.
A first-party cyber insurance package protects all people directly involved in the data breach or incident. It typically offers coverage to the victim for various issues, including data destruction, extortion, online theft, hacking, and deliberate or accidental denial of service. The package is designed to cover the policyholder’s costs for the fees, damages and inconvenience resulting from the incident. These are some common insurance configurations:
Third-party liability cyber insurance protects policyholders who offer professional services to other businesses, specifically if those services are susceptible to digital threats. These may include errors of commission, errors of omission, data breaches, data theft or business secrets, and defamation and related negative publicity. These are some common options in liability insurance:
Cyber insurance should match the needs of your business, so consider which circumstances are most likely to affect you before choosing a particular type of cyber insurance policy.
A general benefits package covers various other benefits associated with cyber insurance. These may include structured and planned security audits, post-incident management, public relations initiatives and support, criminal reward funds, and major investigations and reports.
Any company that handles or uses digital information can benefit from extra protection. However, certain business types or activities increase the need for a cyber insurance policy. Organizations that use any online or offline computer system to handle sensitive customer data (such as names, addresses, health information, credit card data and Social Security numbers) should strongly consider purchasing cyber insurance. Businesses in industries with specific standards for customer confidentiality – such as healthcare, education and finance – would also be wise to look into cyber insurance.
The size of a business is also a factor in which type of cyber insurance to purchase. For example, large businesses should opt for a cyber liability insurance package, which broadly covers financial losses due to cyberattacks or other tech risks, as well as any subsequent privacy investigations or lawsuits. This level of protection may not be necessary for small businesses dealing with lower volumes of customer data. Instead, they may consider purchasing data breach insurance, a type of cyber insurance that helps companies respond to the breach in the event of lost or stolen personal information.
However, it is still possible for small businesses to fall victim to a major cyberattack, especially as more and more people work remotely, so a comprehensive cyber insurance package covering both data breaches and attacks is the safest option for most businesses.
On top of investing in cyber insurance, businesses must also take proactive steps to prevent issues from occurring in the first place.
“By taking proactive steps to combat cyberattacks, organizations avoid not only massive breaches but also the consequences of the breach’s aftermath,” said Grant Burst, product engineer at Wallix. “Spending money and time to invest in proactive cybersecurity solutions has countless benefits for organizations. While most companies don’t think their information will ever be compromised, with the increase of breaches in the last few years, it’s not a matter of if your company will face a breach, but when.”
Burst added that businesses could suffer financial loss, loss of trust and operational downtime if they don’t take cybersecurity seriously.
Small businesses are not immune to cyberattacks just because of their size. In fact, cyberattackers know small businesses tend to have less sophisticated cybersecurity measures in place, making them attractive targets.
While the exact coverage will depend on the specific policy or type of coverage you seek, cyber insurance can generally protect businesses against the ramifications of a cyberattack or data breach.
In the event of a data breach, cyber insurance can help pay to notify any affected clients or employees and hire a PR firm to mitigate reputational damages. It can also offer credit-monitoring services to victims of the breach, a typically voluntary act that can go a long way in fostering goodwill with your customers.
For businesses that fall victim to a cyberattack, cyber insurance can help cover a variety of fees. These include regulatory fines from state or federal agencies (as well as fees for legal services to help you meet their requirements), lawsuits related to customer or employee privacy and security, the expenses of notifying affected customers, and lost income or paid extortion.
It’s important to understand that cyber insurance does not cover every type of claim. You may need to purchase other types of insurance to ensure appropriate protection for every facet of your business. These are some types of insurance policies that cyber insurance doesn’t generally include:
As of April 2021, the average cost of cyber insurance in the U.S. is $1,485 per year ($124 per month). However, several factors impact how much your business will pay for coverage. Generally speaking, larger companies pay more than smaller companies because of their increased risk of phishing and social engineering attacks. Organizations in high-risk industries, such as healthcare and higher education, also face higher fees.
The amount and sensitivity of data will also impact the cost of cyber insurance. For example, local businesses with a small customer base will pay less than hospitals with large amounts of sensitive personal and health data. Additionally, companies with higher revenue are seen as higher risks, so they have to pay more for cyber insurance. Businesses can lower these premiums by dedicating resources and efforts to preventing cybercrime, which cyber insurers often reward.
Finally, your coverage limits and deductible will influence the cost of your cyber insurance. Coverage limits typically range from $500,000 to $5 million per occurrence; the higher your coverage limit, the more your business will pay. However, higher deductibles lead to lower premiums (and vice versa).
In conjunction with other types of insurance, cyber insurance can protect your business when something goes wrong. Buying the proper coverage is well worth the peace of mind that your business has the support to make it through potential cyber disasters.
“Cyber insurance companies should have cybersecurity analysis reports that they send out to their clients,” said David Vranicar, managing partner and founder of FBS Fortified & Ballistic Security. “Ask to see past reports. See what the cyber insurance company’s responses have been to [past] situations, or at least make sure they’ve been on top of them … if they’re not transparent about that information, they’re not for you.”
Before signing with any insurance company, carefully look over the contract for situations that allow the insurer not to pay out on the policy. One particular item to watch out for is “war clauses.”
“‘War clauses’ have caused problems in the past,” said Mark Stamford, founder and CEO of OccamSec. “Cyberattacks which are believed to have originated with a nation-state, such as WannaCry, enable insurers to not pay out on policies, since it’s considered an act of war. So reading any ‘war clause’ fine print is crucial, especially given how difficult attribution is for an attack.”
Finally, make sure you know how much the policy will pay out, and weigh that against the cost of the insurance.
“There is an old security formula which states the cost you spend to address something should be less than the cost you will incur if the event happens,” Stamford said. “So, if your cyber insurance policy is going to cost you $50,000, but your maximum loss is (you believe) $25,000, then don’t do it.”
However, Stamford warns that estimating the maximum loss from a cyber breach is difficult. The potential loss in time, money and consumer trust may be so great that your business will never be the same again.