Comprehensive Guide to Cyber Insurance
Updated May 2023
“We’ve had a cyberattack.” The thought of hearing that sentence keeps technology leaders up at night. And for good reason. Cyberattacks are costly and can harm your company’s network and your reputation as well. If you think your company is too small to fall victim to a cyber- or ransomware attack, you’re wrong. Companies of every size and industry that store or transfer data are at risk – it’s not just the big guys like Accenture and Apple.
According to estimates, an average of 30,000 websites are hacked every day. In fact, a company falls victim to a cyberattack every 39 seconds, and more than 64% of organizations globally have experienced at least one form of cyberattack. To protect yourself against cybersecurity threats, you need to have various tools and a skilled and knowledgeable team in place. You never want to rely on a cyber insurance policy, but it’s something most of us have to have (along with the hope that you never need to use it).
What is cyber insurance, and why does it matter?
Cyber insurance is a separate business policy protecting companies from web-based incidents like data breaches, ransomware, and phishing. If you have a few cybersecurity-related clauses in a standard commercial liability policy, that’s not enough. You need a standalone cyber insurance policy with coverage amounts high enough to fully protect your company against any potential cyber threat. Here’s why:
The average cost of a data breach rose from $4.24 million in 2021 to $4.35 million in 2022, according to IBM’s 2022 Cost of Data Breach Report. Costs are even higher for companies with compliance failures when you factor in fines, penalties, and litigation costs or awards. Cost is a relative concept, though, and a data breach can be much harder for a small- or mid-sized company to absorb.
In 2022, it took 207 days to identify a breach and an average of 70 days to contain a breach, for a total lifecycle of 277 days. As IBM explains in its 2022 Cost of Data Breach Report, if you have a breach in January and take the entire lifecycle to resolve, your risk wouldn’t be contained until mid-October.
Even if your timeline is shorter than this, you’d still need to focus on data breach resolution (rather than running your business) for a significant period of time.
What’s covered under a cyber insurance policy?
Cyber insurance policies protect you against two costs. The first is the direct expenses you incur to recover from a cyberattack (first-party coverage). The second is protection against the potential cost of lawsuits or settlements (third-party coverage).
Our partners at Christensen Group Insurance explain the difference in this way:
- First-Party Coverage: This covers any costs directly incurred by the insured, such as data destruction, extortion, and business interruptions caused by the attack.
- Third-Party Coverage: This protects companies from lawsuits and helps compensate the victims of breached data, defamation, and other cyber security cases.
How to decide if you need cyber insurance
Many small-to-medium-sized businesses don’t have IT experts on staff, let alone experts in data security. Yet these same companies store or transfer what’s called personal identifying information (PII). This is the type of cyber data thieves are after. So, if you’re using PII of any kind, you need cyber insurance. Period.
If you don’t have the on-staff expertise to address this challenge, working with an outside partner that’s knowledgeable and experienced in this space can mean the difference between succeeding or failing to defend yourself against potential attacks.
What’s required of companies that carry cyber insurance?
Most insurance brokers say it’s better to prevent a data breach than to rely on a cyber insurance policy. As such, many insurance companies now require companies to have specific data security protocols in place to qualify for cyber insurance.
The exact requirements will vary by the insurance company, but these measures are standard:
- Firewalls that keep your network from being exposed
- Multi-factor or two-factor authentication that prevents automated attacks
- Anti-virus or malware detection that identifies malicious code
- Endpoint detection and response (EDR) tools that help you quickly detect unusual network activity
- Established backup protocols that ensure you have data access
- Recovery plan that helps you quickly respond to any network disruption
Related reading: How to layer your cybersecurity
Strategies to strengthen your data security (so you’ll never need your cyber insurance)
Even with a cyber insurance policy in place, you still want to adhere to best practices and strong cyber security protocols, including:
- Testing your backups and creating an air gap (keeping your computers or networks separated from one another)
- Encrypting your data and backing it up to a cloud service
- Auto-saving your data to an encrypted hard drive that is not connected to a network. Hackers typically try to delete your online backup efforts, but it’s much more difficult for them to access your offline hard drive.
- Adopting a zero-trust security architecture
- Educating your employees about cyber-related risks and testing them continually to reinforce best practices. (E.g., verifying new fund transfer requests by phone using contact information not sent by email)
- Creating an Incident Response Plan and keeping a printed copy available for a worst-case scenario. (Be sure to include the cyber insurance company’s hotline number.)
- Using the Risk Management Services offered by your cyber insurance carrier and your broker
- Following a security framework, like CIS and NIST, that evolves and keeps pace with emerging threats and technologies.
How to purchase cyber insurance
Feeling a little unsure of how to proceed? We understand. Your first and most crucial step is to find a cyber insurance broker to learn how much coverage you need.
One word of caution: Some companies claim to provide the one solution that will do it all. It’s best to check with your agent to understand how much coverage you need and exactly what is covered.
We have a partnership with Christensen Group Insurance and are happy to make an introduction to their team.
Related reading: Investing in prevention: Is your cybersecurity insurance up to the task?
Ready to get serious about data security?
Since 2020, ransomware attacks have increased by 85%; that’s why we’re so passionate about cybersecurity and are huge advocates for cyber insurance.
If there’s anything we’ve learned in our 30 years as industry leaders, it’s that cybersecurity is a journey without a finish line. Security needs and strategies are constantly evolving, and your managed service provider or IT team needs to evolve, too.
Our experience places us ahead of the curve regarding cybersecurity services. When you partner with a qualified managed security services provider like us, you can rest easy knowing that our proactive focus on security will protect your network and reduce the risk for your business.