While organizational compliance and security programs are becoming increasingly robust and sophisticated, cybersecurity incidents are unavoidable in today’s digital landscape. In our 2022 IT Compliance Benchmark Report, 63% of respondents reported that they experienced a data breach that led to the disclosure of regulated data — such as protected health information or other sensitive data — in the last 24 months. These incidents proved costly for most organizations, as 44% of companies that reported a data breach claimed a loss between $1M and 5M.
Controls-focused cyber governance and a deep understanding of your company’s security posture are helpful when it comes to mitigating cybersecurity incidents. Still for some, this hasn’t been enough — this is where cyber insurance enters the discussion.
Cyber insurance isn’t new (the first policies were developed in the 1990s), but the continued rise in security attacks has made this type of coverage even more relevant. Additionally, many businesses now require that any vendor they consider working with has an active cyber insurance policy. Increased demand for cyber insurance policies and the rise in claims have prompted providers to reevaluate their practices, making it more complicated and expensive for organizations to get coverage.
Whether your company acquires a cyber insurance policy is a decision that requires careful consideration. Because of this, it’s essential to understand what cyber insurance covers, what it doesn’t cover, how much it might cost, and what you can preemptively do to improve your chances of obtaining a policy.
What is Cyber Insurance?
Cyber insurance, also called cyber liability insurance, is the coverage an organization can acquire to protect against losses incurred by a data breach or other malicious security incidents. Losses due to such an event can include personal customer data, compromised company hardware or software, financial losses, and others.
What is the Difference Between First-Party and Third-Party Coverage?
Most companies that need cyber insurance will opt for first-party coverage. However, in some cases, third-party coverage will be a better fit or could even be used in addition to a first-party policy.
This refers to a policy that will cover the expenses an organization could incur due to a security incident. Meaning, this type of coverage protects the company directly affected by an attack.
On the other hand, third-party coverage is mainly targeted at organizations that offer professional services to other companies. If a third-party services provider that has access to a client’s data or network suffers a security incident, it puts their client at risk. Third-party cyber insurance protects companies who offer professional services against potential legal action from client organizations due to a data breach or another form of attack.
In this article, we will primarily discuss first-party cyber insurance.
What Does Cyber Insurance Cover?
Cyber insurance coverage is subjective and will differ from policy to policy. This said, these policies typically cover the following organizational liabilities when a data breach occurs:
- Customer outreach — When an incident happens, you need to notify any customers that may have been affected by the breach in a timely manner. Depending on the scale of the attack and the number of customers involved, this outreach could require a massive amount of company time and financial resources.
- Data recovery services cost — If data is stolen or lost, hire a data recovery professional or team to recover lost customer or employee data, such as social security numbers, driver’s license numbers, credit card information, and/or personal records (health, legal, etc.).
- Damage to company software or hardware — Computers (and other hardware) are no longer the sole target of security attacks. Now, companies also need to consider what software platforms could be compromised and the costs of fixing that software.
- Financial loss due to business interruption — Should a security incident lead to a halt in company operations, cyber insurance will cover money lost due to lost business. This can include lost wages resulting from employees being unable to work while systems are down.
- Ransomware demands — When an organization suffers a ransomware attack and subsequently has to pay ransom demands, their insurance policy might reimburse the ransom payment. To secure ransomware attack coverage, you may need to acquire a dedicated policy or ensure it is specifically written into your cyber insurance policy.
What is Not Covered by Cyber Liability Insurance?
As with what is covered by cyber insurance, what is not covered can differ depending on your policy. However, the following items are typically not covered by cyber insurance:
- System upgrades — this refers to any additional security protections an organization chooses to purchase to mitigate or prevent potential future attacks.
- Future financial losses — this refers to the potential revenue an organization may lose in the future due to reputational damage that resulted from an attack.
- Decreased valuation — this refers to a drop in an organization’s valuation (in the eyes of financial analysts) that happens after a data breach. For instance, if an investigator finds that an attack occurred due to the company’s negligence or a poor response to an attack, the company’s valuation could fall.
How Much Does Cyber Insurance Cost?
According to insurance provider Progressive, the annual cost of cyber insurance can range from $500 to more than $5,000. The following factors are considered when determining cyber insurance rates:
- Company size
- Company revenue
- Company industry
- Level of coverage required
- Who has access to what data
- Level of network security
- Previous claims made
Cyber Liability Insurance Deductibles
A deductible refers to the amount an organization will have to pay out of pocket when a cybersecurity incident occurs before the cyber insurance policy will cover the costs. The deductible amount should be taken into consideration when evaluating cyber insurance costs. Similar to other types of insurance, the deductible tied to a cyber insurance policy is variable and will depend on company needs. For example, a higher deductible equals lower monthly premiums, and vice versa.
The following table created by AdvisorSmith is a good representation of how cyber insurance premiums and deductibles can vary based on the level of coverage required:
*From AdvisorSmith: This table was created based on quotes and rate filings from major insurance companies in Connecticut. Actual premium prices would vary depending upon the type of business, location, and claims history.
Tips for Obtaining a Cyber Insurance Policy
As organizations face an increasing number of cyber attacks, filed claims have also gone up dramatically. In response, insurance companies have implemented more stringent eligibility criteria and increased rates dramatically. Organizations in particularly high-risk industries — those that store large amounts of sensitive data and those that process payment — have been hit especially hard by stricter requirements and increased pricing.
With this in mind, there are a few steps an organization can take to raise its chances of qualifying for a reasonable cyber insurance policy:
- Invest in a high level of network security: As mentioned before, insurance companies will consider a client organization’s level of network security when determining the rates. Considering this, companies ought to invest in network security by taking measures such as: implementing company-wide multi-factor authentication (MFA), purchasing a robust firewall, and hosting frequent security training sessions around phishing and ransomware.
- Adhere to compliance frameworks: Depending on the industry you’re in, some compliance frameworks are required by certain governing bodies — for instance, in the healthcare space, HIPAA is required, or, if your company deals with credit card information, PCI DSS is needed. With the continued rise in security threats, some insurance companies have made select compliance frameworks a baseline requirement for cyber insurance coverage. To get ahead of this trend, meet all regulatory requirements for your industry and consider pursuing an industry-agnostic information security framework like ISO 27001 or NIST Cybersecurity Framework (CSF).
- Understand vendor security: Vet the security and compliance protocols of potential or current vendors to best protect your company from third-party threats. You should show insurance providers that you’ve done thorough research and have addressed third-party security issues.
- Have an incident response plan in place: Because experiencing a security incident is more about “when” than “if,” your organization must have a detailed incident response plan in place before such an event occurs. Your incident response plan will help prove to insurance companies that you are prepared for when an incident happens.
Want support in optimizing and organizing your team’s compliance management and security efforts? Hyperproof is here to help. Book a demo with us today!