Today, almost all businesses have an online presence. Even physical business establishments, such as brick-and-mortar shops, store and maintain some data online. Conducting business online has several advantages, including speed, efficiency and convenience. However, it can also open the doors to sophisticated cyberattacks.
With the explosion of cybercrime such as ransomware over the last two years, and the average total cost of a ransomware breach reaching a staggering $4.62 million, organizations are increasingly turning to cyber liability insurance to help manage cyber risk.
What is cyber insurance?
Cyber insurance or cyber liability insurance is a policy designed to protect organizations against the fallout of a cyberattack, including covering the financial costs of dealing with cyber incidents.
Cyber liability insurance policies offer a combination of coverage options to help protect a company against data breaches and other cybersecurity issues. These policies may also provide the tools and resources to manage and mitigate cyber risk both pre- and post-breach. Cyber insurance policies may cover general liability for a data breach involving sensitive customer information such as Social Security numbers (SSNs), credit card numbers, account numbers, driver’s license numbers and health records.
Why do businesses need cyber insurance?
Doing business online comes with its own risks. Data loss or theft can have a devastating impact on an organization, including financial losses. When an organization purchases cyber insurance, a portion of that risk is transferred to the insurer. For instance, suppose a company suffers a breach and incurs $100 million in costs related to the security incident. In such circumstances, depending on the insurance plan, the insurer could cover a portion of the cost. A cyber insurance policy acts as an additional layer of protection and reduces the financial risk arising from cyber incidents.
Cyber liability insurance helps cover costs associated with mitigating data breaches or cyberattacks. Some of these costs may include:
- Forensic investigations
- Litigation expenses
- Regulatory defense expenses (fines)
- Crisis management expenses (e.g., the cost of notifying affected customers and restoring the personal identities of affected customers)
- Business interruptions (costs of recovering compromised data, costs to repair damaged information systems)
- Cyber extortion
How long has cyber insurance been around?
Cyber insurance has been around since the 1990s. Early cyber insurance policies provided coverage for online media or errors in data processing. During this period, the policies excluded first-party coverage, rogue employees, regulatory claims, and fines and penalties. As cyber risks began to evolve in the 2000s, so did these policies, and they started to cover unauthorized access, network security, data loss and malware-related claims.
How big is the cyber insurance market?
According to MarketsandMarkets, the global cybersecurity insurance market is projected to grow from $7.8 billion in 2020 to $20.4 billion by 2025, at a CAGR of 21.2%. The two main factors driving the growth of the market include the surge in cyberattacks and the need to comply with stringent regulations.
What is the average cost of cyber insurance?
The cost of cyber insurance can vary depending on the nature, size and location of a business. In the U.S., the average cost of cyber insurance is $1,485 per year or $124 per month.
What does cyber insurance cover?
Cyber liability insurance policies may vary based on industry or coverage type. For example:
- Public entities: Protects public entities against damages paid because of economic loss caused by an illegal act. The insuring agreements may include liability coverage (privacy and security), breach response coverage (cyber extortion, data restoration), cybercrime coverage (funds transfer fraud, social engineering fraud) and business loss coverage (business interruption, system failure).
- Small businesses: Coverage to help SMBs minimize the impact of a cyberattack or data breach. Insuring agreements may include breach notification to customers, credit card monitoring services, retention of a public relations consultant, forensic fees and defense costs.
- Technology companies: Protects organizations such as information technology application and service providers, integrators, telecommunications providers, medical technology providers and electronics manufacturers. Insuring agreements may include liability coverage (technology errors and omissions), breach response coverage (privacy breach notification, cyber extortion, data restoration), cybercrime coverage (computer fraud, social engineering fraud) and business interruption.
- Data compromise protection: Provides credit monitoring and public relations services.
- Identity recovery protection: Helps individuals whose personal information has been stolen and misused by restoring their credit history.
- Cyber protection: Protects businesses against damages caused by computer viruses or cyberattacks, as well as helping cover the costs of recovering and recreating data.
What is not covered by cyber insurance?
While cyber insurance policies and the coverage they provide can vary drastically from one insurer to another, here are some common exclusions that companies should review carefully in their policies.
- Security standard exclusions: Some cyber insurance policies do not cover claims if the insured fails to comply with industry standards or fails to maintain minimum security standards.
- Bodily injury and property damage: Most cyber policies do not cover bodily injury or property damage arising from a cyber incident. To avoid having such claims rejected, organizations should confirm that their insurance policies contain the appropriate coverages.
- War, terrorism or invasion: Almost all insurance companies exclude coverage for loss resulting from war, terrorism (cyberterrorism) or invasion.
- Payment Card Industry (PCI) fines: The Payment Card Industry can impose fines and penalties on companies following a credit card breach. Many cyber insurance policies do not cover PCI fines and assessments. Therefore, companies should check their policies to ensure their cyber insurance provides coverage for PCI fines and assessments.
What are the types of cyber insurance?
There are two types of cyber liability insurance, namely first-party insurance and third-party insurance.
First-party insurance helps cover the expenses and damages a business itself incurs when its systems or networks are breached, hacked or its data is stolen. It covers costs that directly impact the business.
First-party insurance may also be referred to as “data breach insurance” and may be added to general liability insurance. This type of cyber insurance is recommended for retailers and other professionals who collect and store credit card or other payment information. It may cover cyber extortion payments, forensic investigation, notifying affected customers, customer credit and fraud monitoring services, crisis management and public relations, business interruption expenses (hiring additional staff, renting equipment, third-party services, etc.).
Third-party insurance offers protection when a client sues an organization for failing to prevent a breach at their business. This type of cyber liability insurance helps protect against claims made against a business by injured parties. It provides liability coverage against claims a business failed to prevent, such as a data breach or a cyberattack.
Third-party insurance may cover legal defense costs or settlements an organization is legally obligated to pay after a breach as well as other related court costs. This type of cyber insurance is recommended for technology professionals such as service providers, integrators and consultants. It may be bundled with errors and omissions policies.
Who should carry cyber insurance?
Cyber insurance isn’t just for the Fortune 500. With cyberattacks and data breaches becoming increasingly expensive and more common, organizations of all sizes are considering cyber insurance.
A cyberattack isn’t only an inconvenience – it can also pose serious threats to the solvency of a business. An alarming 60% of SMBs go out of business following a cyberattack. Cyber liability insurance helps cover the costs in the aftermath of a cyberattack by paying for things like customers’ credit monitoring, attorney’s fees, fines and other expenses.
The cost of a data breach reached its highest total in 17 years, costing a staggering $4.24 million in 2021. Any organization that handles sensitive information should have a cyber liability policy.
How to meet cyber insurance requirements
As the threat landscape grows and more organizations look to add cyber liability insurance, the high levels of volatility and risk have led many insurance companies to restrict payouts by adding more claim exceptions and exclusions.
Whether an organization is considering cyber insurance for the first time or is up for policy renewal, it is important to understand the latest requirements. Knowing what to expect helps an organization understand the steps it must take to gain maximum coverage while minimizing costs.
Businesses will have to fill out a questionnaire about their existing cybersecurity controls, tools and processes. Thorough documentation will help brokers accurately evaluate an organization's overall security posture and determine its level of risk.
While each evaluation process differs, some security controls are near-unanimous across the industry, including:
- Data encryption for data in transit and at rest
- Identity and Access Management (IAM) controls and best practices
- Privileged Access Management (PAM) to restrict privileged access
- Multifactor Authentication (MFA)
- Immutable data backups
Each cyber insurance policy has different requirements. Companies should discuss their policies thoroughly with their insurance providers to ensure they understand exactly what is expected of and needed from their organization to remain in compliance with the policy.
How Unitrends helps businesses comply with cyber liability requirements
Cyber insurance helps organizations recover financially, but it can't help them recover lost or stolen data. Unitrends Unified BCDR provides organizations with a complete platform that has the agility to protect all workloads, whether on-premises, in the cloud or SaaS applications, or on remote endpoints. Native capabilities, such as AES 256-bit encryption, immutable cloud storage, application-level recovery testing and a hardened Linux OS kernel, are just some of the ways Unitrends helps organizations protect their digital assets and comply with cyber liability requirements. To learn more about how Unitrends helps eliminate ransomware and downtime, check out our 5 pillars of ransomware defense.