Globally, cyberattacks are rated as the number one risk businesses may face, and as a result many organisations are turning to cyber insurance to provide protection against financial losses due to a cyber event.
What is cyber insurance?
Cyber insurance (also known as cyber liability insurance) policies assist in covering financial losses in the event of a cyberattack, including malware/ransomware attacks, extortion, and social engineering attacks. Having cyber insurance can potentially help in minimising business disruption in the aftermath of a cyber incident, as well as recovering the costs of dealing with an attack, such as remediation, investigations, and legal fees.
Just like many other insurance policies you may already have in place for your business, cyber liability insurance is a contract between your company and your insurer to protect against losses related to computer, network, or information security incidents.
However, it’s important to note that cyber insurance is still in its early days, and thus there may be policies or incidents that your chosen insurer does not (or will not) cover.
While your insurance may provide financial or remedial assistance, it can’t absolve you of your cyber security responsibilities. Having a cyber insurance policy is not an excuse to become lax with your cyber and information security controls and methods, so it is vitally important you maintain a cyber security posture appropriate for your organisation.
Furthermore, many cyber insurers will determine your premium costs and excess based on your cyber security posture. If you do not have minimum information security controls in place, you may find that your cyber insurance essentially becomes useless in the event of a debilitating cyber incident.
Who needs cyber insurance?
Cyber incidents can impact any company of any size, regardless of industry.
Every business could benefit from having a cyber insurance policy, but this is especially true for enterprises dealing with sensitive information (such as bank details, medical records, or personally identifiable information), as these details are highly sought after by cyber criminals. If an adversary gets access to these details, your company could potentially incur expenses associated with forensic investigations, extortion negotiations, ransom payments, credit and identity monitoring, restoration services, fines, and legal counsel fees. The estimated costs involved for a relatively minor cyber incident average between $200,000 and $6000,000 – for SMBs, these financial losses could be crippling.
What does cyber insurance cover/include?
The coverage for your cyber insurance policy depends on your chosen insurer. Always read the fine print to ensure you’re getting appropriate coverage for your business.
You can expect most policies to include coverage for:
- Meeting extortion demands for ransomware attacks
- Notifying customers when a breach has occurred
- Paying legal fees as a result of privacy violations
- Hiring computer or cyber security forensic experts to investigate and recover data
- Restoring and monitoring the identity of compromised customers
- Recovering data that has been altered or stolen
- Repairing or replacing damaged or compromised computer systems
As mentioned previously, it is vital you maintain a cyber security posture appropriate for your organisation. This is because many cyber insurance policies exclude preventable security issues, such as poor configuration or mismanagement of digital assets and information. Other excluded issues can include:
- Cyber events caused or initiated by employees/insiders
- Incidents that occurred before the policy was purchased
- Infrastructure failures not caused by purposeful cyber attacks
- Failure to correct known vulnerabilities (e.g., a vulnerability the company is aware of, fails to address, and becomes compromised due to the vulnerability)
- The cost to improve cyber security posture, such as security hardening in systems and applications
How much does cyber insurance cost?
Usually, cyber insurance costs are based on a company’s annual revenue, industry, and size. To qualify for a policy, most insurers require businesses to submit to a security audit conducted by the insurance company. The results of the audit factor into the types of coverage, the extent of the coverage, and the cost of premiums an enterprise qualifies for.
What to do next
Before you purchase a cyber insurance policy, you should consider partnering with a Managed Security Services Provider (MSSP). Your MSSP will be able to evaluate your cyber security posture, provide suggestions for improvement, and implement the relevant security controls to strengthen your cyber and information security.
Not only is this beneficial overall for the ongoing protection of your information, data, and digital assets, but it will also aid your business in getting the best insurance coverage, premium costs, and excess available.