We all know it: cyberattacks are growing in frequency and complexity. Cyber insurance is becoming more widely adopted as the last line of defense for mitigating the damage of a cyberattack. This week we will discuss the good, the bad and the ugly of cyber insurance.
A Brief Horror Story
Earlier this year a small Rhode Island law firm got hit with ransomware, rendering their attorneys unproductive for three months. This resulted in a $700,000 loss of business while they attempted to regain access to their data. They ended up paying over $25,000 in Bitcoin to get back on track. In this case, they had insurance. The kicker… Their policy maxed out at $20,000. That is less than the ransomware payment alone! Then, after taking the monstrous loss in business income into account, the insurance basically withers away into thin air. The law firm is now suing the insurer.
Moral of the story in this context: take the time to properly understand cyber insurance policies. From a security expert standpoint… implement endpoint security and properly train employees. For more on ransomware, check out our Ransomware 101 post.
The Cost-Benefit Analysis of Cyber Insurance
The average security breach costs a company $3.6 million, according to data compiled by IBM. However, the total business impact can be many times higher. A single settlement covering the aftermath of a cybersecurity incident may cost as much as $115 million. It’s not just large multinationals. Recent research has indicated small and mid-sized businesses are increasingly targeted by hackers. Nearly half of all small businesses in the U.S. were breached between mid-2016 and mid-2017.
What’s behind the shift in targeting?
Small businesses often have lucrative financial data, just not in the volume larger enterprises do. It is difficult for most small businesses to afford the sophisticated protections of larger market entrants. And, of course, small businesses are very likely to pay ransoms. About 70% of businesses comply with ransomware demands, making it big business. Click here to calculate what a breach would cost you. Even data breaches suffered by the smallest businesses cost an average of more than $20,000.
By comparison, a cyber insurance policy can be obtained for a premium as low as $750. That’s a tiny increase in operational overhead that makes a big difference. That being said, the average premium varies greatly by industry. Check out this page for a cyber insurance estimate relevant to you.
The Current State of Cyber Insurance
About 50% of all U.S. companies lack cybersecurity insurance. Only about 16% of respondents in a recent survey believed their current insurance coverage was substantial enough to protect them across all likely cybersecurity contingencies. Some industries, such as healthcare, face even greater liabilities than the norm. Why do so many companies remain uninsured despite the clear threat – and clear solution? The reasons are many and varied:
- Decision-makers feel mistrust about the price and value of cybersecurity insurance;
- They believe that available insurance prices do not match their authentic risk profiles;
- They consider the process of setting insurance premiums ambiguous and unclear;
- They feel the lack of an industry standard benchmarking process disadvantages them.
While these concerns are understandable, they also place enterprises at significant risk. While the cybersecurity insurance industry continues to grow and develop, what should senior executives do? The answer: Carefully choose the insurance that is right for your situation.
Properly Choosing Cybersecurity Insurance May Be Easier Than You Think
Understanding the fundamentals of cybersecurity insurance clarifies the picture immensely. There are two main types of policy:
First-Party Coverage covers direct costs of a data breach, such as loss, theft, or destruction of data, forensic investigations, legal costs, business interruptions, notification of customers and the public, post-event monitoring, and crisis management.
Third-Party Coverage protects enterprises against the legal and regulatory liabilities arising from such an event, including privacy, data breach, and electronic media content liability. It also covers response to regulatory entities.
When comparing policies, ask the following:
- Does the policy contain any exclusions that may be pertinent to your business?
- Under what circumstances does the policy trigger – and are they broad enough?
- What are the deductibles and limits that apply to the policy?
- Does the policy grant the right to select your defense counsel?
- Are you covered against acts and omissions of third parties?
- Does the coverage territory match your business footprint?
Preventing a data breach is the most cost-effective solution, but most companies don’t invest enough to ensure that. In today’s fast-moving, threat-heavy environment, cybersecurity insurance simply makes sense for businesses of all industries and size categories. That being said, cyber insurance does not in any way take the place of proper network security practices and measures. For companies that do not have the means to properly implement and manage security in-house, a managed security service provider (MSSP) should seriously be considered.
Contact Sedara if you are considering an MSSP.