Cybersecurity insurance, sometimes known as cyber insurance, is a policy that an organization may buy to assist reduce financial exposure associated with internet business.
Cybersecurity insurance is a relatively new and developing sector. Unfortunately, data breaches and other cybercrimes are becoming increasingly prevalent.
Data breaches have resulted in substantial fines and legal costs – not to mention aggravation – for a discount retail chain, one of the country’s biggest banks, a well-known health insurance company, an entertainment network, and the federal government in recent years.
In exchange for a monthly or yearly charge, the policy transfers part of the risk to the insurer.
Companies that embrace cybersecurity insurance are among the first to do so. Given the ever-changing and unpredictable nature of cyber-risks, cybersecurity policies might vary from one month to the next.
Underwriters of cybersecurity insurance policies have a limited amount of data to develop risk models in order to evaluate insurance coverage, rates, and premiums.
Cyber insurance was created through errors and omissions (E&O) insurance, a distinct sort of coverage that protects against service failures and faults.
E&O insurance is similar to product liability insurance available to firms that manufacture physical or digital items.
Although some cybersecurity insurance policies contain E&O exclusions, the vast majority of providers sell these as two distinct and unique coverages.
E&O insurance is not meant to protect you against the loss of data from a third party, such as credit card numbers, and customers in need of this protection may buy cyber insurance.
Table of Contents
Why do we need Cybersecurity insurance?
There is a lot of discussion around the need for cybersecurity insurance in the media, but why do we need it? The reasons can be split into three broad categories: legal protection, financial losses and reputation damage.
Cybercrime has no boundaries and impacts organizations across all regions, sectors and sizes; there is not one company that will not at some point face this growing threat.
Mirroring an increase in reports of breaches – 2015 was a record year with over 1 billion data records breached (Source: Identity Theft Resource Center) – we have seen an increase in demand for specialist insurers offering cyber risk solutions to businesses of all types.
For many businesses, having effective policies in places such as firewalls and encryption technology may protect the business from financial loss.
However, without adequate levels of cyber insurance in place, a data breach could cost the company far more than they have insured for – leaving them seriously under-resourced following an attack.
In fact, research by Deloitte found that the US’s biggest data breaches cost on average $364,500 per financial services firm and $123,400 for companies outside this sector.
Cybercriminals are not only targeting organizations with big budgets to spend on security technology; anyone can be targeted.
This year we saw the NHS hit hard. ‘WannaCry’ ransomware affected many NHS Trusts across the US, causing disruptions to patient care (including operations being canceled), and affecting many thousands of hospitals, GP surgeries & pharmacies.
Affected Trusts reported that it had a knock-on effect for weeks. Estimates are that the attack may have cost the NHS as much as $92 million – this was not insured.
A big area of concern is reputational damage. Most companies will never admit to being breached, as it could be seen as damaging to their brand if the news was made public.
Think back to Talk Talk’s announcement that they had been breached putting over 150,000 customers at risk; the share price plummeted 15% immediately after the announcement (source: The Guardian).
All of this has led to an increase in demand not only for cybersecurity insurance but incident response services. Following a breach, there is often no time to waste.
A company’s IT team needs to be on the scene rapidly to assess the threat, contain the incident and begin recovery.
Specialist response teams are trained to gather evidence that will assist in not only the recovery of your business but also minimize any damage caused by the breach.
Privacy risk, security risk, operational risk, and service risk are the most common cyber risks. In addition, network security and privacy liability can include both first-party and third-party costs. Let’s look at each component in detail to see what kind of cyber risk it covers.
Network Security
The need for a network security coverage grant is essential for most firms, especially those exposed to information risk and privacy concerns.
This component of cyber insurance protects your company in the event of a network security outage, including data breaches, malware infections, cyber extortion demands, ransomware encryptions, and business email compromises.
Privacy Liability
Most organizations, particularly those with information or privacy liability concerns, require privacy liability coverage.
Customer and employee data may be sensitive, and breaches or infractions that expose such information not only jeopardize the security of those who have been hacked, but also put your company at risk of legal liability.
Your business is protected from cyber-related or privacy law violations by cyber liability coverage. Third-party expenses may include fines, costs for regulatory investigations by governments and law enforcement, as well as settlements or judgments.
Here are two examples of what qualified insurance coverage may cover:
- Defending your company against consumer class action lawsuits and raising money for a possible settlement in the event of a cyber incident or data breach are essential tasks.
- Accrued expenses, fines, and/or penalties as a result of a government or legal enforcement investigation. Both domestic and foreign governments have the authority to investigate firms for potential compliance breaches.
- Consider how your company would fare if a foreign government investigated and imposed a penalty on it for a privacy breach or violation, particularly with new rules like GDPR and CCPA that give customers more control over their personal information.
- FTC privacy consent decrees and their associated fines or penalties are other examples of cyber risk.
Network Business Interruption
What percentage of your firm’s success does technology play a role? If your company is susceptible to cyberattacks, you should look into business interruption coverage.
You can recoup lost earnings, set expenditures, and other expenses incurred during the time your company was harmed when your network or the network of a supplier you rely on goes down owing to an occurrence.
Damages caused by:
- Obsolete or incorrect passwords, malware infections, and security breaches are some of the causes.
- Software vulnerabilities, hardware failures, and human error are just a few examples of system failure.
Errors and Omissions Liabilities
A cyber incident might prevent you from performing your obligations under a contract and providing services to consumers. E&O insurance protects you against claims resulting from errors in the execution of, or failure to execute, your services.
In this type of business, you may offer a wide range of services as well as consulting or technology solutions. You can also provide more traditional professional services like attorneys, doctors, architects, and engineers.
If someone files a claim alleging negligence or breach of contract, E&O coverage pays for the legal defense and/or indemnification needed to defend yourself from a lawsuit or conflict with your consumers.
Cyber insurance coverage is identical to other general insurance plans in that it includes an outline, which details the policy’s features, advantages, coverages, and exclusions.
What’s not included in Cyber Liability Insurance coverage?
The penetration of cyber insurance for individuals is also improving as the number of internet users grows. It is suggested that you get this insurance policy not just for the coverages, but also for the eventualities that will not be covered by the policy.
The following circumstances are not covered by your insurance policy in the event of a loss:
- If you have engaged in any unlawful or unethical behavior during the purchase of your policy, your claim will not be made by the insurance provider. If the losses are not due to natural causes, they will not be covered by your insurance.
- The cybersecurity insurance policy does not cover personal injury, property damage, or anything else that causes bodily harm or property damage.
- This insurance won’t cover any damage to your belongings, and the devastation of any property will not be compensated for.
- Unsolicited communication – The Cyber Safe Insurance policy covers you from the danger of any kind of unasked-for communication in any form, such as audio recording, videotaping, or phone marketing.
- Unauthorized data collection – If you are engaged in any sort of unlawful gathering of personal or client-related information, your cyber insurance won’t cover the loss.
- Abusive or illegal services – If it is discovered that your losses were caused by any connection with racist, extremist, pornographic, or any other immoral/obscene services during the investigation, your cybersecurity insurance will not cover you.
Some other exclusions in the Cyber Liability Insurance policy are:
- Cyber terrorism
- Natural perils
- Trading in virtual currencies
- Contractual liability
- Losses in connection with any religious or political activities
Is Cyber liability insurance worth it?
We get this question every day as more and more companies consider whether or not to buy coverage.
Understanding the expenses of a data breach is critical for comprehending the significance of coverage, as data breaches occur on a regular basis.
The average cost of a data breach across the world is $3.86 million, although the harm to a firm is significantly higher depending on its size and the breach.
Small and medium-sized organizations are equally vulnerable to cyber attacks, although businesses of all sizes may be potential targets. Understanding the cost of a data breach to small and medium-sized companies.
Because SMB networks (SMBs) are frequently chosen as preferred targets by cybercriminals, they’re especially vulnerable.
This is due to the fact that cybercriminals consider small and medium-sized businesses (SMBs) as less prepared and more susceptible to cyber assault.
In reality, the National Cyber Security Alliance discovered that 70% of all cyber assaults target small and medium-sized businesses (SMBs).
So, is it worth it? Absolutely yes; the immediate expenditures of a data breach are considerable, while the latent costs may be catastrophic.
A cyber liability insurance policy will provide several mitigation techniques and huge coverage for the expenses of a breach.
Who needs cybersecurity insurance?
Cybersecurity, privacy, and media liability insurance, often known as cyber liability insurance or simply cyber liability insurance, covers your company’s response to a computer security breach or data exposure.
A virus may be the cause of considerable damage to your network or computer systems. Cyber liability insurance can help you recover from these occurrences.
A general liability insurance policy or a professional liability policy will often include basic cyber liability protection.
Enhanced cyber liability insurance is not currently available for businesses that store personally identifiable information (PII) on behalf of employees or consumers.
Personal information is any data that might be used to identify a specific person, such as name, birth date, email address, social security number, credit card number, or bank account number.
A cyber attack can take many forms. Hacks may also use the same method to forge your business’s email addresses and send phishing emails to customers.
Customer’s personal information is vulnerable if they click on a link in the email. Alternatively, a hacker may use a virus or ransomware to corrupt your data files.
Internal security is the most important way to protect yourself from cyberattacks. For example, small company owners should restrict access to PII to a select few of their employees.
Strong passwords are necessary for both electronic devices and access to various program utilities. You should also change your passwords and software on a regular basis.
What should I look for when buying cyber insurance?
Most firms require a number of important features of cyber insurance coverage. The following are some of the most important coverages that every business must look for:
- Costs for investigating, segregating, and removing a hazard are considered Forensic Expenses. Hiring a professional to assess your systems and backups and determine the scale and scope of a data breach are covered under this plan.
- The expenses of employing a forensic accountant to track down the costs that occurred, as well as the cost of business shutdowns, are all possible forensics expenditures.
- Defense and settlement expenses for defending against a claim brought by your clients as a result of a data breach are examples of legal costs.
- Notifications: The costs of notifying customers about a data breach are known as notification expenses. PCI DSS, for example, requires businesses to inform consumers if their personal information has been stolen.
- The costs of notifying consumers that their data has been compromised in a data breach are referred to as notification expenditures.
- Fines and Penalties: If your firm is subject to PCI DSS standards, cyber insurance can help cover the cost of regulatory penalties if authorities determine that your company did not sufficiently protect sensitive consumer data.
- Credit Monitoring and Identity Theft Repair: Credit monitoring and identity theft repair may include expenses such as those associated with recovering from ID theft, as well as lost wages and child and elder care incurred while dealing with ID theft.
- If your company has a data breach and offers credit monitoring services to harmed customers, cyber insurance can cover the cost of these services.
- Cyberattack Expenses: A data breach may result in significant brand damage for your company. Consumers may be less inclined to deal with you if you’ve had a high-profile data leak or have had to inform customers that their data has been stolen in a cyberattack.
- Cyber insurance covers the fees associated with engaging a public relations agency to safeguard your business’s reputation after a data breach as well as the costs associated with implementing any of the PR firm’s suggestions.
- Liability and Defense Costs: Liability and defense costs include coverage for losses as well as the cost of defending claims associated with network security liability, such as negligent security mistakes or flaws that enable malware propagation, denial of service assaults, and unwanted data leaking.
- It also covers electronic media liability, such as copyright or trademark infringement, privacy rights infringements, unintended defamation, and intrusion into an entity’s right to publicity.
Personal Cyber Insurance
Given the increase in frequency and expense of cybercrimes, if your homeowner’s insurance does not include personal cyber insurance, individuals should consider purchasing it.
In 2020, the FBI’s Internet Crime Complaint Center received nearly 800,000 cybercrime allegations, with a projected cost of $4.3 billion over the next five years. That represents an average expenditure of almost $5,400 per cyber offense.
Individual policies from State Farm are the only major insurance policy that provides cyber coverage as an option to its standard home insurance.
Several lesser firms, such as American Family and Phoenix Life, also provide it as a standalone product. The ability of some other big insurers, such as Allstate and Travelers, to provide identity theft protection
However, as the personal cyber insurance sector grows, more affordable cyber insurance alternatives may be a suitable add-on to individuals’ health coverage for this growing hazard.
For example, several insurance providers offer $15,000 in combined cyber extortion and cyber-attack damages for $25 per year as part of their personal cyber insurance endorsements.
This endorsement, known as Cyber Event, Identity Restoration and Fraud Loss Coverage, covers policyholders up to $50,000 for identity restoration costs and fraud losses.
This gives individuals greater than adequate protection at a reasonable price for the typical cybercrime cost.
A personal cyber insurance policy indemnifies you for the expenses associated with the loss of digital information and assets up to your policy’s limits.
However, there are a variety of ways that cyber assaults can result in money damage, ranging from bank account theft to payouts made after extortion through an anonymous online threat.
How to apply and get cybersecurity insurance?
A current trend in the cybersecurity industry is an increase in contracting insurers to cover losses related to a data breach, including costs associated with the notification, credit monitoring services for customers whose personal information may have been compromised, forensics investigations, and regulatory fines.
In June 2017, Verizon’s security team reported that they had nearly tripled their cybersecurity insurance coverage from 2016 to 2017.
This shows that large companies are interested in this type of protection and small businesses consider the high costs often associated with cybercrime.
Below we describe how you can get your own insurance policy explicitly tailored toward providing protection against these risks:
1) Identify your needs by defining your risk appetite: What do you consider to be your ‘red line’? What would happen if your systems were hacked or breached?
How much is it going to cost you for this risk to materialize? What are the consequences of not having insurance coverage in place? Think about these questions before getting into any contractual agreement.
2) Know what you will need: You may want to consider cyber-liability insurance, primarily if your company deals with personally identifiable information.
This type of protection will cover the costs associated with the notification, credit monitoring services for customers whose personal data may have been compromised, and regulatory fines.
You should find out which expenses are covered by your policy and how they reimburse them. Make sure there are no exclusions that could potentially leave areas uncovered, such as cases of negligence.
3) Read the fine print: It is essential to understand the terms and conditions of your policy. For instance, some insurers might exclude costs associated with regulatory fines if your company experiences data breaches due to negligence.
Ensure that the exclusions are reasonable, as well as explicit which areas are covered or excluded by your policy.
4) Get the right kind of coverage for your needs: Cyber-liability insurance can be purchased as a stand-alone plan or added to an existing business general liability policy.
A stand-alone cyber policy typically provides broader protection because it doesn’t have restrictions based on other procedures in which you may already have coverage.
Does cyber insurance cover ransomware?
In a ransomware attack, cybercriminals gain access to a computer system and encrypt all its files. They then demand payment from the victim in exchange for giving them access again.
Despite the availability of free decryption software, victims have no other choice but to pay up or lose their data. It’s a huge problem, as highlighted by a recent Institute for Critical Infrastructure Technology study.
In 2015, 1,000 individuals and businesses were affected by a ransomware attack at least once a day. Ransomware attacks have also been increasing in number and sophistication.
Back to our question: Does cyber insurance cover ransomware? The answer is yes and no.
RANSOMWARE COVERAGE IN GENERAL: Many cyber insurance policies cover the cost of restoring data due to a ransomware attack.
The coverage typically has a deductible, a set amount you’ll have to pay before your policy kicks in. Below is an example of a deductible from one of our cyber insurance carriers:
So if your business pays 0 per year for cybersecurity insurance with a $2,000 deductible, the insurance would cover costs up to $1,500. Cyber insurance won’t typically reimburse you for stolen profits or data loss.
So any ransom paid to regain access to your files wouldn’t be covered.
Should a small business have cyber insurance?
The recent string of cyber attacks targeting small businesses has many owners concerned about the growing risk they face.
But while it’s easy to understand why cyber insurance might be helpful, some business owners are wondering if it really makes financial sense to purchase this coverage.
Although the total number of confirmed breaches in 2016 is still unknown, there were at least 2,039 successful breaches in 2015 involving more than 113 million records, according to the Identity Theft Resource Center.
That means that nearly one-quarter of all U.S. companies were targeted last year alone. But with so many small businesses falling victim to hackers and data thieves, do cybersecurity insurance policies even exist for them?
Yes but…
While major corporations can afford teams of cybersecurity experts, legal representation, and even an in-house data recovery center, many small businesses just don’t have the cash flow for that kind of coverage.
In fact, most cyber insurance policies require a minimum number of employees and a minimum annual revenue in order to qualify.
For example, business owners with fewer than 50 workers may not be able to find a cyber insurance policy that meets their needs.
At the same time, many business owners on ZeusTracker have reported being denied coverage because they don’t make more than $5 million in revenue each year!
Another problem is the fact that most small businesses are self-insured. That means that they are liable for paying any damages!
How big is the cyber insurance market in the United States?
The cyber insurance market is expected to grow at a CAGR of 16.30% between 2014 and 2020, according to our latest U.S. Cyber Insurance Market Report (published February 2015).
We forecast that it will be worth $7 billion by 2020 (up from $2.5 billion in 2015) but see many challenges ahead for the industry as well as major players like AIG, ACE Ltd., Allianz SE, Axis Capital Holdings Limited, Beazley PLC, Chubb Ltd., Endurance Specialty Holdings Ltd., FM Global, Liberty Mutual Group, QBE Insurance Group Limited and XL Catlin which are already active in this space.
What is the waiting period for cybersecurity insurance?
It is a timeframe that must pass before the cybersecurity insurance policy coverage takes effect. The waiting period starts from the time when an insured event occurs and terminates when the claim is reported to the insurer.
By definition, it is a time frame during which certain events must happen before a specific party may file a claim or be eligible to receive benefits under the policy.
It may be a time frame that an insured event must occur before coverage takes effect or it can be the interval of time that elapses between two events.
Waiting periods are typically used to help control moral hazards, but they are also designed to ensure that only legitimate claims are submitted under the cyber insurance policy being offered.
When setting the waiting period, insurers are often required to weigh how much protection they are willing to provide against the potential costs of insurance fraud.
Typically, waiting periods are measured in days or months, but it may also be measured in hours depending on the cyber insurance policy being offered.
How profitable is cyber insurance?
In a recent survey of 200 senior-level cyber insurance buyers, the most cited reason for purchasing a policy was mitigating financial risk.
In fact, 70% of respondents said they purchased a cyber insurance policy because it helps them mitigate the risk associated with lost income and business disruption caused by a data breach.
An Information Systems Audit and Control Association (ISACA) white paper compiled the results of a survey and found that 42% of organizations participating in the study suffered a cyberattack in 2013.
In addition, those breaches cost those companies an average of $3.5 million each.
In another recent survey conducted by Infogroup/One Source, nearly half (45%) of all surveyed companies with 100 or more employees say that cybercrime is now a larger threat to their company than street crime.
“The growing number and intensity of data breaches have significantly elevated the importance of risk management for all types of organizations,” says Stephanie Barko, senior vice president at Marsh, a global insurance brokerage firm.
“In particular, there is a new focus on the need to effectively identify and measure cyber risk. With this heightened awareness, organizations of all types are more focused on putting the right kind of protection in place.”
With that said, “the recent high-profile breaches have increased demand for insurance coverage that can help mitigate the potential financial impact to their organization,” says Barko.
Entities targeted by cyberattacks such as financial institutions, retailers and healthcare organizations are now realizing that data breaches not only put consumers at risk but also cause a loss of revenue and eroded brand value according to the ISACA white paper. “Cyber insurance is definitely becoming a bigger deal,” says Barko.
What percentage of businesses have cyber insurance?
“For the past few years, about 50% of small businesses have had cyber insurance.”
For instance in North America, in 2015: “57 percent of midmarket firms believe they are not prepared to deal with a cyber security incident.”
Stronger regulations and enforcement, along with greater awareness of the issue at the government level, have driven demand for data breach insurance up as well.”
According to a survey conducted in 2016 by the World Economic Forum: 46 percent of US respondents and 44 percent of German ones said that they were familiar with cybercrime or cybersecurity.
Cybersecurity Insurance: The Key Takeaways
Cybersecurity insurance is a type of coverage that protects your company from the financial risk associated with cyber attacks.
If you think about it, all businesses today are at some level dependent on technology and information systems to conduct their day-to-day operations. It’s not surprising then that many companies do business online in one way or another.
The likelihood of data breaches and other cybersecurity events continues to grow as hackers become more sophisticated, and no organization can predict when or where an attack may occur.
This makes having adequate protection through cybersecurity insurance vital if your company wants to protect its bottom line and reputation against these risks.
Cyber insurance can be a powerful tool to protect your company from the dangers of cyberattacks.
Ensure you have an appropriate level of coverage for your needs and that it is in line with what other companies in similar industries are doing.
Don’t forget about backup plans, because if one fails, there should always be another! If you’re not sure how much protection you need or want, talk to a professional who will help guide you through the process.