Cybersecurity insurance was once a niche product for companies with the highest risk profiles. But recently, it has found its way into the mainstream as more and more businesses face data disasters that can cause loss of revenue, extended downtime, and compliance violations if sensitive data gets leaked.
You may have considered cybersecurity insurance (also called cyber insurance) but maybe you weren’t sure if it was right for your business. In the meantime, you prioritized reducing vulnerability to cyber incidents that threaten business continuity, like accidental or malicious data breaches, malware, phishing, and ransomware attacks.
Pat yourself on the back: By strengthening your company’s prevention, detection, and response to cyber threats, you’re also more attractive to cyber insurance providers. Being cyber resilient can save you money on cyber insurance if you decide it’s right for you.
Today, I’m breaking down the basics of cyber insurance: What is it? How much will it cost? And how do you get it?
Do I Need Cyber Insurance?
Cyber insurance has become more common as part of business continuity planning. Like many things in the cybersecurity world, it can be hard to measure precise adoption numbers because most historical data is self-reported. But reports from the U.S. Government Accountability Office (GAO) indicate that major insurance brokers saw uptake nearly double from 2016 to 2020. During and following the pandemic, enterprises saw a sharp rise in cyberattacks and data breaches, and, while data collection and analysis are still ongoing, experts expect the cyber insurance industry to expand in response. Take a look at these three data points on cybersecurity risk:
- In the U.S., recovering from a cyberattack cost twice as much in 2019 as it did in 2016.
- According to IBM's 2022 Cost of a Data Breach report, the average cost of a data breach in the U.S. is $9.44M versus $4.35M globally.
- For small to medium-sized businesses (SMBs), recovery is more challenging; a widely cited figure holds that 60% of SMBs fold within six months of a cyberattack.
Whether your company is a 10-person software as a service (SaaS) startup or a global enterprise, cyber insurance could be the difference between a minor interruption of business services and closing up for good. However, providers don't cover every business that applies for cyber insurance. If you want coverage (and there are plenty of reasons why you would), it helps to prepare by making your company as attractive (meaning low-risk) as possible to cyber insurers.
What Is Cyber Insurance?
Cyber insurance protects your business from losses resulting from a digital attack. This can include lost business income, but it also covers unforeseen expenses such as:
- Forensic post-breach investigation expenses.
- Additional monitoring costs (for example, credit or identity monitoring for affected individuals).
- The cost of notifying affected parties of a breach.
- Public relations service expenses.
- Litigation fees.
- Accounting expenses.
- Court-ordered judgments.
- Claims disbursements.
Cyber insurance policies may also cover ransom payments. However, expert guidance holds that paying the ransom is neither advisable nor prudent, even if it's covered by insurance. The most effective way to undermine the motivation of these criminal groups is to reduce their potential for profit, which is why the U.S. government (the White House and the FBI alike) strongly discourages the payment of ransoms.
There are a few reasons for this:
- There is no guarantee that cybercriminals will provide a working decryption key to recover your data. They are criminals, after all.
- Even with a decryption key, there is no guarantee you will recover all of your data. This can be intentional, or simply the result of poor design on the part of the cybercriminals; ransomware decryptors are notoriously buggy.
- Paying the ransom encourages cybercriminals to keep plying their trade, marks your business as a payer, and can result in the same business being hit again, sometimes by the same group.
- Depending on who is behind the attack, paying can also create sanctions exposure: the U.S. Treasury's Office of Foreign Assets Control (OFAC) has warned that payments to sanctioned ransomware actors may violate U.S. sanctions law, whether or not insurance reimburses them.
Types of Cyber Insurance
What plans cover and how much they cost can vary. Typically, you can choose between first-party coverage, third-party coverage, or both.
First-party coverage protects your own business and data, and includes coverage for expenses such as recovering lost or stolen data, lost revenue due to business interruption, legal counsel, and similar costs.
Third-party coverage protects your business from liability claims brought by someone outside the company. This type of policy might cover things like payments to consumers affected by a data breach, costs for litigation brought by third parties, and losses related to defamation.
Depending on how substantial a digital attack’s losses could be to your business, your best choice may be both first- and third-party coverage.
Cyber Insurance Policy Coverage Considerations
Cyber insurance protects your company’s bottom line by helping you pay for costs related to recovering lost or stolen data and cover costs incurred by affected third parties (if you have third-party coverage).
As you might imagine, cyber insurance policies vary. When reviewing cyber insurance policies, it’s important to ask these questions:
- Does this policy cover a variety of digital attacks, especially the ones we’re most susceptible to?
- Can we add services, if needed, such as active monitoring, incident response support, defense against liability lawsuits, and communication intermediaries?
- What are the policy’s exclusions? For example, acts of war or terrorism (which some insurers now extend to state-sponsored attacks) and well-known, named malware strains may be excluded from the policy.
- How much do the premiums and deductibles cost for the coverage we need?
- What are the coverage (payout) amounts or limitations?
Keep in mind that choosing the company with the lowest premiums may not be the best strategy. For further reading, the Federal Trade Commission offers a helpful checklist of additional considerations for choosing a cyber insurance policy.
Errors & Omissions (E & O) Coverage
Technology errors and omissions (E & O) coverage isn’t technically cyber insurance, but it could be part of a comprehensive policy. It protects your business from expenses incurred if/when your product or service fails to deliver or doesn’t work the way it’s supposed to. It is easy to confuse with cyber insurance because both respond when a technology product or service fails; the difference is that E & O coverage applies when that failure is due to the business’s own negligence rather than an attack.
You may want to pay the upcharge for E & O coverage to protect against harm caused if/when your product or service fails to deliver or work as intended. E & O also offers coverage for data loss stemming from employee errors or employee negligence in following data safeguards already in place. Consider whether you also need this type of protection and ask your cyber insurer if they offer E & O policies.
Premiums, Deductibles, and Coverage—Oh, My!
What are the average premium costs, deductible amounts, and liability coverage for a business like yours? The answer to that question turns out to be more complex than you’d think.
How Are Premiums Determined?
Every insurance provider is different, but here are common factors that affect cyber insurance premiums:
- Your industry (e.g., education, healthcare, and financial services are considered higher risk).
- Your company size (e.g., more employees means more risk).
- Amount and sensitivity of your data (e.g., school districts holding student and faculty personally identifiable information are at higher risk).
- Your revenue (e.g., a profitable bank is a more attractive target for cybercriminals).
- Your investment in cybersecurity (e.g., lower premiums go to companies with dedicated resources and policies around cybersecurity).
- Coverage limit (e.g., a lower liability limit means a lower premium).
- Deductible (e.g., the more of each incident you agree to pay yourself, the lower your plan’s premium).
What Does the Average Premium Cost?
These days, it’s challenging to estimate the true cost of an attack, and therefore the true cost of insuring against one, because historical data haven’t been widely shared. The U.S. Government Accountability Office (GAO) reported that the rising “frequency, severity, and cost of cyberattacks” is pushing cyber insurance premiums up.
But, generally speaking, if you are willing to cover more of the cost of a data breach, your deductible rises, and your premium falls. Data from 43 insurance companies in the U.S. reveal that cyber insurance premiums range between $650-$2,357 for businesses with $1,000,000 in revenue for policies with $1,000,000 in liability and a $10,000 deductible.
How Do I Get Cyber Insurance?
Most companies start with an online quote from a cyber insurance provider, but many will eventually need to compile more detailed and specific information in order to get the most accurate figures.
If you’re a small business owner, you may have all the information you need at hand, but for mid-market and enterprise companies, securing a cyber insurance policy should be a cross-functional effort. You’ll need information from finance, legal, and compliance departments, IT, operations, and perhaps other divisions to ensure cyber insurance coverage and policy terms meet your company’s needs.
Before the quote, an insurance company will perform a risk assessment of your business in order to determine the cost to insure you. A typical cyber insurance questionnaire might include specific, detailed questions in the areas of organizational structure, legal and compliance requirements, business policies and procedures, and questions about your technical infrastructure. Here are some questions you might encounter:
- Organizational: What kind of third-party data do you store or process on your computer systems?
- Legal & Compliance: Are you aware of any disputes over your business website address and domain name?
- Policies & Procedures: Do you have a business continuity plan in place?
- Technical: Do you utilize a cloud provider to store data or host applications?
Cyber Insurance Readiness
Now that you know the basics of cyber insurance, you can be better prepared when the time comes to get insured. As I mentioned in the beginning, reducing your vulnerability to cyber incidents goes a long way toward helping you acquire cyber insurance and get the best premiums possible. One great way to get started is to establish a solid backup strategy with an offsite, immutable backup. And you can do all of that with Backblaze B2 Cloud Storage as the storage backbone for your backup plan. Get started today safeguarding your backups in Backblaze B2.
Stay Tuned: More to Come
I’ll be digging into more specific steps you can take to get cyber insurance ready in an upcoming post, so stay tuned for more, including a checklist to help make your cyber resilience stance more attractive to providers.