Cybercrime is no longer just a concern for large enterprises, as cyber-attacks increasingly target smaller organizations. Plus, with the cost of data breaches estimated to be an average of $7.3 million for Canadian organizations in 2022, it’s crucial to have proper cybersecurity measures in place.
But as the number and severity of cyber insurance claims continue to rise, insurers are increasing premiums, making it harder for businesses to get coverage. The Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries, reported a 28% increase in cyber insurance premiums during the first quarter of 2022 compared to the fourth quarter of 2021.
Plus, with rates continuing to rise and limited coverage offered by insurers, obtaining or affording cyber insurance could become a challenge for many companies. Keep reading to gain insight into the fundamentals of cyber insurance and secure your company’s coverage.
What is Cyber Insurance?
Cyber insurance, also known as cybersecurity insurance, is a policy that can help businesses offset the financial risk exposure caused by cyber threats. Simply put, it’s like an extra layer of protection against damages and recovery costs arising from data breaches, ransomware attacks, or other cybersecurity incidents.
In the past, traditional insurance policies only covered physical asset breaches or business interruptions due to cyberattacks. But with the increasing number and severity of cyber threats today, the losses have expanded significantly.
That’s why more and more businesses are opting for stand-alone cyber policies to address their specific risk exposure needs. Let’s see why cyber insurance matters and whether you should consider it or not.
Why Is Cyber Insurance Important?
If there’s one thing we’ve learned from the digital age, it’s that cyberattacks are a serious threat to businesses of all sizes. And with the increasing risk of cyberattacks, companies risk losing valuable data and suffering significant financial losses, not to mention damage to their reputation.
That’s where cyber insurance comes in—it’s like a superhero cape for your company, protecting you against the risks of compromised data and security breaches. Cyber insurance protects against these risks by covering security incidents and acts of cyberterrorism.
Take Marriott International as an example: after experiencing a massive data breach that exposed sensitive information belonging to half a million guests in 2018, the company faced over $250 million in liabilities and penalties.
Thankfully, their cyber insurance was able to help mitigate some losses. This example shows how important investing in cyber insurance is to protect yourself and your business from potential cyber threats and their devastating consequences.
What Does Cyber Insurance Cover, and What Does It Not Cover?
Well, there are two major types of coverage: third-party liability and first-party. The former protects you when a customer, vendor, or partner sues you for allowing a data breach. Meanwhile, the latter protects your company when you incur expenses from a hack or data breach.
Cyber liability coverage may also specify the incidents and damages it will pay for, such as “ransomware insurance” or “data loss insurance.” But what exactly does cyber insurance cover? Cyber insurance protects against losses caused by damage to, or loss of data from, IT systems and networks. It includes:
- Pre-incident support
- Post-incident support
- Security and privacy breach costs
- Cyber extortion
- Damage to digital assets
- Business interruption
- Liability costs
However, there are some things that most policies don’t cover, including:
- Lost profits
- Bodily injury and property damage
- Hardware and software damage
- Lost equipment, third-party damages
- Business reputation damage
Cyber insurance policies usually have waiting periods for business interruption coverage, and they rarely cover damage to property or new software versions. As such, businesses need to be aware of these exclusions and plan accordingly to mitigate the risks of cyber attacks.
How Does Cyber Insurance Work?
Cyber insurance works similarly to other types of insurance, with policies being sold by various suppliers that also offer other forms of business insurance. The cyber insurance ecosystem comprises brokers, insurers, and re-insurers, with businesses usually working with brokers to obtain quotes from various insurers.
Re-insurance companies play a crucial role by providing cybersecurity, underwriting knowledge, actuarial support, and risk transfer. And as the market for cyber insurance continues to evolve, all players in the ecosystem are learning as they go, trying to find their footing in this dynamic market.
Do I Need Cyber Insurance?
Because cybercrime is a real and present danger to businesses of all sizes, cybersecurity insurance should be seriously considered, with the following considerations in mind.
The first consideration should be the cost of the policy. Insurance costs have been increasing significantly over the past year or two and for some organizations the cost may be prohibitive.
Second, insurance companies are increasingly imposing requirements on customers that could be compared to regulation or audit standards. On many occasions, these requirements demand skilled resources, time and effort and/or security systems or capabilities to be in place before the insurance company will accept an application. These requirements can be costly and for some may be cost-prohibitive.
Third, deductible amounts are usually negotiable and related to the overall cost of an insurance policy. Often, the deductible amount can make a claim in the event of a cyber breach unrealistic in terms of what may be payable. In other words, if the deductible amount is likely to be close to, or more than, a loss from a breach incident, then the policy may not be an effective option. A lower deductible will usually increase the policy cost, which takes us back to the first consideration.
Overall, this is a financial and business decision, and all the factors of return on investment should be weighed before making it. It may be worth investing more in cyber security controls at your organization so that the risk is more acceptable, perhaps without insurance.
Myths about Cyber Insurance
Cyber insurance is becoming increasingly popular in the digital age, but there are a lot of myths and misconceptions about it. Let’s debunk some of these common myths and shed light on having adequate cyber insurance coverage.
Myth: It only covers technology-related incidents.
Reality: Cyber coverage is broader than that. Network and Privacy Liability coverage also applies to businesses that keep records containing personally identifiable information in soft and hard copy formats. A cyber insurance policy can cover even paper records like old employment applications, customer files, and credit card receipts.
Myth: Businesses don’t need it if they have a “hold harmless” or other indemnification agreement with their service provider or site manager.
Reality: Even with such an agreement, you may still incur attorney fees and defence costs until the indemnification kicks in. Failure to respond quickly and effectively with crisis management could cause more significant losses. That’s why many Network Security and Privacy Liability insurance programs include loss mitigation/crisis response services and defence cost coverage as part of their base policies.
Myth: Small companies are not at risk because they are too small to be targeted.
Reality: This couldn’t be further from the truth. In fact, over 80% of small to medium businesses have fallen victim to cyber-attacks, and a staggering 60% of those companies go out of business within six months. No organisation is immune to the threat of cyber attacks, regardless of size or industry.
Myth: A General Liability policy will protect your company from all potential losses, including those related to cyber-attacks.
Reality: Commercial General Liability insurance protects your business assets from bodily injury and property damage claims made by a third party because of negligence. It does not cover a third party’s financial losses from cyber attacks or data breaches. While it may offer some basic sub-limited coverage for an additional premium, it is often subject to a deductible and can erode CGL limits.
Myth: Cyber insurance is too expensive for small to medium-sized businesses.
Reality: Today’s Network and Privacy Liability market is highly competitive, and coverage costs are determined by various factors such as the risk class of the insured, coverage amount, deductible/retention appetite of an insured, revenue, and number of unique PII or PHI records stored or maintained on the insured’s systems.
Many carriers offer indications with just these basic data points, but taking a full application and working through the questions can help determine potential vulnerabilities and areas of compliance that need improvement. It’s always best to work with an experienced broker who understands your business’ specific requirements to find the best coverage at an affordable price.
The increasing frequency and severity of cyber-attacks mean businesses must proactively protect themselves. Contacting insurance representatives to assess the need for cyber insurance is an essential first step, especially for businesses with an online presence and e-commerce activities.
However, it’s important to remember that cyber insurance is just one aspect of a comprehensive risk mitigation strategy. Developing cyber resilience should also be a priority for businesses. We, Softlanding, a Microsoft Solutions Partner, offer valuable managed IT security services to help businesses protect themselves against cyber risks and thrive in a constantly evolving business landscape.
Contact us to leverage the right technology solutions and expertise, so your business can ensure continued success and security in the face of emerging threats.