Preparing Your Business for Cybersecurity Insurance Coverage
A single click on a phishing link, bad attachment, or malicious email by an unsuspecting employee and, before you know it, your business has been breached. Malware can quickly invade your company network and systems. With the right cybersecurity in place, you may be able to stem the spread, but even under the best circumstances, bad actors can still sometimes get their hands on your valuable data and that of your clients.
Such scenarios are becoming more frequent, and attacks are becoming more complex as hackers hone their craft to evade updated security measures. Cybercrime increased 600 percent due to the COVID-19 pandemic, and the average cost of a data breach to a small business can range from $120,000 to $1.24 million, according to Purplesec. The company also reported the average cost of a malware attack is more than $2.5 million, including the time needed to resolve the attack.
So what’s a business owner to do? The answer is not only in developing and implementing a strong cybersecurity plan but in finding the right cyber liability (cybersecurity) insurance coverage. Before your business signs up for cybersecurity coverage, there are a few things to know and requirements you must meet to even qualify.
The Development of Cyber Insurance
The insurance industry began issuing cybersecurity insurance in the 1990s, according to Colony West. The earliest versions of cyber insurance generally covered online media and data processing errors. Those initial policies didn’t always cover first-party claims and had exemptions against “rogue employees, regulatory claims, and fines and penalties.”
Cyber policies in the 2000s began to cover incidents such as unauthorized access, network security, data loss, and virus-related claims. The policies also matured to include first-party coverage, business interruptions, extortion (think ransomware), and network asset damages.
Since some policies still don’t cover every cost related to an attack, those impacted, or complete recovery, some insurance experts argue this type of insurance coverage is still in its infancy and much still needs to be done to standardize coverage. Even so, having a cyber insurance policy is still better than nothing at all.
What Does Cybersecurity Insurance Cover?
You will want to get cyber liability insurance that covers your business for both first-party and third-party losses resulting from data breaches and other cybercrime. A cyber insurance policy, also known as cyber risk insurance, allows businesses to cover some or all of the costs connected with recovering from a cyberattack, breach, or similar event. Some of the issues cyber insurance covers include:
- Data Loss, Recovery, and Recreation of Data
- Business Interruption
- Loss of Revenue Due to a Breach
- Loss of Funds Transferred
- Computer Fraud and Extortion
Keep in mind that an errors and omissions insurance policy IS NOT cyber insurance and is no substitute for proper cyber liability coverage, even with a technology error rider.
In the event bad actors steal or expose personal information such as driver’s license information, addresses, and bank account information, a cyber liability policy will also cover:
- Notification costs to identify victims through an internal investigation and provide reasonable notice to those customers who may have been impacted.
- Credit monitoring for identified victims, as regulatory obligations often require it and the cheapest option may not satisfy those negatively impacted.
- Civil damages from individual and class action lawsuits that can rack up to hundreds of thousands of dollars or more, even for small companies.
- Computer forensics to determine whether a breach occurred, contain the cause, prevent further damage, and determine the scope of the hack.
- Damage to the reputation of a company resulting from a breach and public relations work to help mitigate potential negative impacts of an attack.
ORAM Cybersecurity Advisors strongly recommends our clients consider obtaining cybersecurity coverage. This is because most cyber insurance policies cover network security failures including data breaches, malware, ransomware attacks, and email compromises. You can learn more about cyber insurance in ORAM’s blog, “What to Know About Cybersecurity Insurance.”
Most cybersecurity policies also provide resources in the event of an attack to support policyholders. Such resources may include assistance in designing cost-effective security plans including data encryption protocols to further reduce liabilities as well as crisis management to restore your company’s image following a cyber incident. This may include services such as a data breach coach to help your business meet legal obligations for documenting and reporting cyberattacks.
Special Cybersecurity Insurance Considerations
There are other special considerations when seeking a cybersecurity policy. If your business has revenue connected with any European consumers or businesses, the General Data Protection Regulation (GDPR), which was recently implemented, may apply to your business. Many businesses have already made the move to become GDPR compliant and the regulation also has particular insurance requirements that should be included in your policy.
What Insurance Companies Require for Cybersecurity Coverage
When you contact an insurance company about cybersecurity insurance, know you will have a responsibility to protect your clients’ personal information and prove how you’re doing so. If you store data such as customer names, addresses, social security numbers, credit card information, and other private data, you have regulatory obligations to keep that data as secure as possible.
Before a carrier can determine whether your business qualifies for cyber liability insurance, what the coverage limits will be, and what premium you’ll be charged, they typically carry out a cyber insurance risk assessment. This has become standard in the underwriting process for cyber insurance policies.
Depending on the carrier you are working with and the size of your company, this process can be as simple as a questionnaire or a complete analysis conducted by a cybersecurity firm such as ORAM Cybersecurity Advisors. Your company may be asked to conduct regularly scheduled reassessments to ensure it is keeping pace with changes to cybersecurity best practices in order to maintain policy coverage.
Insurance carriers want businesses to keep liability risks to a minimum, so businesses are generally required to meet basic cybersecurity standards and best practices such as:
- All desktop, laptop, and mobile devices must have current antivirus software.
- A modern firewall must be employed by the company network.
- Business data must be backed up regularly using external media or a secure cloud service.
- Access rights and permissions must follow certain security provisions such as the principle of least privilege.
To reduce your cybersecurity insurance premiums, some carriers will cut you a break if you go above and beyond the minimum cybersecurity standards. Your insurance carrier or a third-party provider such as ORAM Cybersecurity Advisors can suggest measures for improving your company’s cybersecurity posture such as cyber awareness training for all employees.
Don’t forget that certain industries have stronger cybersecurity regulatory requirements and need better cyber coverage as well. Some industries in the financial, healthcare, and automotive sectors, for example, must adhere to the Sarbanes-Oxley Act (SOX compliance), the Health Insurance Portability and Accountability Act (HIPAA), and Trusted Information Security Assessment Exchange (TISAX certification), respectively. Aside from federal cybersecurity regulations, most states have their own cybersecurity regulations as well.
What Does Cyber Insurance Cost?
As mentioned previously, the cost will depend on your coverage, the size of your business, and the results of your cyber insurance risk assessment. The ability of your business to avoid a cyber incident, the level of its cybersecurity, and the coverage you require are the biggest factors considered when carriers determine premium costs. Insurance carriers often look at business revenue and the amount of personally identifiable information (PII) and protected health information (PHI) data being stored and maintained on a business network.
Like other types of insurance, there is a deductible with cyber liability insurance. You select your deductible at the time you sign your policy. The higher the deductible, the lower your premium. That deductible is the amount your business will pay before the insurance coverage goes into effect to cover the costs of a breach and recovery. Each time you submit a claim, your deductible must be paid again. The more claims you have, the more coverage will cost. Too many cyber incidents may leave your business unable to get cyber liability insurance so you want to avoid hacks, attacks, and the like as much as possible.
Get Cyber Secure Now for Better Insurance
When it comes to cyber liability insurance, odds are policies will continue to morph, grow, and adapt to meet the needs of businesses as they shift with the threat environment. As is the case with other types of insurance, cyber insurance policies will likely become more industry-specific as well.
ORAM Cybersecurity Advisors can assist your company in gaining cyber liability insurance coverage by performing a complete cyber insurance risk assessment. Whether you’re an insurance carrier seeking assistance in determining the liability of potentially insured customers or a business seeking such coverage, ORAM can help. Simply contact ORAM Cybersecurity Advisors now at (617) 933-5060 for a free, no-obligation initial consultation.