If it seems like all the business owners you know are getting cyber risk insurance these days, it’s because they are. Companies are buying the insurance because cyber crime is growing, and so is the damage it can do. In fact, according to the latest stats from security.org, the United States is the most expensive country in the world to have a data breach, with the average incursion costing a company $8.64 million in 2020. Is it any wonder that the Cyber Risk Insurance market is expected to grow to $20 billion by 2025?
When disaster strikes, cyber risk insurance can help you recoup losses, pay for investigations, cover legal costs, and give you the funds you need to get your business back up and running.
What can a cyber risk insurance policy do for your business? A lot. Let’s review what’s covered.
What is Generally Covered Under a Cyber Risk Insurance Policy?
Most cyber risk insurance policies cover the fallout from a breach, helping to cover the costs directly related to the incident. Depending on the policy you choose, this coverage can include:
1. Network security damages as a direct result of a cybercrime, such as:
- Payment of ransomware
- Data breach notifications
- Identity restoration and credit monitoring
- IT forensics
- Legal expenses
- Data restoration
- Public relations intercessions
2. Business Interruptions
This allows the policyholder to recover some expenses following a breach, such as fixed operational expenses and lost profits. These clauses generally cover system failures, human error, and security failures.
Some cyber risk insurance policies also cover profit losses due to reputational damages following a cyber breach.
3. Legal Fees Incurred Due to Breach of Contract
If a breach has kept you from fulfilling customer and client obligations, you can be held legally liable for damages. A good cyber risk insurance policy can help you mitigate these costs.
4. Breach of Privacy
Many verticals have stringent privacy rules and regulations. HIPAA is one that most people think of, with fees and fines for any violation they deem “negligent.” These regulations cover every employee working in the office, remotely from home, and even third-party vendors. Most cyber risk insurance policies will cover the legal costs and fees for violations resulting from a cyber breach that exposes data. It can also cover your business from class-action litigation actions and penalties awarded by the courts following a breach.
5. Replacement Hardware
Since many forms of malware can render hardware useless, a good cyber risk insurance policy will cover the replacement of damaged equipment following a cyber attack.
So, as you can see, cyber risk insurance covers the great majority of liability from an attack. But it doesn’t cover everything. Here’s where you’ll commonly find the loopholes in these policies.
What is Usually Not Covered
Again, reading the fine print will help you understand the limitations of your cyber risk insurance policy. Many small to medium-sized businesses were taken by surprise when their claims relating to COVID19 security breaches were not covered. All insurance coverages are different, but you need to double-check your policy to make sure it covers:
1. BYOD and Remote Worker Claims
Be aware for exclusions on BYOD and remote workers. Some of these exclusions can be very specific, like not covering a device that is unencrypted or refusing to cover employees who haven’t signed an acceptable use policy. In these cases, an employee’s personal device replacement costs will not be covered, even if it was destroyed as part of a malware attack. Read the fine print and make sure your coverage includes BYOD and remote worker claims.
2. “Acts of War”
This stipulation has been snuck into some cyber risk policies to disallow payment for cyber breaches occurring from state-sponsored actors and foreign hackers. Considered “an act of terrorism,” you may be unpleasantly surprised to find your coverage doesn’t protect you from larger, organized groups of hackers.
3. Potential Profit Loss in the Future
Your cyber risk insurance policy may cover profit loss to a degree, but many will not cover “future” losses and may have a limited amount of time following the breach where they will reimburse you for lost profits.
4. Upgrading Technology
Unless the devices and hardware were damaged because of a cyberattack, most cyber risk insurance policies will not cover updating or upgrading equipment even if doing so increases your overall cybersecurity.
Choosing the Best Cyber Risk Insurance Policy for Your Business
Choosing the right policy, like choosing your car insurance or health insurance, will depend on your company’s size and your industry’s threat levels. When comparing coverage, look for these key points:
Cyber risk insurance will have deductibles, just like any other insurance policy. The average deductible, per a study from AdvisorSmith Solutions Inc, is around $10k for $1 million in liability coverage. The annual cost of a policy averages $1500 per year for that same $1 million policy, based on location and industry.
Stand-Alone Policy vs Add-On
Your existing business insurance company may offer cyber risk insurance as an add-on to your coverage. Look at what they offer and compare the pricing and coverages to cyber risk insurers; most of the time, a stand-alone policy will provide more comprehensive coverage than add-on policies.
Since employees often inadvertently cause most breaches, it’s important to choose a policy that covers unintentional employee actions such as responding to a phishing attempt, clicking infected attachments, or falling for a “spoofed” website. Make sure your policy covers “social engineering,” a blanket term that includes most of these email-related attacks.
Just like getting a car insurance discount for taking a safe-driving course, your policy may include discounts for employee cyber-security awareness training.
APTs (Advanced Persistent Threats)
APT cyber risk insurance coverage is tricky. The threat is not a single targeted incident; it is a slow process taking place over weeks, months, and even longer. Check to see how the cyber risk insurance carrier covers APT’s and choose a policy with longer time frames to collect for damages caused by them.
Any policy you find will cover breaches to your own business…but what if the threat came from a third-party vendor? Your point-of-sale software, your financial institution, your MSP, and even your accountants or attorneys are all closely connected with your business. When bad actors hack third-party vendors, they are looking for the bigger prize at the end of the game…your business’ sensitive data. Your customers will still hold you responsible, even if this breach wasn’t your fault. What type of coverage does the insurance company offer for damages resulting from third-party vendor breaches?
Some breaches occur because hackers cast out a wide net hoping to catch anyone they can while other attacks target a company specifically. There may be hidden clauses in the policy stating that you are only covered in the event of a targeted attack and not a wider spread hacking scheme.
So, now that you know some things to look out for in your policy, how do you know if you qualify?
Qualifying for a Cyber Risk Insurance Policy
Getting cyber risk insurance isn’t always as simple as making a few calls and writing a few checks. But most companies do qualify, so long as they have good cybersecurity procedures in place.
Specifically, insurers want to be assured that you have proper data handling protocols, especially if you’re handling customers’ financial data, or you’re operating in an industry like healthcare, which must adhere to HIPAA data mandates. They will also want assurances that you have a product like SIEM, (Security Incident and Endpoint Management), that can provide forensic reports in the event of a breach.
You can prepare for this by having a professional network assessment performed for your organization. This assessment will show you, and the insurance carrier, how prepared you are to meet current cybersecurity trends and threats.
Iconic IT Offers a Comprehensive Network Audit at No Cost or Obligation to You
Iconic IT, a leading MSP in the industry, is offering a 100% free, no obligation network assessment to companies looking for cybersecurity risk insurance. Your audit will give you a clear picture of your overall network and strategies, showing you any gaps and vulnerabilities you may need to patch up before applying for a cyber risk insurance policy.