Cyber Insurance

Suveys of small businesses have shown that 47%-83% of small and medium sized organizations do not have cyber insurance.  Even those that do have it, often have incorrect coverage – lacking protection for their greatest risks and being over-covered for risks that are not applicable to their business.   Cyber insurance is poorly understood in the insurance industry and it is a very small portion of the insurance policies that most agents and agencies write.

 

AdvisorSmith 2021 survey and Hiscox 2024 survey

If your orgnaizaiton does business with many large organizations you my or will soon have be required to have it.  Many large organizations require their vendors and customers to have cyber insurance in place in order to do business with them. Government suppliers are routinely required to have $1M or more in cyber insurance coverage.

Your organization may also have regulatory reasons to need it.  Many businesses from home healthcare to mortgage companies have industry regulations requiring cybersecurity and cyber insurance.

Cyber insurance protects your organization if you are hit so the costs to repair and recover are taken care of but also protects other organizatons and individuals impacted by any cyber related issues you may have.

Cyber risk insurance can help mitigate the following attacks/incidents including but not limited to:

1. Data breaches: Covers costs associated with notifying affected individuals, providing credit monitoring services, and managing public relations in the aftermath of a breach.
2. Data loss or corruption: Helps recover or reconstruct lost or damaged data, as well as the expenses related to investigating the cause of the loss.
3. Cyber extortion: Provides coverage for ransom payments and expenses related to responding to extortion attempts, such as hiring forensic experts or negotiating with attackers.
4. Business interruption: Compensates for lost income and extra expenses incurred due to a cyber incident that disrupts normal business operations.
5. Legal costs: Covers expenses related to defending against lawsuits resulting from a cyber incident, as well as regulatory fines and penalties.

Integris’ clients that qualify and have the Responsible IT Architecture (RITA) products have the highest levels of security in place and qualify for EA Risk Partners’ exclusive program which provides access to reduced premiums, better coverage and an easier buying process.   Even Integris’ clients that  don’t yet qualify for the program can take advantage of Integris’ partnership with EA Risk Partners to get a streamlined quoting process, saving them time and having their coverage competitively shopped among carriers.

Cyber risk insurance policies can vary significantly in terms of coverage limits, exclusions, and additional services offered. They are typically tailored to the specific needs and risk profiles of individual policyholders, taking into account factors such as industry, size, and existing cybersecurity measures.

As cyber threats continue to evolve and become more sophisticated, cyber insurance has become an increasingly important component of overall risk management strategies for businesses of all sizes.

The requirements to obtain cyber risk insurance can vary depending on the insurance provider, the specific policy being sought, and the risk profile of the applicant. However, some common considerations and requirements typically include:

1. Risk Assessment: Insurance providers may conduct a thorough assessment of the applicant’s cybersecurity posture and risk management practices. This assessment may include evaluating the organization’s IT infrastructure, security policies and procedures, incident response capabilities, and history of past incidents.
2. Security Measures: Applicants may be required to demonstrate that they have implemented adequate cybersecurity measures to mitigate the risk of cyber incidents. This may include measures such as firewalls, antivirus software, intrusion detection systems, data encryption, employee training programs, and incident response plans.
3. Compliance: Compliance with relevant laws, regulations, and industry standards related to cybersecurity may be a requirement for obtaining cyber risk insurance. This could include compliance with data protection laws (such as GDPR or HIPAA), industry-specific regulations (such as PCI DSS for payment card industry), or other standards (such as ISO 27001).
4. Documentation: Applicants may need to provide documentation related to their cybersecurity practices, such as security policies and procedures, risk assessments, incident response plans, and records of past incidents.
5. Disclosure of Past Incidents: Applicants may be required to disclose any past cyber incidents, data breaches, or security vulnerabilities. Insurance providers may consider the applicant’s history of incidents when determining coverage and premiums.
6. Premiums and Deductibles: The cost of cyber risk insurance premiums and deductibles will vary depending on factors such as the size and industry of the organization, the level of coverage desired, the risk profile of the applicant, and the insurance provider’s underwriting criteria.

Overall, insurance providers aim to assess the level of risk posed by potential policyholders and tailor coverage accordingly. Organizations that demonstrate strong cybersecurity practices and a commitment to risk management may be more likely to qualify for cyber risk insurance and obtain favorable coverage terms and premiums.

The average cost of a cyberattack can vary widely depending on factors such as the size and industry of the targeted organization, the type of attack, the extent of the damage, and the effectiveness of the organization’s response and recovery efforts. However, according to various reports and studies, the average cost of a cyberattack has been steadily increasing in recent years.

In 2023, the average cost of a cyberattack globally was estimated to be in the range of hundreds of thousands to millions of dollars for large organizations. For small and medium-sized enterprises (SMEs), the costs of a cyberattack can also be significant, although typically lower on average compared to larger organizations.

Several factors contribute to the costs of a cyberattack, including:

1. Direct Financial Losses: These may include expenses related to data breach remediation, such as forensic investigations, notification of affected individuals, credit monitoring services, legal fees, regulatory fines, and potential lawsuits.
2. Operational Disruption: Cyberattacks can disrupt normal business operations, leading to downtime, loss of productivity, and revenue loss.
3. Reputational Damage: A cyberattack can damage an organization’s reputation and brand, resulting in long-term financial repercussions as customers and partners lose trust and confidence in the organization.
4. Data Recovery and System Restoration: Costs associated with restoring data, systems, and infrastructure affected by the cyberattack.
5. Cybersecurity Investments: Organizations may need to invest in cybersecurity enhancements and upgrades to prevent future attacks and improve resilience.

It’s essential to note that these are just averages, and the actual costs of a cyberattack can vary significantly depending on the specific circumstances of each incident. Additionally, the costs associated with cyberattacks are not limited to financial losses and can have far-reaching implications for organizations across various aspects of their operations and reputation.