It’s no exaggeration to say that we live in a cyber world.
Everything from paying our bills to driving a car involves computers and information technology—and that probably includes your business.
Even small businesses today use computers, which means they could face one or more cyber attacks. To protect themselves, many invest in cyber insurance. If you’re thinking about doing so for your business, or even if you already have cyber coverage, read on to learn more about the intricate world of cybersecurity.
What is the Meaning of Cyber Insurance?
Cyber insurance protects your business from data breaches, ransomware attacks, phishing and other security issues with your technology.
In case you're not too familiar with these terms, here's a quick primer:
- Data breach: When a hacker gets a hold of sensitive data, like Social Security and bank account numbers.
- Ransomware attack: Freezes a company’s computer system until a ransom is paid.
- Phishing: When fake emails ask for personal information or account numbers.
Cyber insurance, also called cyber liability insurance, is similar to most types of insurance in that it usually has a deductible that you pay before the coverage kicks in, as well as a maximum amount of coverage. It often includes general liability protection, as well as specific coverage for the needs of your database and network.
What Does Cyber Insurance Cover?
According to the Federal Trade Commission (FTC), there are two types of general coverage options offered by most cyber insurance policies: first-party and third-party. First-party coverage protects your business from direct costs related to a cyber security breach. Although each policy is unique and reflects the needs of a particular company, first-party coverage could include any of these elements:
- Legal assistance to help you determine what your responsibilities are regarding state and federal law and other regulatory bodies. If your company does business in Europe, this may include compliance with the General Data Protection Regulation (GDPR), which sets privacy and security laws within the EU.
- Costs involved in notifying those who have been impacted by the breach, which may include mailings, a call center, or credit monitoring.
- Fees incurred in recovering or replacing data.
- Business interruption costs, which may include lost income or revenue.
- Public relations costs if the breach is publicly known and threatens the reputation of your company, as well as crisis management fees.
- Coverage for money needed to pay cyber extortion fees.
- The costs involved in forensic tracing and identifying the breach and its perpetrators.
- State or federal penalties you may incur because of the breach, or other fines or fees assessed by regulatory agencies.
Your cyber insurance coverage may also include third-party insurance, which covers legal costs and other expenses that might arise if a third party is involved. It’s often used by businesses that provide services to other businesses. For example, if your client is attacked because a hacker found information that you stored on the client’s business, third-party coverage kicks in if that client files a lawsuit against your company. It may include the following:
- Costs for legal suits brought against you due to the cyber incident.
- Claims you are required to pay out as a result of those lawsuits.
- Any losses that you incur that are related to copyright or trademark infringement.
- Payments you make to those impacted, either voluntarily or to fulfill regulatory requirements.
- The accounting costs that will add up as you determine the damage done and the necessary repairs.
In addition to supplying coverage, many insurance providers who offer cyber insurance also provide preventative assistance to help you become better able to deal with cyber risks.
Risk management services can help you become better prepared for a cyber event, and may include training for your employees so they can identify suspicious activity and understand what to do if, for example, they receive a phishing email. The services may help you develop risk reduction and incident response plans, and comply with federal, state, and industry authorities.
A good insurer will have professionals on staff who are skilled at handling cyber events, and it pays to question them well before a cyber event occurs. Your policy may not specifically speak to before-breach help, but as a service to policyholders, many insurers do offer materials and/or training to clients.
Having experts available to help you deal with cyber breaches has another benefit. You’re less likely to face liability cases or regulatory fines if you can show that you’ve done due diligence in training and equipping your staff to deal with breaches. By having the appropriate software and hardware to make it difficult for someone to hack into your system, you show that you’ve done everything possible to protect yourself and your technology.
If you are a small business that doesn’t have the in-house bandwidth to hire cybersecurity experts on your own, you should ask questions and be aware of the pre-breach services offered by your cyber insurance company when you request an insurance quote.
Real Life Examples of Cybercrimes
According to the National Association of Insurance Commissioners, small business losses following a cyber breach average $38,000—a figure that becomes more startling when you know that 60 percent of small businesses that suffer a cybersecurity breach are forced to close within six months of the incident.
So how can cybersecurity insurance help you and your business? To answer that question, let’s look at some examples of cybercrime that were compiled by Travelers Insurance:
- A construction company had a cyber breach that impacted the personal information of customers. The company was required to inform these clients, who lived in several states, about the breach and theft of sensitive information. An investigation was launched by the attorney general, which found the company at fault. The costs of notification and legal defense totaled nearly $1 million.
- A clothing manufacturer saw the theft of half a million credit card numbers from its database. It hired a forensic investigator to untangle the situation, who uncovered six months of wrongdoing by the hacker. The company hired a PR firm and gave its customers a year of free credit monitoring, while also paying fines and penalties to the state. The cost? More than $10 million.
- A staff member at a medical clinic received a phishing email asking for personal data. They opened it, and the malware it contained infiltrated the practice’s network, exposing the financial and health data of patients. The practice incurred costs for notification, a forensic investigator, fines and penalties, as well as HIPAA violations, and racked up more than $500,000 in costs for the breach.
All three of these vignettes could happen to businesses both large and small. The financial losses they faced were mitigated by the fact that they had cyber insurance, which paid for a good portion of the remediation and repair efforts.
What Is Not Covered Under Cyber Insurance?
What’s covered by your cyber insurance is specific to your own business. When you work with an agent, they will craft a policy that meets your needs, without adding in anything extra or making omissions that hurt your business.
Having said that, there are some typical exclusions found in most cyber insurance policies. Your service provider may not cover the following, unless you have a specific rider to include it:
- Any software or hardware upgrades you decide are needed after a cyber breach. If a security event makes it clear you need additional software or hardware to protect yourself, your policy will not pay for it.
- Future profits that are lost because your company’s reputation has suffered. If negative information is circulating in the public following a data breach at your company, your policy may help you to hire a PR professional to manage those perceptions, but it generally won’t pay for the decreased revenue that happens as a result.
- If the value of your company itself decreases due to a security breach, the insurer will typically not pay for its decreased valuation.
- Property damage or physical injury if a breach caused a malfunction that resulted in damage to computers or other equipment, or injuries to a person. A scenario like this could happen, for example, in a manufacturing facility, where large equipment run by computers gets damaged and then injures operators. Cyber insurance wouldn’t cover that.
- If your breach is caused by the government of a foreign country, your policy may not cover services, citing an act of war exclusion.
Is Cyber Insurance Necessary?
Cyber coverage isn’t required by law in any state in the U.S., so is it really necessary? After all, business owners have their hands full paying for their regular liability, property damage, and other forms of insurance—they don’t need something else they have to write a check for.
But cybercrime is on the rise and skyrocketed during the pandemic. It’s becoming something that more and more business owners must deal with, as cyber criminals and hackers have digital tools that allow them to infiltrate even the most secure of networks. Exploiting network vulnerabilities and breaking network security is easy for them in many cases.
And of course there are few companies that aren’t vulnerable. In fact, small and medium-sized companies make an excellent target for hackers, since they may have cyber exposures that larger corporations have protected themselves against.
If your business accepts payments online or processes credit card payments, stores any personal information (even if it’s just on an Excel spreadsheet), handles documents online, or even just uses a VoIP phone system, you are at risk of cyber threats.
Where Do I Get Cyber Insurance?
Not all insurers sell cyber policies, but a good strategy is to ask your broker how to get cyber insurance. Most likely, they’ll first check with the company that holds your business insurance policy.
More insurers are offering cyber insurance as the insurance market expands to meet the needs of a changing and increasingly technological world. A good policy will cover everything from your employees’ PCs to your social media presence as a whole. It will protect the customer information you store and the other technology you rely on to do business.
If your own trusted insurer does not offer cyber insurance, your insurance broker may be able to recommend a place to turn to for reliable coverage. See if your broker can recommend coverage that can be customized to the needs of your business. A skilled broker will know your business and your industry well enough to understand the particular needs you might have for cyber insurance at a price that works for your bottom line.
As always, it’s a good idea to compare quotes from several companies before making a decision. With written estimates in hand, look at the coverage options that each insurer offers before determining the company that best fits your needs.
How Much Does Cyber Insurance Cost?
There are a number of factors that impact cyber insurance coverage costs. Your business’s size matters, as does the size of your network and complexity of your technology.
The strength of your existing security measures is factored in, as well as the amount you choose as a deductible and the maximum amount of your coverage. Your cost, in the end, will be unique and specific to your own individual policy.
Having said that, a 2021 study found that the average cost of cyber insurance in the U.S. was $1,485 a year or $124 a month. The same study found that the average cost of responding to a security breach was more than $35,000 for small businesses, while mid-size businesses could expect to pay an average of $86,000.
Get Cyber Insurance to Protect Your Business
If you haven’t looked into cyber insurance yet, you may be placing your business at risk of a technology crash that could cost you thousands of dollars.
As the nascent cyber insurance industry ramps up, offering more coverage options each year, it’s the perfect time to explore a policy of your own.
Talk to your insurance broker to make sure you have the cyber coverage you need.