Cyber insurance (also known as cyber liability insurance) is no longer a fringe product for business owners.

The increasing regularity–and the increasing costs–of cybersecurity breaches is causing businesses of all sizes to consider insurance protection.

Cyber insurance is still in its relative infancy (although it has been offered in some form for about two decades), but it is now emerging as a more regular insurance product. It continues to face lingering skepticism as an immature solution with sometimes high costs.

Two reports issued in 2015 highlight the tension in the market between that growth and doubt.

In 2015, the consulting firm PricewaterhouseCoopers issued a report that estimated that $2.5 billion in cyber liability premiums were paid that year and that the number would triple to $7.5 billion by 2020.

Consulting firm KPMG found that there is still significant distrust about whether insurers will pay out on cyber security policies.

Regular Cybersecurity Threats

The threats that are driving adoption of cyber insurance include ransomware attacks (like the recent one that devastated Atlanta city government) and breaches that leak vast databases of consumer information.

Increased legal liability and penalties (including stiffer HIPAA enforcement for healthcare organizations) at both the state and federal level are also driving businesses to look to insurance for protection.

In the wake of some of the largest and most high-profile enterprise attacks, it’s been revealed that corporate cyber insurance policies covered significant portions of the cost.

Target, for instance, had a $100 million cyber liability policy (with a ten million dollar deductible) that has covered about $90 million of its total $300 million in costs.  Home Depot also had significant policies in place to help mitigate costs after its data breach.

The threat, though, certainly extends beyond large corporations.  Small businesses are regular targets for attacks, and these attacks can be lethal for them.

According to some data, 60% of small businesses are out of business within six months after an attack.

With that background in mind, let’s take a look at some of the key points to understand about cyber insurance.


1. Two Types of Cyber Insurance

There are two primary types of coverage.

One covers ‘first-party’ risks: the loss of your firm’s own data.  This includes things like accounting records, payment histories and employment records, the critical data for running your business that is today all digital.

The second covers ‘third-party’ risks.  This is the data your business handles that belongs to somebody else–customers or partners.  When a major corporation loses the credit card information of millions of its customers, it has damaged a third party–its customers.

2. Good Cyber Hygiene Will Reduce Premiums

Like all other insurers, cyber insurers recognize that certain behaviors by insured parties will reduce risk.

In the world of cyber insurance, this means things like having actively managed data back-ups, managed firewalls, updated anti-virus software, encryption of certain data, managing identities and access, regularly updated passwords and employee training for things like avoiding phishing emails.

For businesses under industry-based compliance regimes (like HIPAA), it certainly means meeting those required standards of compliance.

3. Lots of Exclusions

Cyber insurance is an emerging and maturing market.

You’ll find that policies today typically contain many exclusions.  This is, in part, a reflection of the fact that digital practices are evolving quickly as well.

Cyber insurance is focused on covering data theft or loss and network breaches generally.  But the details matter.

Don’t assume that because a company is offering cyber insurance, all of your digital assets are covered.  Though the technical language of the terms and conditions can be intimidating, make sure you understand how it applies to your business’ digital set-up.

4. Brand Reputation Isn’t Covered

For significant data breaches that affect over 500 patients’ records, local healthcare providers are required to alert local media.

As you can imagine, this isn’t something that does a great deal of good for the business’ reputation.

The effect of a data breach on any business’ reputation or brand is a very real cost of the breach.  Cyber insurance does not cover this cost.

5. Becoming a Requirement for Contractors

Many companies are now requiring the companies they do business with to carry cyber insurance.

The Target data breach happened after hackers first gained access to Target’s air conditioning contractor.  The idea behind requiring the contractor to carry insurance is two-fold:

1) the contracting company wants to know there are funds available to cover the significant damage that can occur

2) they want to know the contractor is taking appropriate cybersecurity measures, which insurance coverage generally requires.

6. General Liability Generally Doesn’t Suffice

Commercial general liability policies generally don’t cover cyber incidents.  Review your policy and you’ll probably find an exclusion.

7. You Should Find An Experienced Provider

Cyber insurance has been available since the 1990s.  It hasn’t entered the mainstream of coverage, but it is gaining traction fast now.

That means that as the opportunity in the insurance industry expands, there will be lots of new players (and innovation).

Though cyber insurance sounds like a bleeding edge innovation, you should find somebody with significant experience to insure your business.  They’re out there.

8. How Much Do Policies Cost?

Obviously, the major policies protecting the likes of Target, Home Depot and other public companies cost millions of dollars.

For small businesses, $1 million in coverage can usually start at around $600-$900 annually.  Again, you’ll also need to take into account the cost of implementing cybersecurity best practices, if you are not already.

9. Good Customer Trust Effects

Just as having an SSL certificate or a BBB logo on your website engenders confidence and trust in your business, cyber liability insurance can also make your customers (either business or consumers) more likely to do business with you.

While cyber insurance may not cover the cost to reputation of a breach, it does offer this added value at no additional cost.

If you invest in cyber insurance, strongly consider letting your customers know that in your marketing materials.

10. Premiums Can Fluctuate

Cyber insurance is still not a fully mature market.  The legal and liability landscape is still developing.  The costs of major breaches are still developing.

These variables affect premiums for coverage, which can be quite unsteady relative to other types of business insurance.

11. Premiums Can Be Negotiated

The good news is that since the market is not fully mature and things are somewhat in flux, premiums can sometimes be negotiated, especially if your business is growing and your coverage is expanding.



Cyber insurance, matched with reasonable best practices in cybersecurity, is probably a good idea for most small businesses today.

When you purchase it, go with a provider that is specifically experienced in offering it and make sure you (or somebody at your business) understand the technical language of what will be covered and what your business is required to do to protect itself.