Is cybersecurity insurance really worth it?

  1. Home
  2. Cyber Insurance FAQ
  3. Is cybersecurity insurance really worth it?

ON THIS PAGE

Every executive knows that insurance is essential for all businesses. However, that does not mean all insurance is appropriate or that carrying the very maximum level of protection is actually a good investment. It's up to each business to determine what sorts of risks they face and how much prevention and protection they must have in response. This comprehensive overview is designed to help decision-makers determine whether cybersecurity insurance is really necessary and whether it's worth the cost.

Why do businesses choose cybersecurity insurance?

Cybersecurity is one of the newest types of insurance, largely because it responds to a problem that did not exist 20-30 years ago. As businesses have come to rely on digital technologies to handle everything from the major to the minor they have opened themselves up to cyber threats from far and wide. Initially, these threats may have been annoying, but the consequence and frequency of attacks did not cause alarm.

That is no longer true now that cybercriminals have become very sophisticated and very motivated. The frequency of cybercrime is on the rise as well as the financial consequences. Said differently, more companies than ever are being attacked, and the damage runs deep. Cybersecurity insurance was created in response to this problem. If and when a business is hit by a cyber attack these policies cover costs related to resolving the issue and recovering from the damage. Businesses choose cyber insurance because it's the last line of defense against one of the most common business risks.

Is Cybersecurity a major problem?

Every few months brings news of another major cyber attack. And in-between those high-profile instances there are countless attacks and compromises happening to smaller businesses on a smaller scale. In spite of this, many organizations continue to underestimate the size of the threat or dismiss the likelihood of an attack. That is a major mistake because cybersecurity is one of the most important issues that individual, enterprises, and governments are contending with today. Just consider some illuminating statistics:

  • The average cost of a data breach is $3.6 million source
  • The average cost of a single lost file is $141. source
  • Cybercrime is expected to cost global business $6 trillion by 2021. source
  • More than 4,000 ransomware attacks have happened every day since 2015. source
  • 66 percent of large businesses have experienced a data breach in the past year. source
  • 50 percent of cyber attacks are targeted at small businesses. source

There are a few important insights revealed in these stats. First and foremost, cyber attacks have a deeply damaging impact on the bottom-line and financial consequences that are difficult or even impossible to overcome. Second, the frequency of cybercrime is on the rise, and new attacks are being added to the list of threats Finally, no business is immune, whether because they are big and well protected or small and an unlikely target. Every business is at risk, and the risk is very real.

What does cybersecurity insurance cover?

The details depend on the specifics of your policy. Like all forms of insurance, buyers can choose between basic/inexpensive plans or comprehensive/expensive plans. Some plans package many forms of coverage together while others allow insurance buyers to mix and max protections according to their needs. These are the types of coverage typically offered in cybersecurity insurance policies:

  • Financial liability for exposing information that is supposed to be secure or private. Companies are liable regardless of whether the information is exposed due to accident or negligence.
  • Costs associated with recovering from the incident. This might include notifying consumers, providing customers support, or offering credit monitoring to victims.
  • Costs associated with removing threats from a network and getting data and applications back online. The cost of updating or replacing ruined assets may also be included.
  • Costs associated with business interruption and the extra expenses needed to recover from a breach. Cyber attacks usually have a direct impact on revenue.
  • Financial liability for committing libel or slander or for exposing intellectual property. Cyber risk includes both the likelihood of an attack plus the very real potential that cyber assets are simply used improperly.
  • Costs related to cyber extortion. For instance, if it costs a company $5,000 to pay ransom to hackers some or all of that cost is covered.
  • Costs related to regulatory non-compliance. Fines and fees for mishandling regulated financial or medical information can reach into the seven figures.

Does standard insurance protect against cyber attacks?

In some specialized instances it does, but the types of insurance that most businesses carry does not provide any assistance in the wake of a cyber attack. The reason is that the nature of cybersecurity changes so regularly that insurers do not feel comfortable rolling it into standard liability policies. In fact, insurers are likely to create exclusions in standard policies denying payment for cyber losses.

What are the nuances of cybersecurity insurance policies?

Like most insurance policies, there are many. And since cybersecurity insurance represents an essential form or protection it's important to understand exactly where the gaps and cracks in coverage exist. Here are a few features to focus on to ensure you fully understand the policy protecting you:

  • Coverage limits

    The cost of a cyber attack can balloon unexpectedly, and cyber insurance does not write a blank check. Once the coverage limits are reached companies must shoulder the financial burden on their own. Understanding cyber risk in monetary terms helps to correctly calibrate coverage limits.

  • Unprotected assets

    The landscape of cyber threats is vast and varied. Plus, it's not always easy or possible to determine where, when, why, and how an attack was carried out. As a result, certain assets and types of attacks may not be covered even if a business believes it has 100 percent coverage. No insurer is able to protect against everything, which is why businesses must understand how they are most likely to be attacked and focus coverage accordingly.

  • Terms and definitions

    There is not a universal vernacular when it comes to cybersecurity. That proves to be an issue in some cybersecurity insurance policies because the insurer and the insured have different understandings of the same terms. In some cases, these mistakes are innocent and in others, the insurer is intentionally vague. In any case, companies must understand exactly what is or is not included in coverage in order to accurately assess their level of protection.

  • Third-party liability

    The interconnected nature of IT means that cybersecurity issues that affect suppliers or partners can swim up the food chain. It also means that problems within your own network may spread to others. Third-party liability is a sensitive issue in the cybersecurity insurance community because everyone is inclined to point the finger elsewhere. Understanding whether or not a policy covers you when the attack comes from the side rather than the front or back is essential.

  • Exclusions

    Most insurance policies exclude or invalidate coverage if certain terms or conditions are met. For instance, cybersecurity insurance policies typically do not cover attacks carried out by terrorists or may hold companies responsible when attacks compromise contractual obligations. Similar exclusions may apply if data is collected improperly or in the commission of a crime. Understanding exclusions is important because minor details could compromise coverage completely.

  • Security requirements

    Cybersecurity insurance policies frequently require policyholders to maintain specific levels of protection and maintain baseline levels of data security. If these thresholds are not met it could potentially invalidate a claim. Similarly, auto insurance is usually cheaper for good driver, and cyber insurance is more accessible to companies that take security seriously.

Are insurers paying claims?

Since cybersecurity insurance is relatively new the legal and logistical apparatus around it is still being developed. Thus far there have not been any high-profile fights between a company affected by an attack and an insurer refusing to pay a claim. More positively, there is evidence to suggest that insurers are routinely paying claims.

A study of insurers from 2015 showed that $75.5 million was paid out to settle a total of 160 claims. The total volume of claims that year was much higher, but the study focused on a limited sample size. The average total claim was $673,767, but the average total claim for the largest businesses was $4.8 million. This data suggests that insurers are willing to honor the terms of coverage, even when ambiguous. However, the data also reveals just how expensive an attack really is.

How does a company maximize a cybersecurity insurance claim?

Every insurance company operates a little differently, and the terms of each policy dictate when and how claims are paid out. In spite of that, there are steps that companies can take to boost the size of the claim and expedite the payment:

Consider policy details carefully

There are significant differences between policies, and every company has unique needs in terms of coverage. Taking the time to research and compare various policy options while diving deep into the specifics of coverage and limits helps prevent a claim form being unexpectedly denied.

Perform due diligence

Picking a cybersecurity insurance policy is an involved process, and so is actually signing up for one. Companies are often asked to provide a warranty letter and complete a formal insurance application. Throughout this process, it is always better to be transparent and forthcoming. Disclosing any and all relevant information limits and insurers ability to deny or reduce claims because of minor mistakes.

Offer timely notice

Companies should contact their cybersecurity insurance provider as soon as they suspect they have been victimized. This is true even if an attack falls below the deductible limit or outside the boundaries of coverage. Failing to submit a claim or delaying the process too long invalidates some policies.

Final verdict – Is cybersecurity insurance worth it?

There is no legal requirement to carry cybersecurity insurance, and for some businesses, it may be an extraneous expense. Determining if it's right for your business, however, requires some reflection. It's not enough to say that you're unlikely to be attacked or that you can't afford to carry more insurance. The goal, rather, is to understand how much risk your business is exposed and what impact it has on your future. As you consider whether or not to seek out a cybersecurity insurance policy, ask the following questions:

  • Have you been attacked before?

    If so, it reveals the limits of your current cybersecurity strategy. Consider what that attack cost your business over the long run, and keep in mind that the size of the risk is growing. Whatever you paid before, expect to pay more now.

  • Have your competitors been attacked?

    This information may be difficult to come by, but it's valuable because it reveals whether hackers are focusing on your industry/specialty. When several competitors are targeted it's likely that everyone in the industry is vulnerable.

  • Do you handle sensitive data?

    Keep in mind that this includes more than just credit card numbers and medical records. Intellectual property is also under attack, and even a basic employee files contain valuable information. Any data of any value is potentially at risk.

  • Are you dependent on IT?

    Rather than stealing data, some hackers simply hijack systems and then charge ransom to restore them. If your organization is highly dependent on IT that would mean operations grind to a halt.

  • Do you work with third parties?

    Outsourcing IT or data storage to a third party like a cloud provider does not mean the cybersecurity burden shifts to them. Companies are still held liable for an attack even when a third-party is involved.

  • Can you pay for a recovery?

    The potential cost of an attack has been cited several times throughout this piece. If your company could not suddenly spend four, five, six, or even seven figures to resolve a breach it would throw your finances into chaos.

For the vast majority of companies cybersecurity insurance is money well spent and protection that is long overdue. If there is still any doubt, just consider that by the end of 2018 more than 72 percent of all companies are expected to carry some form of cyber coverage. The majority of companies have decided that cybersecurity insurance is worth it. Explore this site to find the ideal option for your company.