What Is Cyber Insurance?
Cyber insurance provides coverage against costs. These may be associated with recovery after a data breach or cyberattack. It is somewhat of a new product to the insurance market. But, cyber insurance is rapidly growing in popularity. More and more firms are being attacked. They are forced to deal with the fallout of having their data compromised by hackers. Many companies are making their best efforts to stay abreast of new developments in the world of cyber hacking. Keeping up with the evolving methods of cyber criminals is expensive.
Furthermore, it is impossible. Because of this, an increasing number of businesses are purchasing cyber insurance. This is to protect themselves from cyber security breaches. A recent report from global professional services firm PwC estimated that annual gross written premiums for cyber insurance are likely to grow from around $2.5 billion today to $7.5 billion by the year 2020.
First-party Vs. Third-party Liability
Let's say you begin shopping for cyber insurance. You will notice that insurance providers divide coverage into two categories. These are first-party liability and third-party liability. What is the difference between first-party and third-party liability coverage? How can you know what coverage is needed for your business?
To put it simply, first-party coverage protects you from damages as a result of the actual event. These damages could include things like a loss of business income while your website or e-commerce functionality is out of commission. Loss of computers and assets, theft of data, or the price of an investigation to determine whether a cyberattack has occurred could also be covered.
Below are some common types of first-party coverage available in cyber insurance policies today.
- Business interruption insures against losses from being forced to halt regular business after company data is compromised. It also insures a website being taken down, e-commerce functionality being lost, etc.
- Data loss and restoration/e-theft: Protects against the loss and recovery of information or software that has been accessed in a cyberattack. Data loss coverage sometimes includes unauthorized funds transfers that occur in an attack.
- Damaged or lost equipment: Let's say computers, hardware, assets, or other technological equipment is stolen or harmed by cyber criminals. This coverage pays for its repair or replacement.
- Loss of communication: Communication loss occurs when a cyberattack renders employees and systems unable to correspond with each other or with clients. This coverage sometimes covers the loss of email data.
- Forensic investigation: This insures against the cost of determining whether or not a cyberattack has occurred. It also determines how it can be stopped and assesses the extent of the damage.
- Extortion: Pays for costs associated with cyber criminals threatening to access or disclose sensitive or proprietary data. Extortion coverage sometimes pays for ransom costs. These may include releasing information back to its proper owner or ceasing and desisting damaging cyber activity.
Third-party coverage protects you from the ripple effects of the event. It particularly lawsuits from other businesses that might be filed as a result of a data breach. These damages could be caused by a customer suing your business for losses resulting from sensitive information that was made public. They also could be the cost of notifying clients that their data has been compromised.
In the case of a hack, you may need to hire additional employees to liaise with customers and the general public regarding the attack and subsequent recovery. Many data hacks require governmental involvement. It can be expensive to comply with regulatory follow-up after a breach. All of those expenses would be covered by third-party cyber insurance coverage.
Below are some common types of third-party coverage available in cyber insurance policies today.
- Litigation coverage: Pays expenses associated with legal action taken against your business such as lawsuits, judgments, or settlements.
- Transmission of malicious content/transmission of damage: Covers your business against losses that might result if a virus or malware program is introduced to a customer or partner organization's network.
- Crisis management: Pays for your business to hire a public relations firm or other personnel to manage the optics of a cyberattack and communicate with customers regarding next steps.
- Media liability: Pays your expenses in managing infringement of trademarks or copyright as a result of a hack.
- Notification costs/privacy notification: This is similar to crisis management coverage. It pays the costs of alerting customers in the event of a cyberattack.
- Credit monitoring: Allows you to extend credit monitoring services to clients whose social security numbers or other personally identifying information may have been compromised.
- Regulatory coverage: Protects your business from paying costs associated with complying with required governmental inquiries. This includes forensic investigations. This may also cover fines and penalties levied against your business after a data security loss.
- Privacy liability: Pays for damages that result from a client's proprietary or personal information being accessed by an unauthorized party.
- Defamation or slander: This provides coverage against reputational risks caused by a data breach.
It's likely that many businesses will need some combination of first-party and third-party liability coverage. However, businesses whose core activity is not related to Information technology may not need third-party coverage.
How Much Does Cyber Insurance Cost?
You can likely guess that the cost of cyber insurance will depend on how much coverage you purchase. The size of your business and the types of coverage included in your policy also matter. A report from Investment News discussed Biondo, a company worth around $500 million. It purchased its first cyber insurance policy for an annual premium of $5,100 in 2014. When compared to the size of Biondo's assets, $5,100 is quite affordable. There is such large variance in the price of a cyber insurance premium. Don't ask what a cyber insurance policy would cost. Rather, ask what it would cost to recover from a data breach. Hopefully, your business can recover in the first place.
The Ponemon Institute's 2017 Cost of a Data Breach Study shows the average total cost of a data breach in 2017 is $3.62 million. It is tempting for owners of small businesses to believe that cybercrime is more likely to affect large corporations. However, small firms are particularly unlikely to protect against cyber risk. Thus, they are particularly vulnerable to attacks. The same 2017 Cost of a Data Breach Study found that the average cost per lost or stolen record in a data breach was $141. Consider the costs of cyber insurance. Ask if your business can afford to pay $141 for each record in your client database or each line in your sales ledger.
Finally, a PwC Global Economic Crime Study conducted in 2016 reported that cybercrime is the second most commonly reported economic crime. Also, 32% of organizations surveyed reported they had been affected by cybercrime. With odds like that, cyber insurance is likely worth the cost for most businesses.
How Much Insurance Is Enough?
Unfortunately, there is no simple formula to determine how much cyber insurance a business should buy. It is also hard to determine what types of coverage each business should be sure to include in their policy. However, most experts recommend starting with a risk assessment for your business to discover the gaps in your organization's IT framework.
A cybersecurity risk assessment provides an analysis of potential weaknesses. These may be found in hardware, software, firewalls, and organizational procedures. Furthermore, a risk assessment will help to rule out the particular kinds of risk that may not apply to your business. That way, you can avoid being over-insured.
Let's say an assessment of weaknesses and risks has been completed. The real difficulty lies in assigning a financial value to the potential damage caused by a cyberattack. This can be difficult to do. Several organizations have conducted research on the average financial loss per compromised record for various industries.
Finally, most insurance companies will be able to recommend reasonable amounts of coverage given the type of business being insured. They will also consider the value and amount of data at stake and the level of government compliance required given a business' industry. We recommend gathering several quotes for cyber insurance to see where recommendations overlap. Make sure you are getting smart coverage at a reasonable price.
Who Needs Cyber Insurance?
Perhaps you are wondering if purchasing cyber insurance is absolutely necessary for your business. Many businesses managers feel that they are "a small fish in a big pond." They assume hackers would not have any reason or motivation to attack a relatively insignificant small business. This is dangerously misled thinking.
First, most businesses either have been a victim of a cybersecurity breach or eventually will be. Unfortunately, in some sense, it is just a matter of time. Many businesses may have already lost or exposed crucial information without even knowing it. Second, the cost of a cyberattack is proportionately as large (and sometimes larger) for small businesses than it is for multi-million dollar companies. A 2015 Data Breach Investigations Report published by Verizon introduced a new model for assessing the cost of a cybersecurity breach.
Many costs associated with a data breach are relatively static as compared to variables based on the number of records compromised. The cost per compromised data point actually goes down as the number of stolen records goes up. Thus, small firms are just as vulnerable to attacks as large corporations. Finally, small businesses often lack the sophisticated infrastructure and large organizational assets at the disposal of bigger businesses. With limited resources to protect against cyberattacks, small businesses become an easy target for cybercriminals
In today's digital age, nearly every business has an online presence. Unless your business is keeping its records on pen and paper, it is at a risk for a data security breach. The amount of cyber insurance your business needs is a question of how likely that information is to be compromised. They also consider what the consequences would be. In terms of whether you need cyber insurance at all, an article published by Intuit Quickbooks provides a straightforward assessment. "Anyone that hosts a website that interacts with the public at large is a candidate for cyber liability insurance...If you conduct even a portion of your business online or ask customers to trust you or a third-party vendor with their information, you should seriously consider purchasing cyber insurance."
Company | Records Stolen/Users Affected | Date of Breach | Date of Breach Discovery/Announcement | Compromised Data |
Imgur | 1,700,000 | 2014 | November 23, 2017 | Email addresses and passwords |
Uber | 57,000,000 | Late 2016 | November 21, 2017 | Names, email addresses, and phone numbers |
Maine Foster Care | Not published | September 21, 2017 | November 14, 2017 | Names of foster children and legal guardians, addresses, social security numbers |
Forever 21 | Unknown | March - October 2017 | November 14, 2017 | Point-of-sale devices |
Hyatt | Not published | March - July 2017 | October 12, 2017 | Credit and debit card numbers |
Yahoo! | 3,000,000,000 | 2013 | September 2016 | User account information |
Whole Foods Market | Not published | Not published | September 28, 2017 | Customer payment information; investigation ongoing |
Sonic | Unknown | Unknown | September 26, 2017 | Credit and debit card numbers |
SVR Tracking | 540,642 | September 18, 2017 | September 21, 2017 | Email addresses, passwords, license plate numbers, VINs |
Equifax | 143,000,000 | May - July 2017 | September 7, 2017 | Full names, addresses, dates of |
birth, credit card numbers, social security numbers, driver’s license numbers | ||||
Online Spambot | 711,000,000 | March 2017 | August 30, 2017 | Email addresses, passwords |
Blue Cross Blue Shield/ Anthem | 80,000,000 | 2015 | June 27, 2017 | Names, birth dates, medical ID numbers, social security numbers, mailing addresses, email addresses, employment information and income data |
Deep Root Analytics - Republican National Committee | 198,000,000 | June 2017 | June 20, 2017 | Names, dates of birth, home addresses, phone numbers, and voter registration details |
How To Minimize Your Risk of a Cyber Breach
We stated above that most businesses either have been a victim of a cybersecurity breach or eventually will be. But, that does not mean you are powerless to avoid a cyberattack. There are several things your business can do to minimize your risk of losing important data in a cyber breach.
-
1
Conduct a risk assessment
A risk assessment provides an overview of the cybersecurity risk to your organization. This includes both tangible losses such as software and data as well as intangible losses such as reputational risk or a loss in public confidence. According to the U.S. Department of Commerce's National Institute of Standards and Technology, a risk assessment should include the following steps.
-
2
Identify relevant threat sources
Identify attacks that could be levied by those sources. - Identify vulnerabilities that could be exploited. - Determine the likelihood that the identified threats might be attempted along with the likelihood that they would be successful. - Determine the consequences to organizational operations and assets, individuals, other organizations, and the nation should an attack be successful. - Combine the likelihood of exploitation with the consequences of successful attacks to determine total security risk. Include uncertainties.
-
3
Close as many gaps as possible
Once a risk assessment has been completed, address the points of weaknesses that were identified. You will not be able to mitigate all risk this way. But, you may be able to reduce the likelihood of a cybersecurity incident.
-
4
Make a plan
Create a document of standard procedures to respond to the various risks outlined in your organization's risk assessment. This should involve responsibilities for internal individuals. It includes vendors who will help with forensic investigation, public relations, data recovery, etc. Organizations with a predetermined map for handling security breaches are able to respond both faster and more effectively when a breach occurs.
-
5
Repeat
It is important that you conduct a risk assessment not just once but annually. Doing so allows you to identify new and changing risks as both your business and the cybersecurity world develops. You should also update your organization's response plan regularly. Continue closing security gaps as they are discovered.
Conclusion
The cybersecurity risk to businesses today is likely to continue growing as technology develops. Purchasing cyber insurance can protect your business against the costs associated with recovering from a data breach.
Businesses should complete a risk assessment annually. They should also close any identified security gaps, develop a plan to manage a data breach should it occur, and update it regularly. Completing a risk assessment will allow you to assess the likelihood of a successful cyberattack on your business. You can also find out what the damages would be should one occur. Most businesses need some combination of first-party insurance coverage. This protects you from damages as a result of the actual event. Third-party coverage protects you from the ripple effects of the event.
The cost of cyber insurance for your business will depend on how much coverage you purchase, the size of your business, and the types of coverage included in your policy. However, it is almost guaranteed that the cost will be much less than the cost of a data breach in total.
Many small businesses do not think they need cyber insurance coverage. But, small firms are just as vulnerable to cybersecurity risks as big businesses. They may also experience more difficulty in recovering from an attack than a business with sizeable assets. The risks almost certainly outweigh the financial savings of not being insured. Every business should assess the cybersecurity risks associated with their systems and should consider purchasing cyber insurance.
Sources:
https://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf
http://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2017_Global_CODB_Report_Final.pdf
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf