A Guide to Cyber Insurance for Small and Midsized Companies
Cyber Insurance is becoming increasingly important to cover the skyrocketing cost of security failures and ransomware. Get answers to some of the most frequently asked questions about cyber insurance coverage— and its gaps.
From global brands to local small and midsized businesses (SMBs), everyday brings thousands of new cyber attacks and malicious hacks to organizations of all types. The priority for many IT directors, administrators, and consultants has shifted from preventing cyber attacks completely towards preparing for a swift recovery post-incident and minimizing subsequent damage. Check out the video below for more information.
Cyber insurance is a critical part of keeping a business afloat after a cyber security incident. While some cyber insurance policies have often been criticized for their ambiguity and lack of coverage, businesses can no longer deny the need for it.
The debate around cyber security insurance is evolving when it comes to small to mid-sized companies. It's becoming clear that these businesses are not only more likely to be hit by cyber crime, but also less likely to recover when a security incident occurs. Centre's team of certified experts have put together some answers to frequently asked questions among SMBs surrounding the topic of cyber insurance.
What is Cyber Insurance?
Cyber Insurance is a range of policies businesses can purchase to manage their IT risk and cover their losses in the event of a cyber incident. These insurance policies provide funds to help businesses recover from cyber attacks, significant IT disruption, or natural disasters. With the advancement of bad actors and the rapid frequency in security breaches of all sizes, the potential of experiencing IT security failures (and cost of them) is boosting the popularity of cyber security insurance in particular.
Depending on their operations, customers, and goals, different organizations will need different types of insurance policies and coverage. First-party coverage provides financial assistance to for things like hardware and software repair, while third-party coverage helps cover costs from lawsuits and regulatory fines.
Businesses need to carefully assess what types of policies and coverage work best for them, including insurance limits, in order to choose the option that optimizes costs and liability. Additionally, organizations should consider in their financial planning and disaster recovery plan that not every cyber incident is covered by their insurance. Many insurance brokers have specific rules and conditions that must be met in order to receive insurance benefits after an incident. It's important to thoroughly vet your insurance plan and carrier, so you know exactly what to expect when a security breach occurs.
Do I need Cyber Insurance?
Smaller businesses often wonder about whether they need cyber insurance to protect their business. However, their potential to be the target of cybercrime is extremely high. Even with other types of general liability insurance, we recommend a cyber insurance policy that will ensure you get back up and running if and when a security incident occurs. Check out the video below for more info.
"We can be your 911 team or we can be your preventative measures team."
James Shuler, Director of Strategic Revenue
"My business isn't big enough"
This idea that a small to mid-sized businesses or community organization is less likely to be a target for malicious actors, is far too common. However, we recommend these entities need cyber insurance even more than large corporations with deep pockets and advanced security tools and practices. A reported 43% of cyber attacks target small businesses, with more than a 400% increase in cyber crime on SMBs. Additionally, 60% of small businesses go out of business within six months of a breach.
"My business already has insurance"
The second concern addresses an issue coined as "Silent Cyber," a phrase that represents the ambiguity of general business insurance policies around cyber incidents and cyber crime. While many of these policies don't explicitly exclude cyber incidents, there's often no guarantee that they will cover the losses after a cyber attack—leaving businesses exposed to significant risk. Organizations often need to look for policies and brokers that specifically provide providing benefits and support after falling victim to cyber crime.
"Cyber insurance isn't legitimate or helpful"
The last concern is more about the principle of cyber insurance and the nature of business technology risk. While there are some risks when it comes to IT that insurance providers are avoiding due to their speculative, non-predictable, or incalculable nature, there are many risks that cyber insurance can cover to keep businesses running and minimize their damage.
For example, cyber insurance policies can help cover businesses interruption costs and supply chain partner costs in the event that they are breached or their files are encrypted by malware. Additionally, more and more cyber insurance providers are starting to cover ransoms from ransomware so businesses can get up and running faster.
How much Cyber Insurance coverage do I need?
The second most common question about cyber insurance is how much coverage businesses need to purchase. The answer is not clear and will depend on each organization, especially their industry, budget, and size. Other considerations businesses should keep in mind include an obligation to their customers and suppliers, the cost of downtime, and perhaps even estimated ransom demands from ransomware.
Obligation to customers or suppliers
Many organizations have a legal obligation to provide a product or payment to their clients or vendors. If a business experiences a breach and are not able to provide whatever it is they promised in a service level agreement, or other binding document, they may be facing a lawsuit. Businesses with many obligations to external customers or sources may want to consider purchasing greater insurance to prevent legal escalation.
The cost of downtime
Additionally, many businesses face a loss of productivity in the face of a malicious hack. Their systems and applications may be encrypted by the attackers, or they may face a loss of data which halts productivity. Organizations will want to consider whether 24 hours of downtime means a couple thousand dollars lost in production, or a couple hundred thousand, in order to determine an appropriate coverage for when a security breach happens.
Lastly, we recommend businesses estimate to what capacity they might potentially be breached—and what attackers may do after that. For example, does your businesses carry a lot of consumer data that could be leaked or sold? How much ransom might an attacker demand from your company? These questions are incredibly difficult to answer, especially with precision, but they may help ballpark the amount of IT risk a cyber insurance policy would cover.
How much does it cost?
Cyber insurance works just like a typical insurance policy. Premiums depend on several factors, such as whether the business has been a victim before, what industry the business is in and its valuation or revenue, and the type of coverage being sought.
Additionally, the current IT security posture and hygiene is also used to assess the premiums and type of coverage organizations are eligible to receive. Businesses that have security tools and practices in place, such as employee awareness training, endpoint detection and response tools, as well as an incident response plan may be able to reduce their rates.
AdvisorSmith found that the average cost was $1,485 per year in 2021, with the average cost for Texas businesses around $1,459 per year. Cyber insurance broker Insureon notes that their median cyber insurance is about $140 per month for small businesses. However, as previously mentioned, the actual figure for businesses is highly sensitive to a number of factors.
Premiums are high, but will likely get higher
Although the actual cost varies for each organization, IT security insurance premiums are skyrocketing for businesses of almost all sizes and industries. This is no surprise given the exponential increase in attacks in almost every industry. In 2020, malware increased by over 350% and ransomware by over 400%. Additionally cyber attackers are becoming increasingly sophisticated and streamlining their process with tool-sharing platforms such as Ransomware-as-a-Service (RaaS).
Investing in insurance vs. investing in prevention
The cost of insurance should be carefully compared with the cost of minimizing incidents in the first place. While some types of cyber insurance has a place in every business, the amount of coverage purchased, the limits sought, and the premiums received are all related to the current security posture of the organization. Businesses with a better ability to discover and contain threats before they escalate are likely to spend less on insurance overall.
IT environments with SOCaaS (Security Operations Center-as-a-Service or Security-as-a-Service) and Endpoint Detection and Response (EDR) have the ability to rigorously and automatically identify and mitigate threats before they cause excessive damage. While prices can vary depending on vendor, Centre Technologies offers a competitive rate around $1,000-$2,000 per month on EDR cybersecurity for small to midsize businesses. This saves businesses money in the long run compared to the upfront cost of insurance along with anticipated damages past policy limits.
What does cyber insurance NOT cover
Often, it's easier to look at what's not covered in a policy in order to identify gaps in cyber liability coverage. Different policies and types of coverage will exclude different events or incidents. That said, there are a few cases which span universally across almost all policies.
Undervalued Assets: Like other types of insurance, cyber insurance gives quotes and coverage based on the value of assets your business is trying to protect. This is especially useful in assessing payouts for IT system damage and lost productivity. However, if a business's IT systems and productivity are undervalued during this process, the business will not recover the full value of assets and work lost due to an incident.
Intellectual Property Theft: It is no surprise that malicious actors may commit a data breach for access to, well, data. While this may be consumer data, such as names or contact information, it may very well be trade secrets or ideations for new products, services, or strategies. Most cyber insurance policies will not cover the loss of value associated with this information being leaked and used.
State-Sponsored Attacks: Many insurance brokers keep their policies and conditions ambiguous towards cyber attacks which are state sponsored, terrorist, or “war-like.” Attacks, like that on Colonial Pipeline, which are done by international groups and intelligence agencies, may be excluded from the scope of a policy.
Attacks from a Former or Current Employee: In the event of an attack from a disgruntled employee, many insurance companies may point the blame on the organization, rather than an insurable IT risk.
Revenue or Sales Lost During Downtime: While many policies may cover a loss in production, they do not directly cover any sales or revenue lost during downtime. For example, if a consumer couldn’t make a purchase on a website due to downtime, that loss in revenue would not be covered by most policies.
Easily Preventable Attacks: Many insurance providers will look for ways to withhold benefits and avoid giving a payout. Often, they will see if they can point the blame on the organization for negligence or poor security hygiene. If a cyber attack is deemed easily preventable, it may not receive coverage.
How to fill in the gaps of cyber insurance
Cyber Insurance is a necessary component of any businesses’ risk management, but it's not an end-all solution. From miscalculations of assets and the cost of predicted damage to uncovered incidents, there are many gaps that cyber insurance leaves in comprehensive business protection. Centre’s IT experts stress four major components to compliment cyber insurance for greater resiliency and minimized losses in the event of a cyber incident:
1. Clean Copy of Data
Data is an asset that is most likely to be undervalued and its loss can cause extended periods of downtime and loss of service. Therefore, organizations should therefore have a routine data backup approach to protect their data (and have easy access to it) in the event of an incident. By default, Centre's IT experts recommend the standard best practice of the 3-2-1 model, 3 copies across 2 locations with 1 offsite or locked.
2. Proactive Threat Hunting
Threat detection and remediation tools enable an organization to be less reliant on cyber insurance. When EDR is enabled, businesses may not need to pay as much in premiums and increasing recovery speed - especially if the insurance broker does not cover or undervalues coverage for the incident. Advanced and "always on" threat detection and response technology should be utilized to catch and remediate threats before they inflict damage or jeopardize technology and data beyond return.
3. Visibility into Security Gaps
Comprehensive security assessments and rigorous security scanning detects vulnerabilities in current IT security posture so businesses can build an effective and efficient plan moving forward. Organizations can reduce the cost of security failures if they proactively work towards minimizing vulnerabilities in their environment.
4. Incident Response Plan
Whether your insurance policy withholds benefits or prolongs the recovery process, organizations can minimize damages and get up and running quicker if they have a comprehensive plan for recovery outside of the estimated insurance payout. A successful incident response, or business continuity plan, has many components but includes steps for data recovery, proper IT budgeting, and customer or supplier notification.
Have questions about cyber insurance? Contact Centre Technologies to learn more about cyber insurance and how to ensure that your business is equipped to maintain productivity and efficiency after an incident, picking up where cyber insurance often fails.