A Guide to Cyber Insurance for Small and Midsized Companies

Cyber Insurance is becoming increasingly important to cover the skyrocketing cost of security failures and ransomware. Get answers to some of the most frequently asked questions about cyber insurance coverage— and its gaps. 

From global brands to local small and midsized businesses (SMBs), everyday brings thousands of new cyber attacks and malicious hacks to organizations of all types. The priority for many IT directors, administrators, and consultants has shifted from preventing cyber attacks completely towards preparing for a swift recovery post-incident and minimizing subsequent damage. Check out the video below for more information.

Cyber insurance is a critical part of keeping a business afloat after a cyber security incident.  While some cyber insurance policies have often been criticized for their ambiguity and lack of coverage, businesses can no longer deny the need for it. 

The debate around cyber security insurance is evolving when it comes to small to mid-sized companies. It's becoming clear that these businesses are not only more likely to be hit by cyber crime, but also less likely to recover when a security incident occurs. Centre's team of certified experts have put together some answers to frequently asked questions among SMBs surrounding the topic of cyber insurance. 

What is Cyber Insurance? 

Cyber Insurance is a range of policies businesses can purchase to manage their IT risk and cover their losses in the event of a cyber incident. These insurance policies provide funds to help businesses recover from cyber attacks, significant IT disruption, or natural disasters. With the advancement of bad actors and the rapid frequency in security breaches of all sizes, the potential of experiencing IT security failures (and cost of them) is boosting the popularity of cyber security insurance in particular. 

Depending on their operations, customers, and goals, different organizations will need different types of insurance policies and coverage. First-party coverage provides financial assistance to for things like hardware and software repair, while third-party coverage helps cover costs from lawsuits and regulatory fines. 

Businesses need to carefully assess what types of policies and coverage work best for them, including insurance limits, in order to choose the option that optimizes costs and liability. Additionally, organizations should consider in their financial planning and disaster recovery plan that not every cyber incident is covered by their insurance. Many insurance brokers have specific rules and conditions that must be met in order to receive insurance benefits after an incident.  It's important to thoroughly vet your insurance plan and carrier, so you know exactly what to expect when a security breach occurs.

Do I need Cyber Insurance? 

Smaller businesses often wonder about whether they need cyber insurance to protect their business. However, their potential to be the target of cybercrime is extremely high. Even with other types of general liability insurance, we recommend a cyber insurance policy that will ensure you get back up and running if and when a security incident occurs.  Check out the video below for more info.

"We can be your 911 team or we can be your preventative measures team."

James Shuler, Director of Strategic Revenue

"My business isn't big enough" 

This idea that a small to mid-sized businesses or community organization is less likely to be a target for malicious actors, is far too common. However, we recommend these entities need cyber insurance even more than large corporations with deep pockets and advanced security tools and practices. A reported 43% of cyber attacks target small businesses, with more than a 400% increase in cyber crime on SMBs. Additionally, 60% of small businesses go out of business within six months of a breach. 

"My business already has insurance" 

The second concern addresses an issue coined as "Silent Cyber," a phrase that represents the ambiguity of general business insurance policies around cyber incidents and cyber crime. While many of these policies don't explicitly exclude cyber incidents, there's often no guarantee that they will cover the losses after a cyber attack—leaving businesses exposed to significant risk. Organizations often need to look for policies and brokers that specifically provide providing benefits and support after falling victim to cyber crime.  

"Cyber insurance isn't legitimate or helpful" 

The last concern is more about the principle of cyber insurance and the nature of business technology risk. While there are some risks when it comes to IT that insurance providers are avoiding due to their speculative, non-predictable, or incalculable nature, there are many risks that cyber insurance can cover to keep businesses running and minimize their damage.

For example, cyber insurance policies can help cover businesses interruption costs and supply chain partner costs in the event that they are breached or their files are encrypted by malware. Additionally, more and more cyber insurance providers are starting to cover ransoms from ransomware so businesses can get up and running faster. 

Why Having Cybersecurity Insurance Provides the Best IT Services for Startups

Startup companies are often much easier to hack than major corporations because of their little experience with cybersecurity. They typically allocate their available cash toward business growth, as opposed to data protection. With that in mind, waiting until an attack occurs could cost a startup its entire livelihood. After all, it is more of a challenge to repair consumer confidence when you don’t have the same level of consumer currency as a corporation. Designed to mitigate losses from cyber incidents, cybersecurity insurance covers breaches and restoration costs. Follow along as we think about what IT services for startups should include in order to provide genuine protection.

What should be in my business risk analysis?

Your startup will quickly learn that running a business puts you in line with many types of risks. Upon conducting a business risk analysis, you will be able to better understand what damages you could endure. This includes loss of earnings and productivity. Considering this, you will also be equipped to know what security software and services you need to invest in to protect your startup from these damages.

By outsourcing IT services specifically meant for startups, IT experts can thoroughly examine your issues, launch a response plan quickly, and inform those affected. Here are some of the biggest things that startups need to consider.

• Data breaches:
  Often a result of employee negligence, data breaches that steal your business information are expensive to deal with. You would have to pay for the costs of data recovery, regulatory fines, and lawsuits. Plus, you risk never gaining back customer trust.
• DDoS attacks:
  This type of attack utilizes multiple compromised computer systems to push a traffic jam. They can be identified through the use of analytics tools. These locate suspicious traffic patterns that are originating from a single IP address.
• Compliance regulations:
  Not following legal frameworks for data storage and transmission will cause many issues for your startup. Make sure that you are implementing the measures required by the PCI Security Standards Council.
• Insider threats:
  If your employees don’t know the necessary protection practices, they are likely to be a weak link in your cybersecurity strategy. Your startup needs to implement awareness training. That way, employees know how to recognize social engineering attacks and how to respond to them.

Does my startup need cybersecurity insurance?

According to a press release in 2017 by the Committee on Small Business, 60% of all targeted cyber attacks were experienced by small and medium businesses. This resulted in costly implications, with 60% of them losing their businesses in the following six months. By not having the proper cybersecurity measures in place, you may end up as part of that statistic.

With cybersecurity insurance, your startup receives the coverage it needs in the case of an incident. The policy is typically split into first-party and third-party coverage. As a risk-transference tool, you have protection for your business related to breaches, as well as losses that your clients suffer. Cybersecurity insurance comes in handy when you maintain a digital database of personal information and rely heavily on technology for your operations. When deciding on your provider, keep in mind the IT services your startuprequires on a daily basis.

How much Cyber Insurance coverage do I need?  

The second most common question about cyber insurance is how much coverage businesses need to purchase. The answer is not clear and will depend on each organization, especially their industry, budget, and size. Other considerations businesses should keep in mind include an obligation to their customers and suppliers, the cost of downtime, and perhaps even estimated ransom demands from ransomware.  

Obligation to customers or suppliers 

Many organizations have a legal obligation to provide a product or payment to their clients or vendors. If a business experiences a breach and are not able to provide whatever it is they promised in a service level agreement, or other binding document, they may be facing a lawsuit. Businesses with many obligations to external customers or sources may want to consider purchasing greater insurance to prevent legal escalation.  

The cost of downtime

Additionally, many businesses face a loss of productivity in the face of a malicious hack. Their systems and applications may be encrypted by the attackers, or they may face a loss of data which halts productivity. Organizations will want to consider whether 24 hours of downtime means a couple thousand dollars lost in production, or a couple hundred thousand, in order to determine an appropriate coverage for when a security breach happens.  

Predicted damages

Lastly, we recommend businesses estimate to what capacity they might potentially be breached—and what attackers may do after that. For example, does your businesses carry a lot of consumer data that could be leaked or sold? How much ransom might an attacker demand from your company? These questions are incredibly difficult to answer, especially with precision, but they may help ballpark the amount of IT risk a cyber insurance policy would cover. 

How much does it cost?  

Cyber insurance works just like a typical insurance policy. Premiums depend on several factors, such as whether the business has been a victim before, what industry the business is in and its valuation or revenue, and the type of coverage being sought.

Additionally, the current IT security posture and hygiene is also used to assess the premiums and type of coverage organizations are eligible to receive. Businesses that have security tools and practices in place, such as employee awareness training, endpoint detection and response tools, as well as an incident response plan may be able to reduce their rates.  

AdvisorSmith found that the average cost was $1,485 per year in 2021, with the average cost for Texas businesses around $1,459 per year. Cyber insurance broker Insureon notes that their median cyber insurance is about $140 per month for small businesses. However, as previously mentioned, the actual figure for businesses is highly sensitive to a number of factors. 

Premiums are high, but will likely get higher

Although the actual cost varies for each organization, IT security insurance premiums are skyrocketing for businesses of almost all sizes and industries. This is no surprise given the exponential increase in attacks in almost every industry. In 2020, malware increased by over 350% and ransomware by over 400%. Additionally cyber attackers are becoming increasingly sophisticated and streamlining their process with tool-sharing platforms such as Ransomware-as-a-Service (RaaS). 

Investing in insurance vs. investing in prevention

The cost of insurance should be carefully compared with the cost of minimizing incidents in the first place. While some types of cyber insurance has a place in every business, the amount of coverage purchased, the limits sought, and the premiums received are all related to the current security posture of the organization. Businesses with a better ability to discover and contain threats before they escalate are likely to spend less on insurance overall.

IT environments with SOCaaS (Security Operations Center-as-a-Service or Security-as-a-Service) and Endpoint Detection and Response (EDR) have the ability to rigorously and automatically identify and mitigate threats before they cause excessive damage. While prices can vary depending on vendor, Centre Technologies offers a competitive rate around $1,000-$2,000 per month on EDR cybersecurity for small to midsize businesses. This saves businesses money in the long run compared to the upfront cost of insurance along with anticipated damages past policy limits.

Why does cybersecurity insurance pay for PR and legal services?

You have reported a data breach. Now, you have to figure out what to tell the individuals who were affected. In a study by AdvisorSmith, it was found that the United States is the most frequent target for cyberattacks, costing small businesses approximately $36,000 to recover. Cybersecurity insurance covers your startup when it comes to managing the situation, from the investigatory costs to the regulatory fines. You may even face third-party class action lawsuits, which could mean huge payouts, regardless of how small your startup is.

Knowing that your IT services are doing everything that they should be doing from the get-go is important for your reputation. With credit monitoring and computer forensics, for instance, your IT team is capable of protecting potential victims. However, cybersecurity insurance directs your attention toward the legal requirements involved in a data breach experience. If the breach involves Electronic Health Records (EHRs) and you are covered by the Health Breach Notification Rule, your legal team must notify the Federal Trade Commission. Should Social Security numbers have been stolen, the team will need to contact the major credit bureaus.

What does cyber insurance NOT cover  

Often, it's easier to look at what's not covered in a policy in order to identify gaps in cyber liability coverage. Different policies and types of coverage will exclude different events or incidents. That said, there are a few cases which span universally across almost all policies.  

Undervalued Assets:  Like other types of insurance, cyber insurance gives quotes and coverage based on the value of assets your business is trying to protect. This is especially useful in assessing payouts for IT system damage and lost productivity. However, if a business's IT systems and productivity are undervalued during this process, the business will not recover the full value of assets and work lost due to an incident. 

Intellectual Property Theft: It is no surprise that malicious actors may commit a data breach for access to, well, data. While this may be consumer data, such as names or contact information, it may very well be trade secrets or ideations for new products, services, or strategies. Most cyber insurance policies will not cover the loss of value associated with this information being leaked and used.  

State-Sponsored Attacks: Many insurance brokers keep their policies and conditions ambiguous towards cyber attacks which are state sponsored, terrorist, or “war-like.” Attacks, like that on Colonial Pipeline, which are done by international groups and intelligence agencies, may be excluded from the scope of a policy.  

Attacks from a Former or Current Employee: In the event of an attack from a disgruntled employee, many insurance companies may point the blame on the organization, rather than an insurable IT risk.   

Revenue or Sales Lost During Downtime: While many policies may cover a loss in production, they do not directly cover any sales or revenue lost during downtime. For example, if a consumer couldn’t make a purchase on a website due to downtime, that loss in revenue would not be covered by most policies.  

Easily Preventable Attacks: Many insurance providers will look for ways to withhold benefits and avoid giving a payout. Often, they will see if they can point the blame on the organization for negligence or poor security hygiene. If a cyber attack is deemed easily preventable, it may not receive coverage. 

How to fill in the gaps of cyber insurance

Cyber Insurance is a necessary component of any businesses’ risk management, but it's not an end-all solution. From miscalculations of assets and the cost of predicted damage to uncovered incidents, there are many gaps that cyber insurance leaves in comprehensive business protection. Centre’s IT experts stress four major components to compliment cyber insurance for greater resiliency and minimized losses in the event of a cyber incident:  

1. Clean Copy of Data  

Data is an asset that is most likely to be undervalued and its loss can cause extended periods of downtime and loss of service. Therefore, organizations should therefore have a routine data backup approach to protect their data (and have easy access to it) in the event of an incident. By default, Centre's IT experts recommend the standard best practice of the 3-2-1 model, 3 copies across 2 locations with 1 offsite or locked. 

2. Proactive Threat Hunting  

Threat detection and remediation tools enable an organization to be less reliant on cyber insurance. When EDR is enabled, businesses may not need to pay as much in premiums and increasing recovery speed - especially if the insurance broker does not cover or undervalues coverage for the incident. Advanced and "always on" threat detection and response technology should be utilized to catch and remediate threats before they inflict damage or jeopardize technology and data beyond return. 

3. Visibility into Security Gaps  

Comprehensive security assessments and rigorous security scanning detects vulnerabilities in current IT security posture so businesses can build an effective and efficient plan moving forward. Organizations can reduce the cost of security failures if they proactively work towards minimizing vulnerabilities in their environment. 

4. Incident Response Plan   

Whether your insurance policy withholds benefits or prolongs the recovery process, organizations can minimize damages and get up and running quicker if they have a comprehensive plan for recovery outside of the estimated insurance payout. A successful incident response, or business continuity plan, has many components but includes steps for data recovery, proper IT budgeting, and customer or supplier notification. 

What does a computer security incident response team handle?

Computer security incident response team (CSIRT) goals are to regain control and minimize damage caused by cyber incidents. These IT professionals will be able to deliver you an effective security management strategy. In the framework laid out by the National Institute of Standards and Technology, there are five phases. They consist of identification, protection, detection, response, and recovery.

CSIRTs carry out their mission by delivering IT services for startups. This includes both on-site and off-site support. They take on the responsibilities of updating incident response plans, communicating and coordinating information, and recommending changes to prevent future attacks. In regard to their technical skills, they must know intruder techniques, how to encrypt data, and how to maintain incident records and reports. For their non-technical skills, with their work being service-based, they should be comfortable collaborating and providing analytical reasoning.

How do IT services for Local Businesses create a culture of security?

Working with IT professionals who are knowledgeable about the special experiences of startups gives you a leg up on your competition. Your team is able to be proactive with both cybersecurity and physical security, thanks to having the right tools. Employees should know how to take caution with their devices. On the alternate side, leaders should know how to effectively guide them to that point.

IT services for startups provide insight into hacking trends, system updates, and data access restrictions. Instead of attempting to build in-house skillsets surrounding security, teach what is necessary and use experts for full protection. While nothing is foolproof when it comes to cyberattacks, your startup will only succeed if you are consistently testing and examining security policies. Know how you will react to a data breach and utilize cybersecurity insurance by refining those policies as your business expands, keeping your employees up to date with any changes.

Have questions about cyber insurance? Contact Centre Technologies to learn more about cyber insurance and how to ensure that your business is equipped to maintain productivity and efficiency after an incident, picking up where cyber insurance often fails.