Understanding Cyber Insurance

Key Takeaways:

  • Cyber insurance helps cover costs incurred from a range of cyber incidents. It is typically not included in general liability insurance but is sold as a stand-alone line of coverage.

  • Cyber insurance is for companies of all sizes and especially for businesses that store personal information or support electronic payments.

  • The average cost of cyber insurance is $1,485 per year for $1 million in coverage, with a $10,000 deductible, but premiums are rising with the increase of attacks.

What is cyber insurance?

Cybersecurity insurance is a financial product that helps businesses mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. The coverage from cyber insurance provides protection against a wide range of cyber incident losses that businesses may suffer directly or cause to others. These include costs from data destruction and/or theft, extortion demands, network damage, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations.

Cyber insurance is becoming increasingly important as companies rely more on digital systems and as cyberattacks, ransomware attacks, and data breaches become more prevalent. Many companies manage sensitive data, including credit card information, customer names and addresses, Social Security numbers, or other confidential information. If your company is affected by a cyberattack, you could find yourself dealing with costly lawsuits, data restoration expenses, and regulatory fines.

General liability insurance covers bodily injuries and property damage resulting from your products, services or operations. Traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, leading to the emergence of cybersecurity insurance as a “stand alone” line of coverage.

Here are a few examples of what can be covered in a cyber insurance plan:

  • Breach cost: Covers costs associated with responding to a breach, such as forensic costs to confirm and identify the breach, costs to notify affected individuals, and credit protection services.   

  • Cyber Extortion: Covers costs and financial payments associated with network-based ransom demands.

  • Cyber Crime: Covers financial losses associated with social engineering, reverse social engineering, and funds transfer fraud.  

  • Business Interruption: Covers lost business income when a company has its network-dependent revenue interrupted.  

  • Data Recovery: Covers costs to replace, restore, or repair damaged or destroyed data and software. In a digital world, property is no longer exclusively tangible, so cyber coverage is needed to pay for intangible data recovery costs.   

  • Privacy Protection: Covers costs to defend and resolve claims regarding the handling of personally identifiable or confidential corporate information. Covers violation of privacy or consumer protection law, breach of contract and regulatory investigations. 


Most states require companies to notify customers of a data breach involving personally identifiable information, a process that can be very expensive. And even though most states don’t require companies to offer free credit monitoring following a breach, such a gesture goes a long way with public relations.

Who needs cyber liability insurance?

If your business stores customers’ personal information, then there is a regulatory obligation to keep that data secure, and therefore, a higher price tag for a breach. If your business supports electronic transactions, there are even more regulations and you should definitely consider cyber insurance. Since many businesses fall into these categories and almost all businesses rely on some sort of digital infrastructure for their operations, it’s hard to find a business that doesn’t need cyber insurance.

It's not just large organizations that are susceptible to being hacked or suffering another cyber incident. More than 70 percent of attacks target small businesses. The average cost of a data breach for a small business is $36,000 to $50,000.

How much does cyber insurance cost?

The average cost of cyber insurance in the U.S. in 2020 was $1,485 per year for $1 million in coverage, with a $10,000 deductible; however, premiums have been increasing in 2021 due to a rise in cyberattacks.

Besides the location of your business, a number of other factors can greatly affect the premiums that you pay for cyber insurance. Insurance companies will take into account the nature of your business, the number of sensitive employee and customer records you store, whether your business stores credit card and banking information on your customers, and the types of security defenses your company has undertaken. Additionally, if your company has a history of cyber insurance claims, or if it has been attacked or hacked in the past, your premiums may be higher.

First vs Third Party Insurance

First-party cyber risk insurance covers you against losses that stem directly from a cyber attack. The “first party” is you, the insured.

“Third party” refers to your clients, business partners, vendors, or any other entity affected by a cyber attack on your company. If a customer sues your company due to a loss caused by a data breach, third-party cyber risk insurance could cover legal costs like court fees, lawyer fees, and settlements. If you are a tech or IT company, it's important to understand third-party insurance and make sure you are covered.

Top Cyber Insurance Providers

The industry is responding to the increasing threat businesses face: the number of insurance companies in this market grew 35% from 2016 to 2019. However, the U.S. market continues to see a high level of concentration, with just 10 insurance companies accounting for 70% of cyber policies written.

The top cyber insurance providers are:

Conclusion

A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. 

Many companies forgo available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack. Data shows cyber threats are increasing in frequency and severity, and every CISO should take a harder look at the cost-benefit analysis of cyber insurance.