What Businesses Need to Know About Cybersecurity Insurance
As ransomware attacks become more prevalent, a growing number of companies consider cybersecurity insurance to stay protected.
With ransomware attacks growing both in frequency and sophistication, more businesses — from food trucks to Fortune 500 companies — are purchasing insurance plans to help mitigate potential losses in the event of a breach.
A recent global study shows 60 percent of businesses were victims of a ransomware attack last year, as bad actors appeared to take advantage of lax security controls in the remote work era. Downtime before recovery also doubled over the previous year.
Enter cybersecurity insurance, also known as cyber liability insurance or cyber insurance. The market has grown substantially over the past decade, and more companies are buying in than ever before, research shows.
A decade ago, cybersecurity insurance was more of a luxury. Early adopters tended to be concentrated in the retail, finance and healthcare industries, which harbor a lot of personally identifiable information and were susceptible to data breaches.
But now, cybersecurity threats have become more frequent. Malicious actors not only demand ransom in exchange for decryption but threaten to sell or leak the data if the ransom is not paid, according to the Cybersecurity and Infrastructure Security Agency (CISA).
Companies of all sizes across industries can be targets. Meghan Hannes, cyber and technology errors and omissions product head at Hiscox USA, a company specializing in insurance for small businesses, says she was once asked if a taco stand needed cybersecurity insurance.
“I said, ‘Well, does your business operate on a solely cash basis? The answer is probably not. If you have any reliance at all on some sort of electronic system, then you are exposed to the harms that ransomware can cause your business.’”
Outside of extortion events, there are other data breaches, such as employee errors or accidental data disclosures, that can expose customers’ data. While they may not be at the hands of bad actors, these are still events that businesses need to protect themselves against.
Specific insurance plans vary by carrier. Companies can choose to get cybersecurity insurance as a stand-alone policy or have it included in a package with other types of insurance coverage.
Hannes says that generally, cyber insurers will cover third-party liability in the event of a lawsuit, as well as the costs to recover from a cybersecurity incident. The financial impact of a hack or data breach could be “crippling,” especially for small and midsized businesses, says Tim Francis, enterprise cyber lead at Travelers, which has one of the largest market shares in this space.
“It may essentially cause the company to close its doors. It doesn’t usually get that severe, but it certainly could,” he says. Francis adds that this can especially be the case when ransomware is involved, with even small companies receiving multimillion-dollar demands.
If companies are forced to pay the ransom, cybersecurity insurance can help with reimbursement. But that’s often only a fraction of the total cost of losses, Francis says. There are also income losses incurred during downtime and costs for repairs to systems.
“The forensics costs, the notification costs, the data restoration to try to bring back what was compromised — all of that adds up pretty quick,” he says.
Cybersecurity insurers can also help connect companies to experts in the field to help them through an attack or breach, including incident response teams that can help get systems back online. Insurance companies may also send in breach coaches that provide legal counsel to the customer and other services many companies don’t have in-house.
Francis says that this is where cyber insurance is different from other types of insurance.
“We’re involved immediately,” he says. “If we’re talking about property insurance and a building is on fire, the first call is not the insurance company. Call the fire department, right? Put the fire out. In the context of cyber, the insurer — the carrier — can, in essence, be the equivalent of the fire department.”
Cyber insurers also have a role to play in educating businesses on cybersecurity best practices.
At Hiscox, Hannes says, the “community” that consumers get when they purchase a cybersecurity insurance policy includes not only post-breach response services, such as incident response and breach coach teams, but also an array of educational materials and employee training on how to spot potential cybercrime activities.
When cybersecurity insurance first came on the scene, companies saw it as an opportunity to cross-sell products, offering expanded coverage at decreased rates as they tried to gain market share. However, they often did so without a lot of expertise in the area, says Mario Paez, national cyber leader at Marsh McLennan Agency, a risk management firm and insurance broker.
“If you simply had your name, office location and your web address, you could get a quote,” he says. Now — and especially over the past 18 months as the market is hardening — insurers will require supplemental forms to help get a clearer picture of a company’s security posture, and policies come with prerequisites.
“One example is multifactor authentication. If you do not have that implemented within your IT environment, it could preclude you from getting coverage,” Paez says.
His agency recently put out a list of 10 minimum security control requirements that insurers often look for. These include a current and tested incident response plan, an updated patch management program, air-gapped and encrypted backups, and employee awareness and phishing simulations, among others.
By instituting these requirements and promoting these self-protection measures for companies, cybersecurity insurers can reduce the overall number of successful cyberattacks, CISA contends.
When it comes to shopping for a cybersecurity insurance company and policy, many businesses hire a broker to aid in the process.
If businesses go that route, Francis says it’s important to hire a broker or agency that’s knowledgeable in cybersecurity insurance that can also help businesses understand their exposures and risk tolerance. Key things to look for are longevity in the field, expertise and customer satisfaction ratings, and industry ratings, such as AM Best’s, experts say.
It’s also important to know what’s included in a policy. “The financial stuff that insurance provides is critically important, but it’s got to be interconnected with the access to deep, knowledgeable claims expertise so you can bring in the forensic providers, the breach coaches, the data restoration specialists, etc.,” Francis says. “And it ought to have a healthy amount of risk management services available to customers so that it can avoid these events in the first place.”
Evropis 17, Pilea PO 55535, Thessaloniki
Τ. (+30)2310 277 077
M. (+30) 6945 587 887
Zalokosta 44, Chalandri
Τ. (+30) 2316 019 734
M. (+30) 6948 053 377
Member of HIBA - Hellenic Insurance Brokers's AssociationΠολιτική ασφάλειας πληροφοριών