What is cyber insurance?
A cyber insurance policy is an insurance product designed to protect an organization from the risks associated with using the Internet, as well as storing and electronically processing data. Cyber insurance may also be referred to as cybersecurity insurance, or cyber liability insurance.
The cyber insurance market is rapidly evolving in the wake of accelerated digital transformation and increasingly damaging cyberattacks, such as ransomware. This blog post will provide you with a baseline for understanding today’s typical cyber insurance offerings, how to qualify for a policy, and the factors driving the cybersecurity insurance market.
Why is cyber insurance needed?
Cyber insurance is part of an overall enterprise risk management policy and covers the risks and liability of an organization caused by cyber incidents.
A significant increase in the number of cybercrimes has accompanied the rapid development of digital technologies and the growing complexity of IT infrastructures. Cyberattacks can lead to server shutdowns, loss of trust in the company, and loss of profits, to name just a few ramifications. Data breaches can also lead to significant regulatory fines.
Protection against the risks of cyberattacks and cybercriminals is vital for digital enterprises. Cyber insurance can be a prudent way to manage risk, understanding that not every security risk can be mitigated with technology.
What types of cyber insurance coverage are available?
Insurers may offer standard cyber insurance coverage packages, or allow customers to build an individual one that accounts for the specifics of their business processes. For instance, Data Breach Insurance may cover only the costs arising from the leakage of confidential information. Another example is a Ransomware Supplemental Addendum, which provides coverage specific to the circumstances of ransomware attacks.
Depending on the insurer, you can select all or only specific risks to be covered. A policy may also combine mandatory and optional coverage components.
Cyber risks that can be covered include:
- Risk of loss and distortion of data of the company or its customers
- Risk of software or hardware damage
- Intellectual property theft
- Misuse of computing resources
- Damage to business reputation
- Loss of or damage to products and raw materials
- Risk of theft of money from the company bank accounts
- Risk of theft of credit card data and funds of the customers
Cyber liability insurance can cover the following costs:
- Investigation and diagnosis of cyberattacks
- Cyberattack response activities
- Lost profits
- Restoration of affected computer systems, networks, and data
- Notifying customers of cyberattacks
What risks does cyber insurance not cover?
Cyber liability insurance coverage will vary based on the type of insurance you need, as well as the insurance provider. Regardless, cyber insurance policies do not typically provide coverage for:
- Cyber events or security incidents that occurred prior to the purchase of the policy
- The cost of improving your organization’s security posture, including the cost of new hardware and apps
- Any losses due to unpatched vulnerabilities
- Infrastructure failures caused by external factors other than deliberate cyber events/attacks
- Damage caused by malicious insiders
Comprehensive cyber insurance packages and additional services
As part of the policy contract, some cyber insurers provide clients with free access to the services of firms that specialize in cybersecurity, cybercrime investigations, legal advice, and PR crisis communications.
Some insurance products are based on a service-insurance model. Such a product bundles software solution components, designed to address information security issues and minimize damage in the event of an incident, with the insurance itself. This way, the organization receives not just a policy, but also an information security solution backed by a financial guarantee.
Under the service model, the cost of resource-intensive solutions is spread across several clients, which saves money. At the same time, the insurance component protects against unforeseen expenses in the event of a successful cyberattack.
Key steps when shopping for cyber insurance
Buying cyber insurance is not as simple as choosing a provider and negotiating payment. Buyers must not only ensure they are getting the coverage they need at a price that makes sense, but they must also have security controls in place to obtain coverage in the first place. In recent years, many cyber insurers have closed shop, burned by ransomware payments and costly cyberattacks.
Overall, the cyber insurance industry has seen its margins tighten and losses pile up, causing insurers to become more stringent in qualifying new customers for coverage, as well as in green-lighting renewals for existing customers. Costly cyberattacks have also driven steep cyber insurance rate increases across the industry.
In shopping for and selecting cyber insurance coverage, here are steps to follow:
- Identify your specific cyber risks
- Research different policy options and choose an insurance company
- Choose an expert organization to conduct an infosec audit (typically one accredited by the insurer)
- Audit and assess infosec risks (carried out by the expert organization)
- Define the risks and events that need to be covered
- Discuss and finalize the amount of insurance coverage and the insurance premiums
When evaluating a cyber insurance policy, do not hesitate to ask your insurance broker or agent for more information. They can help you understand the terms of the coverage and answer any questions.
Pay special attention to any exclusions or limitations that might affect your ability to make a claim in the event of a cyberattack or data breach. For instance, if you claim to have a security control in place, but that control is not implemented correctly or completely, that may be grounds for not paying out your claim.
Claims are resolved based on the diagnostic and forensic information collected from the policyholder's systems: logs, screenshots, and other data. If necessary, an independent expert organization may be engaged to help settle insurance claims.
Cyber risks and attack vectors can change over time, so it's essential to review your cyber insurance policy regularly to validate it still meets your needs. This could involve talking to your insurance broker or agent, comparing quotes from other insurers, or updating your coverage to reflect any business changes.
How much does cyber insurance cost?
It is now more challenging to get a cyber insurance policy than before. Insurance companies charge high premiums and have a long list of requirements. This is due to the increased likelihood of cyberattacks and insured events.
In general, small businesses can expect to pay anywhere from a few hundred dollars to a few thousand dollars per year for a basic cyber insurance policy, while larger companies may pay tens of thousands of dollars or more.
The following factors will influence the price of the cyber insurance policy:
- Number and nature of cyber risks
- Sum insured
- Results of risk assessment
- The company's history and the profile of its clients
Qualifying for and fulfilling a cyber insurance policy contract can take a long time. For cyber insurers, the most difficult part may be reliably estimating the value of lost data.
How to reduce cyber insurance costs and get maximum coverage?
Cyber insurers consider organizations with poor security practices as an unwanted, and potentially dangerous, liability to their business model. Improving your cyber defenses will improve your chance of qualifying for cyber insurance coverage, as well as obtaining the best rates. Here are some best practices to improve your likelihood of qualifying for good cyber insurance:
- Inventory all your data assets. Make sure you can audit event and incident logs.
- Identify all devices and software that have access to critical assets.
- Implement privileged access management (PAM) to control, monitor, and audit all privileged access. Cyber insurers appreciate that PAM not only protects against external attacks, but is also one of the most effective defenses against insider threats.
- Use multi-factor authentication.
- Monitor the usage of network protocols, ports, and devices.
- Configure and enforce security protocols on firewalls and routers. Block any unauthorized traffic.
- Use a vulnerability management strategy to prioritize fixing vulnerabilities.
- Regularly update applications and operating systems.
- Perform regular backups, and test that they can be restored.
- Implement sandboxing to block malicious emails.
- Implement threat intelligence systems to detect threat indicators and early signs of attacks. Use modern systems with machine learning and artificial intelligence to expand your monitoring capabilities.
- Train and test employees to keep them up-to-date with new cyber risks. Practice attack scenarios to prepare security teams to respond during an actual attack.
The value of cyber insurance
The presence of a cyber insurance policy indicates that an organization recognizes that, while great cybersecurity defenses will prevent and mitigate most threats, no enterprise is invincible. Purchasing cyber insurance can be part of a judicious enterprise risk management strategy and demonstrates that an organization cares about its risks and the risks of its customers.
Cyber insurers, as well as their customers, are wary of how runaway costs can upend their business. Thus, while cyber insurance is an important instrument for managing risk, organizations must still focus on ensuring they are effectively and responsibly managing cyber risk. This entails implementing the right security controls and employee cyber awareness training.
Alex Vakulov, Guest Blogger
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He writes for numerous security-related publications, sharing his security experience.