From Colonial Pipeline to Equifax to Kaseya and dozens more, high-profile cyberattacks continue to make the news on a regular basis. But not all data breaches make the news, and a large percentage of cyberattacks target small and medium-sized businesses. Virtually every company of every size has some degree of cyber risk.
If your data is compromised or you lose access to your systems, even for only a few days, the financial consequences can be catastrophic. Studies show that more than half of companies victimized by cyberattacks are out of business within six months. Lost income, a damaged reputation, and even regulatory fines often prove difficult to overcome.
Obviously, the need for good cybersecurity technology and procedures is critical. But in an interconnected world, no computer system is 100% impenetrable. And if the worst happens, you want to be prepared.
Cyber insurance is one way that companies are protecting themselves from the financial risks of increasingly sophisticated cyberattacks. However, there is still a lot of confusion and many misconceptions about the topic. In this blog post, we’ll take a closer look at cyber insurance and try to answer some of those pressing questions.
What Is Cyber Insurance?
In simple terms, cyber insurance (also known as cyber liability insurance) is an insurance plan that allows businesses to cover some of the costs associated with recovering from a data breach, ransomware attack, release of private information, or similar events.
In general, a cyber insurance policy will cover some of the immediate expenses following a cyber incident, including both first-party and third-party costs. Depending on the terms of the policy, this might include things like:
- Lost income from a network outage or other business disruption
- Cost to recover or recreate lost data
- Funds transferred to a fraudster (often posing as a senior executive using a faked email address or phone number)
- Forensic costs to determine the cause and severity of a breach, and contain it
- Extortion payments
- Costs to notify victims of a data breach
- Legal services
- Reputation management services
- Regulatory fines and lawsuits from customers and/or employees who had their personal information compromised
What Does Cyber Insurance Not Cover?
Cyber insurance won’t cover things that are more obviously covered under other more common types of insurance, such as general liability insurance, commercial property insurance, or commercial crime insurance.
Furthermore, while lost income from business interruptions is often covered, loss of future profits following a breach typically isn’t. A cyber insurance policy also won’t cover the cost of upgrading and improving your cybersecurity infrastructure after the attack.
Finally, remember that cyber insurance is still a very new financial product, and for this reason individual policies can vary widely in terms of what they will and won’t cover. Be sure to carefully review the policy limits and exclusions before selecting a policy to ensure it meets your organization’s needs and won’t leave you unprotected at the worst possible time.
Answering Your Cyber Insurance FAQs
Won’t Traditional Insurance Policies Cover Cyber Attacks?
Maybe. But maybe not, or at least not sufficiently.
Many traditional business insurance policies (including general liability, professional liability, crime, commercial property, etc.) do not contain any specific language regarding cybercrime—either to include it or exclude it. This is known as “silent cyber,” and at best it leaves the matter of whether you’re actually covered unclear. You may be put in a position where you either must cover the losses yourself or try to recover them by filing a lawsuit against your insurer.
Even when these insurance plans do mention cyber risks, only certain elements may be covered, or the policy limits may be lacking. It’s also far less likely that you’ll receive the level of technical expertise needed to manage the crisis from a conventional property or crime insurer than you would from a standalone cyber insurance provider.
In short, buying cyber insurance separately can help keep you better protected from cyber risks, and better able to get the kind of rapid response you need, when you need it.
Do I Need Cyber Insurance If I Don’t Handle Sensitive Customer Data?
Cyber insurance coverage should obviously be a priority for any company that handles sensitive customer information, such as email addresses, credit card information, Social Security numbers, health records, etc.
But even if your company doesn’t have access to this type of information, that doesn’t mean you aren’t still a target for cybercriminals. You could still be victimized by ransomware or funds transfer fraud, and you could still lose income from system downtime. A good cyber insurance policy can protect you from situations like this.
Do I Need Cyber Insurance if My Company Is Small?
After reading so many news headlines about major corporations being hacked and extorted for millions, you might be forgiven for thinking that cybercriminals only go after the largest companies. But that’s not at all the case. Small and medium-sized businesses are frequently attacked, too.
Whether they’re operating in the physical world or the virtual world, criminals are looking for easy targets. While a smaller business might not have the funds to pay a multimillion-dollar ransom, it also typically has less robust cybersecurity defenses and may be easier to take hostage.
In short, you are almost never “too small” to be the victim of a cyberattack. According to the 2021 Cyber Readiness Report from specialist insurer Hiscox, nearly one quarter of small businesses suffered at least one cyberattack within a 12-month period.
Do I Need Cyber Insurance If I’m Staying Up to Date with Cybersecurity?
Again, no cybersecurity defense is 100% impenetrable. Even if you use all the latest tools and software, criminal tactics are always evolving. And often, the way criminals ultimately get in comes down to human error (e.g., clicking on a phishing email or being duped into transferring funds to a criminal’s account) rather than vulnerabilities in technology.
If the worst happens, cyber insurance may be able to help with the fallout.
Cyber Insurance Is Not a Replacement for Good Cybersecurity
Having an insurance policy can be a smart way to protect your company against the most severe financial consequences of a cyberattack. But it should never make you complacent about having strong cybersecurity measures in place as a first line of defense.
Most obviously, good cybersecurity can prevent attacks from happening in the first place, or at least can quickly contain the threat and minimize the scale of the damage. Even if you know you’ll be reimbursed for your losses, it’s far better to not incur them in the first place.
Your cyber insurance company may also demand you make certain minimum investments in cybersecurity to be covered, and may deny your claim if it’s determined you haven’t taken adequate steps to protect yourself.
More broadly, companies that simply rely on cyber insurance to reimburse them for the damages following an attack rather than investing in cybersecurity may only encourage future criminal activity by making ransomware attacks even more lucrative.
So, don’t think that your cyber insurance policy is going to save you when you (or your IT provider) haven’t taken the proper steps to secure your network. Cybersecurity and cyber insurance can work together and complement one another, but strong cybersecurity should always be at the foundation of your strategy.
Verdant TCS Can Help You Improve Your Cybersecurity
Again, no insurance product is a good substitute for a sound prevention strategy. You wouldn’t take unnecessary personal risks just because you have health or life insurance, would you?
Verdant TCS helps businesses of all sizes defend themselves from ever-evolving cyber risks, evaluating their current defenses and then designing and implementing elegant and effective security solutions to fill in the gaps. From real-time rating and tracking of your (and your third-party cloud providers’) security posture, to advanced AI-powered ransomware and malware protection, to disaster recovery plans, we work hard to protect your business from threats so you can rest easy and do your job.
Contact us today for questions or further information on how Verdant TCS can help.
Hiscox (May 13, 2021). The Average Annual Cost of Cyber Attacks for a US Small Business is $25k Reveals Hiscox Cyber Readiness Report 2021 [press release]. Retrieved from https://www.hiscox.com/articles/average-annual-cost-cyber-attacks-us-small-business-25k-reveals-hiscox
Palmer, D. (June 28, 2021). Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers. ZDNet. Retrieved from https://www.zdnet.com/article/ransomware-has-become-an-existential-threat-that-means-cyber-insurance-is-about-to-change/