Between lost business, detection and escalation, notification, and ex-post response, a cyber incident can quickly rack up a hefty bill. In the United States, the average data breach now costs $8.64 million, according to the 2020 “Cost of a Data Breach Report” by the independent research center Ponemon Institute, and recovery can take weeks, with lingering business effects being felt years into the future.
Obtaining comprehensive insurance policies to cover financial expenses related to a data breach is a prudent and wise business move. Policies differ wildly so be sure to obtain one that covers any and all anticipated expenses.
Given how expensive a cyber breach has become, many insurance firms now require that clients demonstrate significant security controls before they will underwrite a policy.
Regardless of how good a policy is, insurance only pays money and does not compensate for lost productivity, time and energy spent recovering, not to mention reputation damage. Like other types of insurance, it’s better to avoid situations that could cause you to make a claim rather than relying on your policy to protect you. Just as you take simple steps to protect your health even if your insurance would cover a hospital stay, you should implement a security program even if your cyber insurance will cover losses associated with an attack.
What Does Cyber Insurance Cover?
Policies vary in their scope, so you should read through the terms and conditions carefully to ensure that the coverage you’re considering meets your needs, goals, and expectations. Most offer a combination of first-party and third-party claims coverage. First-party claims are filed by the policyholder with their insurance provider for covered expenses, while third-party claims are filed by someone other than the policyholder.
The following first-party claims are often included in cyber insurance policies:
- Data Damage, Loss, and/or Restoration: Pays expenses incurred from stolen or damaged data and/or software, including recovery
- Damaged or Destroyed Hardware: Covers costs associated with physical damage to hardware, including repair and replacement
- Business Interruption: Protects from lost income resulting from an inability to continue normal business operations due to a cyber event
- Cyber Extortion: Pays the attacker’s demands in a ransomware attack or distributed denial-of-service incident
- Notification Costs: Pays expenses related to notifying customers in the event of a potential data breach
- Forensic Investigation: Pays for forensic, legal, and technical services to verify whether an attack has occurred, assess the damage, and halt the attack
- Credit Monitoring: Covers the cost of credit monitoring for customers or clients whose personal information may have been accessed
- Litigation: Pays legal expenses if a lawsuit is brought against you as a result of the cyberattack
Cyber insurance frequently covers the following types of third-party claims:
- Security & Privacy Liability: Covers claims of negligence, errors, omissions, and failure to protect private data arising from an attack, breach, or unauthorized access
- Electronic Media Liability: Protects against claims of invasion of privacy, defamation, libel, slander, copyright infringement, and/or domain name infringement resulting from a threat actor publishing sensitive information online
- Regulatory Claims: Safeguards against liability from non-compliance with regulations, statutes, and/or laws related to information privacy
Definitions of these terms may differ between policies. Refer to your documentation to understand your policy’s exact interpretation. Even after reading the fine print, it is often difficult to understand what cyber insurance will and won’t cover, and there’s always a risk of being denied. Implementing a strong security program to avert disaster is best practice so that your business’s survival isn’t at the mercy of an insurance adjuster.
Common Pitfalls of Cyber Insurance
While a cyber insurance policy can help protect your financial interests in the event of a cyberattack, it is not without drawbacks.
- False Sense of Security
With a cyber insurance policy in place, some businesses may become complacent about security, trusting their insurance to kick in should an attack occur. However, insurance providers can deny claims, coverage limits may prevent reimbursement for total losses, and the time, stress, and reputational damage associated with an attack may not be recoverable through money alone. Companies must remain vigilant and maintain a well-developed cybersecurity program regardless of whether they hold cyber insurance.
- Balancing Risk and Expense
Cyber insurance policies vary in their cost, coverage, and limits. Finding the ideal option requires carefully weighing your risks and expenditures. Any business may fall victim to a cyberattack, but many do not have the budget for an expensive policy.
- Sublimits and Deductibles
Even with a comprehensive insurance policy with a high limit, businesses will still likely shoulder significant financial burdens should an attack occur. Sublimits restrict the amount of coverage for a specific loss, so your expenses may not be fully reimbursed. Additionally, your business will be responsible for paying the deductible, which could be millions of dollars depending on your policy.
- What’s Covered
Coverage, terms, and conditions vary dramatically between policies, so the only way to know what you get for your money is by reading the language carefully. However, cyberattacks can have far-reaching ramifications, so you may incur expenses in a non-covered area even if your coverage seems thorough on the surface.
Many loopholes exist that insurance companies can exploit to limit payouts, deny coverage, or discontinue the policy.
One term to be on the lookout for is “similar quality.” If you suffer damaged equipment due to a cyberattack and your policy contains this wording, your provider may insist that it will only cover a replacement of similar quality to that which was damaged. While this is unlikely to be a problem if your equipment is up-to-date, it may be challenging and costly to find qualifying “similar quality” options for outdated technology.
Additionally, war exclusions have become increasingly common. Most policies contain clauses excluding coverage for war-related incidents. With many cyberattacks linked to state actors, an insurance company may deny a claim if there is evidence that the incident was backed by a government.
The risk of rescission may also be cause for concern. If the policyholder accidentally or purposefully omits a material risk on their application, an insurer may attempt to rescind the coverage after a claim is made. Many states have high standards when it comes to permitting rescission, but any attempt to rescind your coverage after an attack may be an additional hassle during an already stressful time.
What Puts Small Businesses at Risk?
Many small business owners mistakenly assume they’re at less risk than major corporations because of their size. However, in 2020, 28% of breaches involved small businesses, according to Verizon’s “2020 Data Breach Investigations Report.” While hacking a small business may not be as profitable as attacking a major corporation, threat actors often target them for one simple reason: ease.
The following factors make small businesses especially vulnerable:
- Less-Sophisticated Prevention and Detection: Since small businesses lack the resources of major corporations, they typically have less advanced IT equipment and cybersecurity tools. They may even lack continuous monitoring, so intrusions can go unnoticed for months, giving threat actors ample time within the environment. This can make it easier for hackers to breach the system with minimal effort.
- Lax Rules: Many small businesses lack strict protocols about the use of company technology. Using a company laptop or cell phone on an unsecured network can be an easy gateway for hackers.
- Unfettered Access for Employees: Employees in small businesses frequently pitch in wherever they’re needed, so they often have full access to all of the company’s data. This increases risks that someone inside the organization could knowingly or inadvertently contribute to a breach.
Since hackers expect small businesses to have fewer defenses in place than major corporations, a continuous security monitoring program can be the secret weapon necessary to catch hackers off guard by detecting and containing threats quickly, slashing how much time they have in the system.
Do My Existing Policies Cover Cyberattacks?
Commercial general liability (CGL) policies typically cover physical damage to hardware, so you may be able to recover some of the losses associated with your equipment. However, these expenses are usually relatively minor compared to those from third-party liability, reputational damage, government fines, and downtime resulting from an attack. Additionally, a CGL policy will not cover ransom demands, which can be substantial, but many cyber insurance policies will. If cyber coverages aren’t specified in your CGL policy, they’re unlikely to be included.
Businesses should also be aware that depending on the scale of the attack and coverage limits, even a comprehensive cyber policy might not pay for all your expenses. Many policies have $1 million limits, which is a drop in the bucket compared to the $8.64 million average cost of a breach in the United States.
While a comprehensive continuous monitoring program can prevent associated expenses by stopping attacks in their tracks, many companies choose to carry both CGL coverage and a cyber policy for additional protection. Insurers can often customize cyber insurance coverage to fill in the gaps of your existing policy and extend your coverage to cyber incidents.
Will My Outsourced IT or Cybersecurity Team Provide This Coverage?
While third-party IT and cybersecurity firms frequently carry cyber coverage to protect themselves, these policies do not cover their clients.
Outsourcing your IT or cybersecurity is not a replacement for a cyber insurance policy, but working with well-qualified experts can decrease your risks in other significant ways. A cybersecurity firm can help you implement policies and programs to prevent, detect, and contain threats before they become major breaches. The most comprehensive services provide hands-on assistance with every step in the process. While some businesses may be concerned about the expense, it is often more affordable to work with outside companies with years of experience than to hire a novice to work in-house.
Why Cyber Insurance Alone Is Not a Solution
While cyber insurance can help minimize the financial damages if an attacker sneaks through your protections, it shouldn’t be used as a substitute for a robust cybersecurity program. A well-rounded cybersecurity program requires a multi-faceted approach that includes strong prevention coupled with continuous monitoring, response, and containment. A comprehensive monitoring program can halt attacks, preventing the pain, suffering, stress, and time involved in recovering from an incident. Cyber insurance is an excellent backup, but a well-rounded program remains the most powerful weapon in your arsenal.
How Can I Reduce My Cyber Liability Risks?
- Train Your Employees on Security Policies & Procedures
- Install Updates as Soon as Possible
- Maintain & Secure Backups to Recover More Easily From an Attack
- Establish & Share Your Data Privacy Policies
- Outsource Your Cybersecurity to Experts
- Invest in Continuous Security Monitoring
Cybersafe Solutions can improve your cybersecurity posture through Security Policy Development, SOL Training, Continuous Security Monitoring, and more. The most advanced continuous monitoring service in the suite of options is Threat 360. This platform provides second-to-none attack detection and containment by scanning your network, cloud, and endpoints 24/7/365. We’ll cover all angles to minimize your liability and reduce your need to rely exclusively on your cyber insurance policy to protect your business.