Cybersecurity insurance is one of the newest types of insurance, largely because it responds to a problem that did not exist 20-30 years ago. As businesses have come to rely on digital technologies to handle everything from the major to the minor, they have opened themselves up to cyber threats from far and wide. Initially, these threats may have been annoying, but the consequences and frequency of attacks did not cause alarm.
That is no longer true now that cybercriminals have become very sophisticated and very motivated. Both the frequency of cybercrime and its financial consequences are on the rise. Said differently, more companies than ever are being attacked, and the damage runs deep. Cybersecurity insurance was created in response to this problem. If and when a business is hit by a cyber attack, these policies cover costs related to resolving the issue and recovering from the damage. Businesses choose cyber insurance because it’s the last line of defense against one of the most common business risks.
Every executive knows that insurance is essential for all businesses. However, that does not mean all insurance is appropriate or that carrying the very maximum level of protection is actually a good investment. It’s up to each business to determine what sorts of risks they face and how much prevention and protection they must have in response.
This comprehensive overview is designed to help decision-makers determine whether cybersecurity insurance is really necessary and whether it’s worth the cost.
The challenge of pricing comes from the knowledge that cyber incidents can happen once or repeatedly to the same organisation, to one organisation or many, and with or without the organisation knowing about the incident.
One organisation may experience a number of cyber incidents simultaneously, and clarity around what’s actually going on can be hard to find in the fog of incident response.
Accurate pricing of cyber insurance will be an issue that insurers struggle with for the foreseeable future.
It is complicated for both the insurer and the business to first calculate the cost of a policy and then, in the event of a cyber theft, calculate the payout.
Unlicensed software, software not patched in either a timely manner or in accordance with the insured organisation’s patch policy, undocumented systems, inadequate (or missing) audit trails, and non-compliance with any external obligations (e.g. PCI DSS) – any of these could be sufficient grounds for an insurer to deny an obligation to cover costs. Insurers are not charities.
This raises the importance of a customer being very clear about exactly what costs it hopes to insure against and the various scenarios that could result in a loss.
While investing in cyber insurance is an important consideration for small and large businesses alike, it is essential that you understand how much coverage you actually need — and that you’re taking necessary actions to prevent breaches from happening in the first place.
Cyber security best practices, such as encrypting your information, training staff members to identify phishing attempts, installing anti-virus software and regularly auditing your network, can go a long way in preventing a breach. These are also the indicators an insurance provider will look for to determine whether you qualify for coverage.
When determining what type of cyber insurance policy to buy, you should consider how much financial damage a data breach could cause so that you purchase adequate coverage. Insurance providers frequently provide cost estimates to help you determine how much coverage you actually need.
Failing to purchase enough coverage to fully cover your actual risk can lead to disastrous results. Sony Pictures already had a cyber insurance policy in place prior to its massive data breach, but the corporation’s policy limit had been set at $60 million.
At the time, most analysts agreed this was far below the level of coverage that Sony actually needed, and as a result, the company was left financially responsible for millions in damages.
Every few months brings news of another major cyber attack. And in between those high-profile instances there are countless attacks and compromises happening to smaller businesses on a smaller scale. In spite of this, many organizations continue to underestimate the size of the threat or dismiss the likelihood of an attack. That is a major mistake because cybersecurity is one of the most important issues that individuals, enterprises, and governments are contending with today. Just consider some illuminating statistics:
There are a few important insights revealed in these stats. First and foremost, cyber attacks have a deeply damaging impact on the bottom line and financial consequences that are difficult or even impossible to overcome. Second, the frequency of cybercrime is on the rise, and new attacks are being added to the list of threats. Finally, no business is immune, whether because they are big and well protected or small and an unlikely target. Every business is at risk, and the risk is very real.
So before you go too far down the cyber insurance path, have an internal conversation about the basic steps your organisation should be taking to help minimise the risk of a cyber incident.
By taking the aforementioned factors into consideration, you’ll be better able to determine whether or not cyber insurance is a worthwhile investment for your unique situation.
Not every business will need millions of dollars of coverage, and for many individuals who don’t access sensitive data on their home computer, the costs can frequently outweigh the risks.
But in today’s world where even small mom-and-pop businesses are increasingly reliant on digital tools and cloud storage, this is one protective policy that is well worth your consideration.
Regardless of whether you feel cyber insurance is right for your current situation, as you start taking steps to improve your own cyber security practices, you’ll be better positioned to protect your data and financial assets from today’s digital threats.