Cyber insurance is a necessary component of any IT or cybersecurity department responsible for protecting the assets, data, reputation, and bottom line of a company in the face of cybersecurity threats. While prevention is an important aspect, there’s no tool, solution, or strategy that’s 100% guaranteed to prevent a company from succumbing to a potential attack.
Given this very real risk, an organization can choose to purchase cyber insurance, which can come in and alleviate some of the consequences stemming from a compromise. In this article, we’ll go over what cyber insurance is, how you can use it, and how to adopt the policy that’s right for your organization.
Who is Cyber Insurance For and Why You Need It
Cyber risk insurance, also known as cyber liability insurance coverage (CLIC), is designed to help organizations offset some of the costs associated with cybersecurity in the case of an incident or breach.
Nearly any organization can benefit from some kind of cyber insurance policy, especially those with a smaller cybersecurity department or budget that may struggle to find resources in face of an attack. As of 2020, The cost of an average data breach was 3.86M and organizations inevitably will suffer a data breach in their lifetime.
Having the financial costs already taken care of, or ensuring that components aren’t a major part of the recovery process can be essential. It will also let you focus on your incident response and recovery strategy, helping to get back to business as usual as soon as possible.
What to Expect with Cyber Insurance Coverage
Just like with any insurance, what’s covered depends on the policy you purchase. However, here’s what you can expect from most cyber insurance coverage.
Costs incurred due to the incident/compromise
There are several potential consequences that can result from a security incident. If an organization gets hit with a ransomware attack, it may have to pay the ransom before being able to access their files.
A DDoS attack may bring a company’s website or servers down, costing it money while it’s down or potentially failing to fulfill its contract with its customers, further affecting the bottom line. Under Errors and Omissions (E&O) coverage, these costs are covered.
Costs associated with communication
A breach, incident, or exposure often requires a company to set up a communication strategy for the media, the company’s employees, its customers, and any third parties that may be affected.
Depending on the severity of the attack, they may also have to set up call and support centers depending on the extent of the incident. Cyber insurance can cover costs associated with communication and notification resulting from a security incident.
Costs associated with legal fines, lawsuits, and settlements
Any security incident or compromise often requires a business to incur additional legal costs associated with any regulatory issues, investigations, class action lawsuits, fines, and settlements.
Even bringing in a third-party forensic investigator or working with an organization to provide identity theft monitoring and restoration requires some legal services, which may be covered.
Costs related to response and recovery
Any security incident or compromise requires incident response and recovery. Depending on your security department’s makeup, you may have to bring in a third party or partner to understand what kind of data was compromised, how to recover, and how to prevent a similar attack in the future.
The case is the same if you need to bring in a forensic investigative team or need to pay for any compliance/regulation enforced independent investigator. These costs are often covered by cyber insurance.
What Cyber Insurance Doesn’t Cover
While every policy is different, cyber insurance doesn’t cover the following.
- Costs associated with potential future lost profits whether due to an Advanced Persistent Threat (APT) or long-term effects of an incident
- Costs or loss of value associated with IP theft
- Any costs incurred by the organization to improve and upgrade your systems and organization’s security after an incident.
These are commonly not covered by cyber insurance so it’s important to know that you can’t rely on cyber insurance if any of these cases pertain to your organization.
Four Questions to Ask when Buying Cyber Insurance
The more your policy covers, the better. As you look for the right cyber insurance, consider the following:
- Does cyber insurance cover social engineering attacks?
Social engineering is one of the most common cybersecurity attacks but not every cyber insurance provider covers it. As you prioritize what’s important to you, this should be at the top of your list.
- Are costs related to reputational damage covered?
One of the side-effects of a company being breached, especially if it’s a high-profile or consequential breach, is the reputational damage. This can affect how much revenue a company collects from current and future companies but, depending on the policy, it may not be covered.
- Are third-party incidents and incidental damage covered?
In cases of data breaches resulting from third-party breaches or any damage or costs incurred from data breaches where you’re not the direct target or victim may not always be covered. However, this is important as many devastating compromises may come via third parties.
- Are Advanced Persistent Threats (APT) covered?
By definition, advanced persistent threats refer to attackers that lurk within an organization’s system or network, either exfiltrating data or waiting for the right moment to strike. Because there’s usually a long time between the actual incident and the detection of an APT, cyber insurance may not always cover costs associated with it.
What Factors Affect the Cost of Cyber Insurance?
The cost of cyber insurance varies wildly depending on a number of factors.
Industries that are most commonly targeted by hackers and criminal organizations, such as healthcare and finance, are likely to see higher prices for cyber insurance.
The larger the size of an organization, the bigger the risk that it will get compromised. This also requires a wider scope of coverage, which will likely lead to higher premiums.
This one is pretty straightforward. A $500,000 cyber insurance policy will cost less than a $1,000,000 insurance policy. But it’s up to you to weigh the risks and costs associated with each policy and understand what’s best for your department’s budget.
Type of coverage
This refers to the considerations listed above. If you want cyber insurance to cover all kinds of incidents and costs, you’re likely to pay a higher premium.
Similar to the case with industry, the regulatory or compliance requirements your company needs to account for may also lead to higher cyber insurance premiums.
This is similar to company size but also accounts for how many offices a company might have and, among other things, how many geographical regions it’s based out of. Essentially, the more attack vectors an organization has, the more cyber insurance may cost.
Why is Cyber Insurance Worth Considering?
As we mentioned before, cyber insurance can be incredibly helpful to an organization that just doesn’t have the resources to deal with all the costs associated with a security incident. No security department or leader should think that their organization won’t suffer a compromise.
Instead, think through the different scenarios of a security compromise. If you had a cyber insurance policy, how much would the coverage help? Going through scenarios will help you understand how helpful cyber insurance may be and what kind of policy you should look for.
To have a better sense of how your assets are protected and to give yourself the best chance of reducing the damage caused by security compromise, check out Varonis DatAlert and DatAdvantage solutions.