Cyber attacks continue to be on the rise. That's why organizations are turning to new safeguards to protect their business, and their wallet, from the expense of a cyber attack.
According to a report published by PurpleSec, 43% of small businesses had at least one cyber attack in the past year. What's more, 44% of those had two to four attacks.
Considering how easy it is to fall prey to a hacker, many organizations are considering cyber insurance to mitigate the cost of a hack.
Business owners are asking us about cyber insurance. Here’s what you need to know:
What Is Cyber Insurance?
Due to the increase in cyber disasters, insurance companies are now offering monthly plans that help cover the expense of a data breach. It’s called “cyber insurance” and it’s gaining popularity in the tech space.
If your organization has been hacked before, you know just how expensive a cyber disaster can be. While some cyber insurance plans are expensive, it could be worth it for some companies that can’t survive this kind of a disaster.
Many business owners are alarmed by the cost of cyber insurance. However, if you’re a low-risk client, an insurance provider may lower your premiums by a substantial amount. Being a low-risk client for an insurance agency means that you’ve got your ducks in a row when it comes to cyber security. This could include having proper cyber policies and procedures in place for cyber events, frequent cyber security training for staff, adequate security software, updated backups, or even a managed services provider for ongoing network maintenance.
What Should A Cyber Insurance Policy Include?
Cyber insurance policies vary by company, and by coverage. Target, for example, wouldn’t purchase the same level of cyber insurance as the small ice cream shop down the street. Similarly, your local ice cream shop doesn’t want to pay the same price that Target is paying. In fact, the small ice cream shop probably doesn’t need cyber insurance at all (more on that later). The price and coverage of a cyber insurance plan largely depends on your specific needs and budget.
A few basic components of a cyber insurance plan can include the following.
Event management costs: This covers expenses related to managing the effects of the cyber disaster, including forensic investigators, public relations, consumer notification, credit monitoring and more.
Electronic asset replacement: This is the cost it takes to restore data back to the point before it was compromised.
Non-physical damage/business interruption: If you lose business because of a total system outage or failure, this component of your cyber insurance plan will cover you.
Reputational risk: This is sometimes referred to as “customer churn.” This can be the loss of customers after your physical systems are restored.
PCI DSS awards: There are compliance standards that indicate that business owners have a contractual obligation to pay card networks, such as Visa or MasterCard, following an actual, or even alleged, breach/loss of card holder information. This component of your cyber insurance plan will cover those fines.
Cyber extortion and reward payments: This helps to pay the ransom in a ransomware event. In extreme cases where a business is under an extortion threat, the insurance plan can cover that as well. Although, we never recommend paying a ransomware thief if you have your backups regularly checked and operable.
Cyber crime: This coverage component protects you in the event that you fall victim to CEO/CFO fraud. This can come in handy for accounting staff members who fall victim to phishing schemes, like if someone wired $20,000 to a hacker pretending to be the head of accounting.
Security and privacy liability coverage: If a breach results in costly legal fees, security and privacy liability coverage will eat those costs for you.
Is Cyber Insurance Right For My Organization?
If your organization stores sensitive data such as credit card information, social security numbers, driver’s license numbers or bank information, you may want to investigate cyber insurance. If your customers’ data is leaked and put into the wrong hands, you could be held liable. With liability comes a slew of checks written out for lawsuits, penalties, fines and more.
Cyber insurance could help substantially reduce the costs incurred from lawsuits, penalties and fines. Cyber insurers can cover legal fees, customer notifications about the data breach, credit monitoring services for those affected, and compromised data recovery costs. Additionally, if malware or a virus caused the incident, cyber insurance may cover that as well.
Organizations that (1) have highly sensitive data, and (2) wouldn’t be able to eat the cost of a data breach and recovery, should investigate cyber insurance. It can be pricey, but at the end of the day, it’s going to be much less expensive than the cost to survive a data breach.
Many business owners have learned the hard way that general liability insurance does not usually cover cyber disasters. General liability insurance treats cyber disasters the same way homeowner’s insurance policies treat flooding – they cover the majority of issues, except for flooding.
Before you run to your local insurance provider to sign up, keep reading.
Why Wouldn’t I Invest In Cyber Insurance?
First thing’s first: you should always have a backup plan for a cyber disaster. We know it’s not a matter of if an organization will be hacked, but a matter of when. You need to prepare your business as if a potential hack could occur at any time, and a cyber insurance policy may be the best way to do that. With that said, there are things you can do outside of insurance that will protect you from major damage to your networks and client database.
Keep your backups up to date. If you are regularly maintaining your backups, you should be able to simply restore data if it falls victim to a hack.
Ensure your security software is up to date. Not only do you need to ensure that your security software has been updated with the latest patches, but also you need to ensure that the right staff members are getting critical notifications. If there’s an incoming threat to your network, it would do you no good to alert Angela from accounting who left your organization three months prior.
Set up the right user permissions. Employees should not have access to software or files that they do not need.
Train your staff on cyber security best practices. The #1 threat to your organization’s network security is you and your staff. Keep your employees up to date on the latest threats and teach them how to identify one. This is one of the easiest and most effective ways to prevent a major attack.
Remember that ice cream shop we talked about earlier? That’s an example of a business that probably doesn’t need to invest in cyber insurance. Of course, every business is different, but it’s highly unlikely that the neighborhood ice cream shop keeps sensitive data on hand. While no small business is immune to a hack, the ice cream shop can probably just follow the steps above and be protected, without putting out the money for cyber insurance,
Regardless of whether you have cyber insurance or not, performing these tasks can help prevent a hacker from crippling your network, costing you millions and compromising your reputation.
Committing to a cyber insurance provider is no easy task. Our team of experts is available to discuss what your business needs and point you in the right direction. The first step? Understand where your network vulnerabilities exist with this network scan.
If you have questions about cyber insurance, contact us here or call us at 410.685.5512.
Editor's note: this article was originally published in 2018. It was updated with new information in 2021.