Business inherently involves risks. While you may shield your company with a general and/or professional liability policy, many organizations overlook a major exposure: cybersecurity.
Between lost business, detection and escalation, notification, and ex-post response, a cyber incident can quickly rack up a hefty bill. In the United States, the average data breach now costs $8.64 million, according to the 2020 “Cost of a Data Breach Report” by the independent research center Ponemon Institute, and recovery can take weeks, with lingering business effects being felt years into the future.
Obtaining comprehensive insurance policies to cover financial expenses related to a data breach is a prudent and wise business move. Policies differ wildly so be sure to obtain one that covers any and all anticipated expenses.
Given how expensive a cyber breach has become, many insurance firms are now mandating clients demonstrate significant security controls in order to underwrite policies.
Regardless of how good a policy is, insurance only pays money and does not compensate for lost productivity, time and energy spent recovering, not to mention reputation damage. Like other types of insurance, it’s better to avoid situations that could cause you to make a claim rather than relying on your policy to protect you. Just as you take simple steps to protect your health even if your insurance would cover a hospital stay, you should implement a security program even if your cyber insurance will cover losses associated with an attack.
Policies vary in their scope, so you should read through the terms and conditions carefully to ensure that the coverage you’re considering meets your needs, goals, and expectations. Most offer a combination of first-party and third-party claims coverage. First-party claims are filed by the policyholder with their insurance provider for covered expenses, while third-party claims are filed by someone other than the policyholder.
The following first-party claims are often included in cyber insurance policies:
Cyber insurance frequently covers the following types of third-party claims:
Definitions of these terms may differ between policies. Refer to your documentation to understand your policy’s exact interpretation. Even after reading the fine print, it is often difficult to understand what cyber insurance will and won’t cover, and there’s always a risk of being denied. Implementing a strong security program to avert disaster is best practice so that your business’s survival isn’t at the mercy of an insurance adjuster.
While a cyber insurance policy can help protect your financial interests in the event of a cyberattack, it is not without drawbacks.
One term to be on the lookout for is “similar quality.” If you suffer damaged equipment due to a cyberattack and your policy contains this wording, your provider may insist that it will only cover a replacement of similar quality to that which was damaged. While this is unlikely to be a problem if your equipment is up-to-date, it may be challenging and costly to find qualifying “similar quality” options for outdated technology.
Additionally, war exclusions have become increasingly common. Most policies contain clauses excluding coverage for war-related incidents. With many cyberattacks linked to state actors, an insurance company may deny a claim if there is evidence that the incident was backed by a government.
The risk of rescission may also be cause for concern. If the policyholder accidentally or purposefully omits a material risk on their application, an insurer may attempt to rescind the coverage after a claim is made. Many states have high standards when it comes to permitting rescission, but any attempt to rescind your coverage after an attack may be an additional hassle during an already stressful time.
Many small business owners mistakenly assume they’re at less risk than major corporations because of their size. However, in 2020, 28% of breaches involved small businesses, according to Verizon’s “2020 Data Breach Investigations Report.” While hacking a small business may not be as profitable as attacking a major corporation, threat actors often target them for one simple reason: ease.
The following factors make small businesses especially vulnerable:
Since hackers expect small businesses to have fewer defenses in place than major corporations, a continuous security monitoring program can be the secret weapon that catches them off guard: by detecting and containing threats quickly, it slashes how much time they have in the system.
Commercial general liability (CGL) policies typically cover physical damage to hardware, so you may be able to recover some of the losses associated with your equipment. However, these expenses are usually relatively minor compared to those from third-party liability, reputational damage, government fines, and downtime resulting from an attack. Additionally, a CGL policy will not cover ransom demands, which can be substantial, but many cyber insurance policies will. If cyber coverages aren’t specified in your CGL policy, they’re unlikely to be included.
Businesses should also be aware that depending on the scale of the attack and coverage limits, even a comprehensive cyber policy might not pay for all your expenses. Many policies have $1 million limits, which is a drop in the bucket compared to the $8.64 million average cost of a breach in the United States.
While a comprehensive continuous monitoring program can prevent associated expenses by stopping attacks in their tracks, many companies choose to carry both CGL coverage and a cyber policy for additional protection. Insurers can often customize cyber insurance coverage to fill in the gaps of your existing policy and extend your coverage to cyber incidents.
While third-party IT and cybersecurity firms frequently carry cyber coverage to protect themselves, these policies do not cover their clients.
Outsourcing your IT or cybersecurity is not a replacement for a cyber insurance policy, but working with well-qualified experts can decrease your risks in other significant ways. A cybersecurity firm can help you implement policies and programs to prevent, detect, and contain threats before they become major breaches. The most comprehensive services provide hands-on assistance with every step in the process. While some businesses may be concerned about the expense, it is often more affordable to work with outside companies with years of experience than to hire a novice to work in-house.
While cyber insurance can help minimize the financial damages if an attacker sneaks through your protections, it shouldn’t be used as a substitute for a robust cybersecurity program. A well-rounded cybersecurity program requires a multi-faceted approach that includes strong prevention coupled with continuous monitoring, response, and containment. A comprehensive monitoring program can halt attacks, preventing the pain, suffering, stress, and time involved in recovering from an incident. Cyber insurance is an excellent backup, but a well-rounded program remains the most powerful weapon in your arsenal.
Cybersafe Solutions can improve your cybersecurity posture through Security Policy Development, SOL Training, Continuous Security Monitoring, and more. The most advanced continuous monitoring service in the suite of options is Threat 360. This platform provides second-to-none attack detection and containment by scanning your network, cloud, and endpoints 24/7/365. We’ll cover all angles to minimize your liability and reduce your need to rely exclusively on your cyber insurance policy to protect your business.