The cyber insurance industry is on the fast track, and its policies can cover a fairly wide range of cybersecurity incidents. The National Association of Insurance Commissioners (NAIC) says that the cybersecurity insurance market hit $4.1 billion last year, up 29.1% over the previous year. Additional industry reports are predicting that the cybersecurity market will reach $11.4 billion by the end of 2022 – and is on track to double to $22.3 billion by 2025.
“Last year was a stark reminder that hackers are pivoting — and are succeeding — in deploying new attack strategies,” writes John Farley, managing director of Gallagher, a global insurance consultancy. “There were a wide variety of victims that ranged from global software providers, email platforms, the largest U.S. meat supplier and fuel suppliers that provide nearly half the fuel to the east coast of the U.S. Threat actors have found this vast system of interdependencies to be fertile hunting grounds.”
Organizations with even the smallest cybersecurity teams are now looking at cyber insurance to protect their businesses from cyber-attacks.
Companies should be aware that investing in cyber insurance is not as easy as simply adding a new insurance policy.
What is it?
Cyber insurance, also known as cyber liability insurance or data breach insurance, can help mitigate the costs of cyber-attacks which, as published numerous times here on TLS, are a mostly unforeseen expense that is skyrocketing at an alarming rate. Cyber insurance is not mandated but is becoming a top priority for many organizations that manage their own and client data.
We have seen that just a single cybersecurity attack can wind up costing a business millions of dollars: not only in cold cash via ransomware payments, trashed systems, stolen personal private data and fines, but also in damage to the business’ reputation.
According to reports by IBM, the average cost of a data breach reached $4.35 million in 2022. The logical conclusion is that businesses that do not invest in cyber insurance are putting their entire enterprise at risk. While a cyber insurance policy does not stop a cyber-attack, it can prevent it from completely devastating a business.
Like any other insurance policy, various items may or may not be covered. Much depends on the risk profile of the company seeking insurance. Because cyber security threats are broad and constantly changing, coverage varies widely across the market, and the terms of a policy are largely set by the insurance provider.
What Does Cyber Insurance Include?
- Some network security policies will cover the cost of lawyers, IT forensic services, data restoration, breach notifications and communications, and more when a data breach, malware infection or ransomware incident occurs.
- Privacy liability policies which cover any costs related to a data breach that exposes personally identifiable information (PII), such as lawsuits, compliance violations and reputational risk.
- There are additional network business interruption policies that enable a business to cover costs related to data loss or any financial losses incurred by a disruption in services.
- Errors and omissions policies that are similar to network business interruption policies, covering cyber-attacks that jeopardize a business’s ability to deliver services or meet contractual obligations.
- Media liability policies which cover any losses resulting from allegations of slander, libel, disparagement, or copyright infringement.
However, specific terms and conditions are up to insurance providers, and it is important to note that claims are often disputed: it can be difficult to establish that an incident qualifies as a cyber-attack when it involves sophisticated cybercrime or social engineering schemes that are hard to identify. New techniques are hatched and proliferated on a nearly daily basis, and Human Resource Departments are increasingly targeted because they are seen as lax in educating staff about, and enforcing defenses against, email phishing and social media attacks from inside and outside the organization.
How Do Your Existing Cybersecurity Efforts Affect a Cyber Insurance Policy?
First of all, a business must be approved for coverage. To limit their own exposure, insurance providers often make cyber insurance contingent on a number of specific and requisite cybersecurity measures, such as:
- Making sure an organization has written security policies in place.
- Using multi-factor authentication (MFA) (discussed in a previous TLS article).
- Encrypting data.
Cyber insurance providers can also dictate which cybersecurity tools a business must implement and even the security vendors that the business should use.
The rules required by the cyber insurance provider will surely affect an organization’s cybersecurity efforts. This can create internal friction between cybersecurity teams and the business leaders responsible for purchasing the cyber insurance policy. To meet the insurance requirements, the cybersecurity team must agree with the insurance company’s procedures from the start and be involved in the key decisions that impact the business’s cybersecurity strategy.
Furthermore, the cybersecurity technical team managers need to understand whether the requisite cyber insurance policy weakens or strengthens the business’s existing cybersecurity protection, and communicate that to the upper management who will actually be purchasing the insurance.