Part of the responsibility of being a leader in risk management or cybersecurity isn’t just to prevent an attack, it’s to minimize damage and mitigate the extent of an attack if a compromise ends up happening. And that mentality should be adopted by all.
Data breaches are an inevitability, and if you’re solely focused on prevention, you may be in for a rude surprise. In 2021, nearly 50% of all companies suffered a data breach, which was actually a reduction from 2019, where 65% of companies suffered a data breach. With those odds, you’re better off having a plan when a data breach happens.
One way organizations have been able to reduce financial damage is through cyber insurance.
In this article, we’re going to go through what cyber insurance is, whether you need it, and what you can expect from having it.
Cyber Insurance generally covers liability that stems from data breaches and related attacks and can also cover costs associated with forensic analysis, investigations, and other expenses that result from the data breach. While all cyber insurance policies differ, what they cover (and don’t cover) are generally consistent.
Some cyber insurance coverage can also provide financial assistance if you’re providing a service, such as ID theft protection to victims. Cyber insurance is also designed to cover financial losses that can result from specific types of attacks such as Business Email Compromise (BEC) or ransomware attacks. This, alongside coverage for investigation and other related expenses is referred to as first party coverage.
Liability coverage refers to costs associated with any damages levied on a company for failure to properly secure their data or organization. This can come into play if the affected company is sued for leaking customer data, for example.
When shopping for policies, make sure you’re noting what first party and liability coverage you have — ideally you’d have both.
Cyber insurance doesn’t cover any financial damage or losses incurred due to reputational damage. So, for example, if a company’s data breach leads to a material impact on a company’s revenue (or sales), cyber insurance won’t cover it. Cyber insurance also won’t cover any IP loss, so if a company succumbs to an APT attack where trade secrets are stolen, they’re on the hook for all recovery.
State-sponsored or nation-state attacks may be covered, especially if the attack falls within the covered cases listed above. However, there was one instance where a cyber insurance provider did not pay out after a NotPetya ransomware attack. Because NotPetya is a Russian-sponsored hacker group, the insurance company considered the attack an act of war and refused to pay out.
Here are a couple of starting points to consider if you think your organization should consider cyber insurance.
Most companies can benefit from cyber insurance but the decision to get coverage depends on budget and how you’re willing to spend the budget to ready your organization against attacks. Businesses that don’t have many resources to build a security department or devote their resources to bring on helpful vendors or tools may be best served by cyber insurance.
However, companies who have identified a priority to maintain uptime even in the face of an attack may want to leverage their resources to build up their security posture so they can react quickly and swiftly. In this case, while cyber insurance may be able to offset some costs, it won’t help in the actual recovery process, which can be an issue if business interruption is a critical risk.
For most organizations, they’ll likely find themselves somewhere in the middle of the two cases outlined above, making it a cost-benefit decision that requires considering an organization’s needs.
According to AdvisorSmith, the average cost of cyber insurance is around $1,500 a year for a $1M policy (with a 10,000 deductible), which sounds worth it. However, because this is an average figure and the US has way more small businesses than large ones, it skews towards small businesses.
For larger enterprises and corporations, you’ll likely see an increased cost for the following reasons
Unfortunately, because of the huge spike in cyber attacks (particularly ransomware attacks) since COVID, cyber insurance costs and premiums have increased dramatically, around 30%. This makes it even more difficult to ensure that cyber insurance is the right move for most organizations.
We think cyber insurance is best suited for small businesses who don’t have much of an option to invest heavily in their cybersecurity and who can withstand the time it takes to recover from an attack.
For larger organizations who need to be up and running even if they’re hit with an attack, cyber insurance should be considered as part of an overall cybersecurity strategy. If an enterprise just opts for cyber insurance, they’re not properly protecting their organization and we argue that the high cost may be best used in other ways, especially if other actions will bring down the cost of cyber insurance.
The financial support cyber insurance provides can be extremely helpful and should be taken into account as organizations consider the types of tools and vendors they’d like to work with.
To learn how an extended endpoint detection and response tool can provide comprehensive protection and proactive defense for an organization, check out Bitdefender’s XEDR tool.
Don’t miss out on exclusive content and exciting announcements!