What is Cyber Insurance?
A cyber insurance policy covers damage to you and/or damage to your clients and vendors from a cyberattack on your business. Although each policy is different, covered costs can include business interruption, data recovery, investigative services, legal fees, and the costs of providing legally required notifications and credit monitoring services to the parties whose data was stolen.
Five years ago, cyber insurance was rarely purchased. At that time, ransomware did around $500 million of damage to the global economy. This year, however, the damage is predicted to be 10 to 20 times higher than that. It is now common for small and midsize businesses to have cyber insurance, and it’s becoming a necessity for a growing number of businesses each year.
Why Do I Need Cyber Insurance?
There are two predominant reasons that SMBs request a cyber insurance policy from their insurer.
The first and most obvious is that cyberattacks are becoming more common, and they are becoming more expensive.
Cyberattacks are less likely than ever to simply lock up your data. Once hackers have access to your data, they examine it to see what they can threaten to leak online if you don’t pay them. They pay special attention to any financial data, personnel information, embarrassing emails and legal correspondence. They also check your books, so they know how much cash you have on hand to pay their ransom.
This has escalated the average payout, which has in turn attracted more workers into the cybercrime industry. Today, most business IT networks of any size can expect to be examined from afar by hackers periodically, and if there’s any low-hanging fruit, it’s likely to be targeted.
The second reason cyber insurance is purchased is that a customer or vendor has a clause in their contract requiring other companies to have a policy in place before they will do business with them.
The last thing you want to hear from a vendor (or customer) is that hackers stole your company’s financial information off their network and may have leaked that information on the Dark Web. You also don’t want to hear that a product or service delivery that you were expecting will be postponed indefinitely because of another company’s data loss or network outage. Both of these are common outcomes of modern cyberattacks, and a company’s cyber insurance policy can protect third parties if either of those things happens.
What Will I Need to Get Cyber Insurance?
A policy with a sizable deductible will require a risk assessment of your security practices. Some insurers may perform their own, while others will rely on an experienced third party to perform the assessment. One example is Digipol and FireEye/Mandiant, whose risk assessments include backup and recovery policies, incident response, penetration testing, audit logs and on-site inspections to determine whether your employees are adhering to your documented security policies.
Cyber insurance providers do this for the same reason that safe drivers get discounts on auto insurance. Companies that invest in network security are less likely to be hacked; even if they are hacked, they are likely to detect it quickly and take action to minimize the damage. Security-conscious companies are more likely to have data backups. Individual employees’ network access is more likely to be limited to required data. Each of these factors reduces the risk of cyber liability and shortens the length of business interruption caused by the attack. The insurer’s payouts will be lower as a result, and these savings are passed on to policyholders in the form of reduced policy costs.
Where Do I Start?
It’s never too early to ask your insurance provider what would be required to get a comprehensive cyber insurance policy in place. If they require a risk assessment, ask for documentation on what they’re looking to see during that assessment.
Even if you don’t pursue a cyber insurance policy, striving to exceed their assessment requirements will reduce the exposure you have to cyberfraud, data theft and extortion. That’s because insurance companies know well what software, processes and infrastructure reduce the risk of a cyberattack – their bottom lines are dependent on getting it right.
Ask your IT team or IT Service Provider how your network stacks up to your insurance company’s standards, and start moving it in the right direction. If you don’t already have one, the day when you’ll want your business to have a cyber insurance policy in place probably isn’t that far off – and when that day comes, you won’t have time to design and stand up an entirely new cybersecurity process.
If you’d like to know more about how our cybersecurity services can help to prepare your business for a cyber insurance risk assessment, call us at 919-460-7011 or email us at Team_WingSwept@WingSwept.com.