Research from leading cyber insurer Beazley reveals 28% of business leaders rank cybersecurity as their leading risk management concern, but that number is falling steadily. The cyber insurance corporation notes that the drop may reflect a growing trend toward complacency.
Statistics on the severity and cost of cyber attacks would seem to counter that overconfidence.
- There’s been a 435% increase in ransomware attacks since 2020.
- Globally, $4.35M is the average total cost of a data breach.
- 50% of SMBs don’t have a cybersecurity plan in place.
These statistics help explain the growing buzz about cyber security insurance. However, cyber insurance can be complicated, making it frustrating to compare plans and prepare to apply for coverage.
Let’s discuss the elements of a cyber insurance policy first, then walk through improving your company’s chances of securing insurance coverage by using a cyber insurance coverage checklist.
What’s Covered by Common Cyber Insurance Policies
There are three common elements within a cyber insurance policy: first-party coverage, third-party liability, and crime insurance.
While businesses in certain industries that work with highly sensitive data, retain customer credit card numbers, or store personally identifiable information (PII) may need custom coverage, most businesses can use a standard policy. Cyber insurance is similar to car or house insurance in that it covers both damage to your property or business as well as damage you may cause to another person’s property or business.
First-party coverage addresses the cost to a company directly impacted by a cybersecurity incident. That coverage should deal with costs incurred:
- To manage data loss
- With any business interruption
- For ransom payments
First-party coverage typically also covers the financial impact of digital theft or hacking, and both the deliberate and unintentional denial of service.
Third-party coverage, also called cyber liability insurance, focuses on third-party liability and certain penalties, fees and other costs stemming from damage to other companies or individuals.
Crime business insurance can be included in coverage to specifically deal with costs and other fallout from invoice manipulation, social engineering fraud, computer fraud, and theft of computer services.
Just as with any insurance policy, cyber insurance coverage focuses primarily on reimbursement of the financial trauma caused by cyber crime directed at a small business. For example, first-party coverage often covers the fees for forensic investigations required during and after a cyber attack and the replacement cost of damaged technology, such as laptops.
First-party coverage may also cover the financial hit of credit monitoring required as part of a data breach response plan. It may also help offset the costs of customer notifications and public relations required after a cyber incident. Third-party coverage is entirely focused on liability costs such as legal fees or regulatory fines and penalties.
Now that we’ve discussed the parts of cyber insurance, let’s review what business owners need to do to be better prepared to secure coverage.
Prepare for Cyber Insurance with a Cybersecurity Checklist
As you take the time to research and evaluate cyber insurance providers, you should also invest time to evaluate and prepare your IT environment for review before applying for cyber insurance.
Taking a few extra weeks to review your network security infrastructure, incident response, data recovery and internal cyber policies can improve your chances of securing coverage and better rates. The place to start that process is with a cyber insurance coverage checklist.
A checklist is a scorecard that consolidates the facts about your technology environment for easier review. By highlighting omissions in your security stance, the checklist helps insurance agents guide you to the best policy and reveals areas for improvement you may not be aware of.
Because nearly all insurance companies require a checklist or other form of documentation before considering your organization for cyber insurance coverage, you can accelerate the process of securing a policy by tackling this work early on in the discovery process.
This checklist can help to establish a reference point for where your company sits in the cybersecurity hierarchy and guide future IT roadmap and investments. Most checklists ask for detailed information about the following topics, in no particular order of importance:
- Asset discovery, mapping and management tool
- Authentication processes
- Customer information stored or handled in your network
- Cybersecurity budget
- Data backup, business continuity and other resiliency solutions and processes
- Email security
- ID and access management including multi-factor authentication
- Inventory of obsolete technology
- Personnel involved in cybersecurity
- Remote desktop access and security
- Security products in place
- Training for employees
- Unsupported and end-of-life software usage
- Use of a security operations center (SOC) or managed security services provider (MSSP)
- Use of DNS protection
- Vulnerability scanning
Understanding who makes cybersecurity decisions helps reassure insurance companies about your commitment to security, so other questions may include inquiries about executive leadership’s involvement in cybersecurity decisions and policymaking.
Remember, cybercriminals and hackers are persistent and crafty, so insurance companies want to be reassured about your business’ commitment to risk management.
The Pros and Cons of a Cyber Insurance Coverage Checklist
Many organizations may be shocked as they start to work through a cybersecurity checklist, which can present a harsh reality. Like many decisions made piecemeal, if cybersecurity has not been approached with a thorough strategy in place, or if management has chosen not to invest in technology and/or cybersecurity, the outcome can be less than optimal.
Many businesses, particularly small to medium-sized companies or those in highly regulated industries such as healthcare, may be shocked by what insurance companies require of them in terms of reducing exposure to cyber risks, especially those companies relying on legacy IT infrastructure. From an underwriting standpoint, end-of-life or outdated hardware and software are considered more vulnerable to a cyber attack and, therefore, riskier to cover.
Because cybersecurity is complex, with an ever-increasing number and variety of threats, having an outsourced IT support partner may be the best solution for many SMBs.
By using professional tools such as ethical hacking and penetration testing, managed IT service providers can fully assess your current technology and cybersecurity solutions, identify gaps and recommend a sensible, affordable roadmap that ensures your business will meet the high standards demanded by cyber insurance providers.
Your business needs cyber liability coverage and a dedicated service provider
Unless you as a small business owner are confident your organization can withstand a cyber attack, keeping in mind the average cost of an attack on an SMB is about $3 million, investing in a cyber insurance policy is good business.
While cyber insurance quotes range according to industry, business size, location, levels of sensitive customer data, and more, average annual costs fall between $500 and $5,000, significantly less than even one cyber breach.
If the thought of preparing for cyber coverage is daunting, talk with your managed services provider for support and consider preparing for cyber liability insurance an opportunity to tighten up your organization’s security measures and improve risk management.