Cyber Risk Insurance: Choosing the Best Policy for Your Small to Medium-Sized Business
Many insurance companies are diving into the cyber risk insurance game, and some have names you already recognize (such as Progressive Business and Travelers). Your business’ current insurance company may offer cyber risk insurance as an add-on to your existing policy.
The concept of cyber risk insurance has only been around since 2005 and is an offshoot of Errors and Omissions insurance. That means the industry is relatively new and still evolving.
Cyber risk insurance may be an entirely new idea for you, but it’s definitely something that you should include in your cybersecurity strategy along with your back-up and recovery solutions. Cyber risk insurance can help you recoup losses, pay for investigations, cover legal costs, and give you the funds you need to get your business back up and running.
What is Generally Covered Under a Cyber Risk Insurance Policy?
Most cyber risk insurance policies cover the fallout from a breach, helping to cover the costs directly related to the incident. Depending on the policy you choose, this coverage can include:
1. Network security damages as a direct result of a cybercrime, such as:
- Payment of ransomware
- Data breach notifications
- Identity restoration and credit monitoring
- IT forensics
- Legal expenses
- Data restoration
- Public relations intercessions
2. Business Interruptions
This allows the policy holder to recover some expenses following a breach, such as fixed operational expenses and lost profits. These clauses generally cover system failures, human error, and security failures.
Some cyber risk insurance policies also cover profit losses due to reputational damages following a cyber breach.
3. Legal Fees Incurred Due to Breach of Contract
If a breach has kept you from fulfilling customer and client obligations, you can be held legally liable for damages. A good cyber risk insurance policy can help you mitigate these costs.
4. Breach of Privacy
Many verticals have stringent privacy rules and regulations. HIPAA is one that most people think of, with fees and fines for any violation deemed “negligent.” These regulations cover every employee working in the office, remotely from home, and even third-party vendors. Most cyber risk insurance policies will cover the legal costs and fees for violations resulting from a cyber breach that exposes data. A policy can also cover your business against class-action litigation and penalties awarded by the courts following a breach.
5. Replacement Hardware
Since many forms of malware can render hardware useless, a good cyber risk insurance policy will cover the replacement of damaged equipment following a cyberattack.
What is Usually Not Covered
Again, reading the fine print will help you understand the limitations of your cyber risk insurance policy. Many small to medium-sized businesses were taken by surprise when their claims relating to COVID-19 security breaches were not covered. All insurance coverages are different, but you need to double-check your policy to make sure it covers:
1. BYOD and Remote Worker Claims
Be aware of exclusions on BYOD and remote workers. Some of these exclusions can be very specific, like not covering a device that is unencrypted or refusing to cover employees who haven’t signed an acceptable use policy. In these cases, an employee’s personal device replacement costs will not be covered, even if it was destroyed as part of a malware attack. Read the fine print and make sure your coverage includes BYOD and remote worker claims.
2. “Acts of War”
This stipulation has been snuck into some cyber risk policies to disallow payment for cyber breaches caused by state-sponsored actors and foreign hackers. Because these breaches are considered “an act of terrorism,” you may be unpleasantly surprised to find your coverage doesn’t protect you from larger, organized groups of hackers.
3. Potential Profit Loss in the Future
Your cyber risk insurance policy may cover profit loss to a degree, but many will not cover “future” losses and may have a limited amount of time following the breach where they will reimburse you for lost profits.
4. Upgrading Technology
Unless the devices and hardware were damaged because of a cyberattack, most cyber risk insurance policies will not cover updating or upgrading equipment even if doing so increases your overall cybersecurity.
Choosing the Best Cyber Risk Insurance Policy for Your Business
Choosing the right policy, like choosing your car insurance or health insurance, will depend on your company’s size and your industry’s threat levels. When comparing coverage, look for these key points:
Cyber risk insurance will have deductibles, just like any other insurance policy. The average deductible, per a study from AdvisorSmith Solutions Inc, is around $10k for $1 million in liability coverage. The annual cost of a policy averages $1500 per year for that same $1 million policy, based on location and industry.
Stand-Alone Policy vs Add-On
Your existing business insurance company may offer cyber risk insurance as an add-on to your coverage. Look at what they offer and compare the pricing and coverages to cyber risk insurers; most of the time, a stand-alone policy will provide more comprehensive coverage than add-on policies.
Since employees accidentally cause 90% of breaches, it’s important to choose a policy that covers unintentional employee actions such as responding to a phishing attempt, clicking infected attachments, or falling for a “spoofed” web site. Make sure your policy covers “social engineering,” a blanket term that includes most of these email-related attacks.
Just like getting a car insurance discount for taking a safe-driving course, your policy may include discounts for employee cyber-security awareness training.
APTs (Advanced Persistent Threats)
APT cyber risk insurance coverage is tricky. The threat is not a single targeted incident; it is a slow process taking place over weeks, months, and even longer. Check to see how the cyber risk insurance carrier covers APTs and choose a policy with longer time frames to collect for damages caused by them.
Any policy you find will cover breaches to your own business…but what if the threat came from a third-party vendor? Your point-of-sale software, your financial institution, your MSP, and even your accountants or attorneys are all closely connected with your business. When bad actors hack third-party vendors, they are looking for the bigger prize at the end of the game…your business’ sensitive data. Your customers will still hold you responsible, even if this breach wasn’t your fault. What type of coverage does the insurance company offer for damages resulting from third-party vendor breaches?
Some breaches occur because hackers cast a wide net hoping to catch anyone they can, while other attacks target a company specifically. There may be hidden clauses in the policy stating that you are only covered in the event of a targeted attack and not a more widespread hacking scheme.
Qualifying for a Cyber Risk Insurance Policy
When you apply for health insurance, the carrier will most likely have you get a physical evaluation to assess your health before choosing to cover you, the amount you will pay, your deductibles, and the amount of coverage you will qualify for.
Cyber risk insurance companies will ask you to get a cyber health evaluation. This looks at:
- Your location
- The size of your organization
- Your industry
- Your current cybersecurity strategy efficacy
- Any past cybersecurity incidents
You can prepare for this by having a professional network assessment performed for your organization. This assessment will show you, and the insurance carrier, how prepared you are to meet current cybersecurity trends and threats.
Iconic IT Offers a Comprehensive Network Audit at No Cost or Obligation to You
Iconic IT, a leading MSP in the industry, is offering a 100% free, no obligation network assessment to companies looking for cybersecurity risk insurance. Your audit will give you a clear picture of your overall network and strategies, showing you any gaps and vulnerabilities you may need to patch up before applying for a cyber risk insurance policy. You’d never apply for a loan without checking your credit score; don’t apply for cyber security insurance without checking your network score.