Steady, sedate, dull — these are words people commonly use to describe insurance. Policies undergo very few changes from year to year, customers submit predictable claims, and insurers usually issue payments promptly and earn a good rate of return. Cyber insurance, however, might be the one segment of the industry that breaks the mold.
For small and medium-sized businesses (SMBs) to withstand the threat of cyberattacks, they need a full understanding of their insurance options. Keep reading to uncover all the details of cyber insurance coverage, including why it’s so important, what protection it provides, and how you can find the right insurer for your organization.
Growth and Limitations in the Cyber Insurance Market
There’s no question that more companies than ever before are taking advantage of cyber insurance coverage. The value of the global market reached $13.33 billion in 2022, and experts project that it will exceed $84 billion by 2030.
What’s Driving the Demand
There are a lot of factors behind the rising adoption and exposure of cyber insurance. They include:
- The digital transformation: Companies have deployed digital technologies to achieve competitive advantage through faster product development and rollouts, operating efficiencies, and customer experience, which also increases their exposure and vulnerability to cyber threats. The popularity of remote work has also contributed to phishing attacks that exploit employees’ lack of knowledge or training in cybersecurity practices.
- Widespread ransomware: The growth of ransomware attacks is another important piece of this puzzle. One cyber insurance company saw a significant spike in the number of claims in 2023, most of which they attributed to the alarming frequency of ransomware.
- Government attention: Even the White House has stepped into the fray, generating news coverage on the issue of the recent wave of cyberattacks and highlighting the importance of insurance. In November 2023, the White House brought together the International Counter Ransomware Initiative (CRI) to discuss a wide range of issues related to cybersecurity, including the need for cyber insurance.
When you put all these components together, it’s easy to see why interest in cyber insurance has exploded over the past several years.
What’s Holding SMBs Back
A 2023 survey found that 61% of SMBs were hit by a successful cyberattack in the past year. Despite that troubling trend, many companies haven’t purchased cyber insurance. In 2021, CNBC found that only 26% of small businesses had existing coverage.
Some of the issues preventing SMBs from investing in coverage include:
- Limited budgets: Financial conditions carry some of the blame for this low adoption rate. During and since the COVID-19 pandemic, some SMBs have struggled to prioritize investments in cybersecurity practices and insurance.
- Lack of concern: Owners of small businesses often underestimate the likelihood that they’ll fall victim to an attack. They assume that their limited size protects them, when it might be exactly what’s making them a target.
- An uncertain future: Finally, insurers are constantly reworking policy commitments because limited historical data makes it difficult to predict where cyber threats will come from in the future. On top of this, insurance industry leaders are having difficulty projecting the long-term trajectory of the market.
What many SMBs fail to realize is that the benefits of cyber insurance generally far outweigh these challenges. It enables them to recover revenue losses and pay for recovery expenses so that they don’t materially affect ongoing operations or lessen their competitive positioning.
Why Cyber Insurance Matters for SMBs
For business owners who aren’t convinced, a quick glance at the state of cybersecurity offers compelling support for the importance of cyber insurance. Beyond that, insurers and government agencies are working hand in hand to support organizations in other ways, including helping to create a more reliable security framework and providing access to valuable tools.
An Evolving Threat Environment
Every day, it seems like there’s more bad news about threats and vulnerabilities in cybersecurity. From malware to cryptojacking, organizations face risks on multiple fronts, all of which can have severe impacts on their operations.
That’s especially true of ransomware and SMBs. One study found that 82% of ransomware attacks in 2021 affected organizations with under 1,000 employees. Likewise, according to the 2023 Data Breach Investigations Report from Verizon, ransomware recovery costs have steadily increased, in part because attackers are setting their sights on smaller organizations.
Beyond the ransom itself, businesses that fall victim to ransomware often have to deal with revenue losses and damage to their brand and reputation. Cyber insurance covers many of these expenses to minimize the effect on an SMB’s future.
Establishing a Better Framework
Insurance companies are also adding structure to cyber risk engineering processes by using frameworks such as the Cybersecurity Framework (CSF), developed by the U.S. National Institute of Standards and Technology (NIST).
This framework is a voluntary initiative created through the collaborative efforts of industry and government. It consists of standards, guidelines, and practices for organizations to better manage risks.
The NIST Cybersecurity Framework involves five functions:
- Identify: Develop an organizational understanding to manage cybersecurity risks: systems, data, assets and capabilities
- Protect: Develop and implement appropriate safeguards to ensure delivery of services
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Companies such as Axio have developed standalone risk management platforms based upon the NIST framework. These platforms include an insurance stress testing function to help companies figure out which coverage is most relevant to their unique risk profile.
Building Business Resilience
Cyber insurance companies and their agents also play a proactive role in preparing their clients to defend against and respond to cyber attacks. For example, insurers are deploying more technology to gauge risk levels than is ordinary for the insurance industry, including:
- Artificial intelligence (AI)
- Internet of Things (IoT) devices
- Business intelligence
- Data analytics
These developments give companies the opportunity to augment the cybersecurity component of their business continuity planning process. They can refine their investments in things like network infrastructure, multi-factor authentication, and data backup to avoid and prepare for the aftermath of data breaches and losses. Solutions like Datto SIRIS, with its comprehensive data protection capabilities, offer businesses a robust backup and disaster recovery option, and Datto SIRIS pricing is designed to fit various business needs, making it easier for companies to strengthen their data protection strategies while managing costs effectively.
Cyber Insurance Coverage in Detail
Cyber insurance pays a range of costs associated with an attack or incident. As you’d expect in a market that’s changing so rapidly, there’s no standard cyber insurance policy, so it’s up to the buyer to compare policy provisions.
First-Party Coverage
First-party policies cover the claims you make for breaches of your company’s network. They pay for costs such as:
- Restoring and recreating the compromised data
- Hiring experts to help you fix a problem and gain control of the issue
- Repairing your hardware systems and software
- Recovering income lost due to the breach
- Paying extortion costs
- Notifying vendors, customers or regulatory entities about the loss
- Restoring the personal identities of affected customers
- Supplying credit monitoring services and identity theft protection for affected customers
- Hiring a specialist to conduct a forensic investigation to find the source of the attack
- Paying public relations expenses
Under your first-party provisions, your cyber insurer will also take on some of the administrative burdens of recovering from a breach, including:
- Informing your customers of the breach and about how you are responding
- Notifying the proper authorities of the attack to start an investigation and ensure compliance with data breach laws, which vary by state and global region
- Supplying a negotiator to communicate with those making the ransom demands
First-party coverage is what businesses usually think of when they consider purchasing cyber insurance, but it’s not the only type of protection insurers provide.
Third-Party Coverage
Third-party coverage is for companies that handle other people’s sensitive data, such as tech companies, healthcare organizations, financial services, and retailers. These institutions are often legally liable when cyber incidents compromise their clients’ data.
Third-party coverage helps absorb costs associated with litigating a variety of issues, including:
- Privacy lawsuits brought by customers or employees who allege that you were responsible for the data loss
- Allegations of libel, slander, or copyright infringement that arise because of the data breach
- Allegations of breach of contract on your part
- Settlement costs
- Court-ordered damages
In addition to these legal costs, third-party insurance will cover the expenses associated with responding to regulatory inquiries and any resulting regulatory fines and penalties.
Additional Insurance Types
It’s also important to distinguish between cyber insurance and other kinds of coverage for SMBs. Some businesses run into trouble when they mistakenly assume that they already have coverage.
Technology Errors and Omissions Insurance (Tech E&O)
Tech E&O insurance is designed specifically for providers of technology products and services. It covers situations when there is some form of negligence that causes financial harm to users.
In the case of a cyber event where there is negligence on the part of the technology provider, the provider would make a claim to recover legal expenses under its tech E&O policy. However, if there is no negligence, then the claim would be made under its cyber insurance policy.
Business Owners Policy (BOP)
Small business owners can add a limited degree of cyber liability coverage with an endorsement to their BOP and the payment of an added fee. These policies will generally cover third-party legal and notification expenses but none of the first-party costs you incur. The payouts on the third-party costs tend to be limited to $100,000, which could be quickly exhausted in notification costs alone.
Commercial Property Policy
Commercial Property Policies protect physical property owned by a business. These policies will typically include some coverage for computers, often as part of broader coverage for electronics. While premises hardware damage is included, there’s rarely protection for software and data, and no coverage for data stored in the cloud.
Successfully Navigating the World of Cyber Insurance
Having all this information might clarify why you need cyber insurance, but it still leaves you with the dilemma of successfully securing and using it. Let’s look at some of the points you’ll need to consider before and after purchasing your policy.
Finding the Right Cyber Insurance Provider
There are a variety of companies competing for the fast-growing premiums generated in this market. All the large traditional players, such as AIG, Travelers, and Liberty Mutual, are among them.
Common Cyber Insurance Practices
Before engaging with an insurer or broker, it pays to know whether you’re following basic practices. Each insurer is different, but they generally have a few core requirements, such as:
- Maintaining a written cybersecurity policy
- Providing security training for employees
- Deploying firewalls and antivirus software
- Installing software patches regularly
- Using strong and complex passwords
- Encrypting mobile devices that interact with sensitive data
- Constantly reviewing and responding to security monitoring alerts
Failing to meet these expectations could cause problems if you ever need to file a claim.
Reasons for Rejection
While most cyber claims are paid, insurers can deny a claim if it could have been easily prevented or if a company cannot provide evidence that it was following policy requirements. These are some possible problems that might come up:
- Denying the full value of a claim: Cyber policies have individual limits for specific insuring clauses and subclauses, so it’s critical to carefully review these terms and pay particular attention to the ransomware provisions of a policy. The ability to anticipate your company’s potential exposure to extortion demands, lost income, and asset restoration will enable you to ensure payouts will meet your needs.
- Social engineering claims: Insurers can reject these claims if they can show that the employee was negligent. Negotiating a separate social engineering clause, rather than just having a computer fraud or forgery clause, can help protect you as social engineering attacks continue to evolve.
- Payment Card Industry (PCI) fines: Some insurers reject the PCI fines and assessments created and assessed by the Security Standards Council of the credit card industry. This usually occurs when financial services companies fail to provide adequate protection to consumers and businesses against data theft and fraud.
- Litigation requirements: Another cause for denied claims occurs if a company makes a claim against its policy when another company is at fault for the breach. The two companies have to litigate these issues in court rather than deal with them through the insurance company.
Knowing whether these or other factors could cause your insurer to deny part or all of your claim is vital to protecting your financial interests.
Getting Support and Facing the Threat
With so much in question, cyber insurance companies can provide a sense of stability and security. Over only a few years, they’ve proven that they’ll provide reliable payments for claims. By delivering updated threat data, platforms to test incident readiness, and frameworks for building protection, cyber insurers can be another component in your business continuity planning.
To learn more about cyber insurance coverage and business continuity, contact the team at Invenio IT. Speak to one of our experts to explore your options and get pricing for the best cyber insurance provider on the market.
There is not much change in the makeup of the companies that are offering insurance, agents generally have limited interaction with their customers and infrequently have an impact on business-critical matters, and seldom do you see headline news stories coming out of the industry.
It’s a different ball game with cyber insurance. The constantly evolving cyber threat environment, the rapidly increasing number of claims filed, the emergence of new competitors, and the fact insurers have only been operating in this segment for a couple of decades has created a dynamic environment.
The difficulty of projecting where cyber threats will be coming from in the future along with limited historical data for use in developing analytical models to project future risk exposure has caused a constant reworking of policy commitments. On top of this, insurance industry leaders are having difficulty projecting the long-term trajectory of the market.
Even the White House has stepped into the fray, generating news coverage on the issue of the recent wave of cyber attacks and highlighting the contribution insurance can play in building cyber security. At its recent White House summit of tech, financial services, insurance, energy, and education leaders, the administration called on the insurance industry to develop ways of incentivizing businesses to deploy and maintain good cybersecurity practices.
Actually, there is one aspect of the cyber insurance business that mirrors more traditional lines of insurance and that’s reliable payments on cyber incident claims. Cyber insurers have demonstrated a consistent track record on this score and that’s important for those considering adding this coverage for the first time.
The Business Environment
A prime cause of the increased exposure is driven by the ongoing digital transformation of business. As companies increasingly deploy digital technologies in an effort to achieve competitive advantage through faster product development and rollouts, operating efficiencies, and customer experience, their exposure and vulnerability to cyber threats grows as well.
The Covid-19 pandemic has had a dual impact on the increase in cyber vulnerability. Many companies have sped up their digital transformation plans in an effort to create greater efficiencies in their product and service delivery models.
According to a Munich Re survey, 33% of C-level respondents report that they have accelerated digitalization due to Covid-19. As a result, companies have struggled to bring their security practices along as rapidly. On the user side, more remote working has resulted in an increase in phishing attacks that often exploit workers’ interest in updated information on the pandemic.
State of Cyber Insurance Coverage
Despite the worsening threat environment, most small and medium-sized businesses do not carry cyber coverage. According to a study by CyberScout, even though 76% of SMBs experienced a cyber attack, only 31% had cyber insurance. The report highlights the fact that businesses that are already under financial pressure in responding to the pandemic are struggling with prioritizing investments in cyber security practices and insurance.
The Evolving Threat Environment
According to an analysis of threat reporting by Dark Reading, ransomware and phishing will continue to be the main types of cyber incidents through 2021. The most prevalent attacks can be categorized according to five classes of incidents: human factor, malware, denial of service (DoS), web application, and password. These events have multiple impacts on business operations.
Cybereason examined ransomware attacks and found that 66% of companies attacked experienced a significant loss of revenue, 35% of businesses paid a ransom between $350,000 and $1.4 million, and 53% reported damage to their brand and reputation. As described below, cyber insurance helps recover the costs of all these factors.
Dealing with Uncertainty
In this uncertain environment, insurance companies, including majors such as Zurich, are adding structure to the cyber risk engineering processes by using frameworks such as the Cybersecurity Framework (CSF) developed by the U.S. National Institute of Standards and Technology (NIST).
This framework is a voluntary initiative created through the collaborative efforts of industry and government. The framework consists of standards, guidelines, and practices for organizations to better manage risks. Companies such as Axio have developed standalone risk management platforms based upon the NIST framework. These platforms include an insurance stress testing function to help companies figure out which coverages are most relevant to their unique risk profile.
The NIST Cybersecurity Framework provides a common vocabulary for risks and controls, allowing for more productive discussions among underwriters, brokers, and companies looking to obtain insurance. The framework facilitates conversations between insurance risk specialists and C-suite and board members by minimizing IT jargon.
Of note is the fact that nearly three-quarters of the security controls are non-technical in nature. A great emphasis is placed on roles and responsibilities, training, security procedures, incident response and communication.
Working with the NIST Cybersecurity Framework involves five functions. The purpose of the Framework is to provide a comprehensive view of the lifecycle for managing cybersecurity. The five functions consist of:
- Identify – Develop an organizational understanding to manage cybersecurity risks: systems, data, assets and capabilities.
- Protect – Develop and implement appropriate safeguards to ensure delivery of services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Cyber Insurance and Business Resilience
Cyber insurance companies and their agents are also responding to the demands of this market environment by playing a proactive role in preparing their clients to defend against and respond to cyber attacks.
For example, Coalition, a cyber insurer and one of the participants in the White House summit, announced that it will make its cybersecurity risk assessment & continuous monitoring platform available for free to any organization. Others are deploying more technology than is ordinary for the insurance industry. Corvus, for example, is applying a combination of AI, IoT, business intelligence and data analytics to better gauge cyber risk.
These developments present an opportunity for companies to augment the cyber security component of their business continuity planning process and further refine ongoing investment activities in things like network infrastructure, multi-factor authentication, and data backup to avoid and prepare for the aftermath of data breaches and losses.
Cyber insurance provides companies with the financial resilience to complement their investments in operational resilience. Cyber coverage enables companies to recover revenue losses experienced and pay for the expenses related to recovering from a data breach so that these costs will not materially affect ongoing operations or lessen a company’s competitive positioning.
Defining Cyber Insurance
Cyber insurance pays a range of costs associated with a cyber incident such as ransomware, social engineering and denial of service. As you’d expect in a market that is changing so rapidly, there is no standard cyber insurance policy. This variety puts the onus on the buyer of insurance to compare policy provisions carefully.
Most cyber insurers offer two types of coverage: first-party and third-party. First-party policies cover the claims you make for breaches of your company’s network and will pay for the costs to:
- Restore and recreate the compromised data
- Hire experts to help you fix a problem and gain control of the issue
- Repair your hardware systems and software
- Recover income lost due to the breach
- Pay extortion costs
- Notify vendors, customers or regulatory entities about the loss
- Restore the personal identities of affected customers
- Supply credit monitoring services and identity theft protection for customers affected
- Hire a specialist to conduct a forensic investigation to find the source of the attack
- Pay public relations expenses
Under your first-party provisions, your cyber insurer will also step in and take on some of the administrative burdens of recovering from a breach. These services include:
- Informing your customers of the breach and about how you are responding
- Notifying the proper authorities of the attack to start an investigation and ensure compliance with data breach laws, which vary by state and global region
- Supplying a negotiator to communicate with those making the ransom demands
Third-party coverage is for companies that handle other people’s sensitive data, such as tech companies, health care companies, financial services, and retailers. If your company handles sensitive data for a client and it is compromised in a cyber incident, your company could be held legally liable. To absorb costs associated with these legal proceedings, third-party coverage will pay the legal costs necessary to litigate a variety of issues including:
- Privacy lawsuits brought by customers or employees who allege that you were responsible for the data loss
- Allegations of libel, slander or copyright infringement that arise because of the data breach
- Allegations of breach of contract on your part
- Settlement costs
- Court-ordered damages
In addition to these legal costs, third-party insurance will cover the expenses associated with responding to regulatory inquiries and any resulting regulatory fines and penalties.
Technology Errors and Omissions Insurance (Tech E&O)
Tech E&O insurance differs from cyber insurance in that it is designed specifically for providers of technology products and services and covers situations when there is some form of negligence on the part of the technology provider which causes financial harm to their users.
For example, a company might sue a technology provider for harm caused by missed project implementation deadlines or if it recommends the wrong solutions. In these cases, a tech E&O policy will cover the legal costs to defend against the accusations including court costs, attorney’s fees, settlement expenses, and any judgements ordered.
In the case of a cyber event where there is negligence on the part of the technology provider, the provider would make a claim to recover legal expenses under its tech E&O policy. However, if there is no negligence, then the claim would be made under its cyber insurance policy. These fine points create a gray area for tech companies, highlighting the vital role an insurance agent can play in working out adequate coverage without duplication.
Business Owners Policy (BOP)
Small business owners can add a limited degree of cyber liability coverage with an endorsement to their BOP and the payment of an added fee. These policies will generally cover the third-party legal and notification expenses described above but none of the first-party costs you incur. The payouts on the third-party costs tend to be limited to $100,000, which could be quickly exhausted in notification costs alone.
Commercial Property Policy
Commercial Property Policies protect physical property owned by a business. These policies will typically include some coverage for computers, often as part of broader coverage for electronics. While premises hardware damage is included, there’s rarely protection for software and data, and no coverage for data stored in the cloud.
What Insurers Will Expect
Before engaging with an insurer or broker, it pays to ensure that you are following certain basic practices. These practices should include:
- Maintaining a written cybersecurity policy
- Providing security training for employees
- Deploying firewalls and antivirus software
- Installing software patches regularly
- Using strong and complex passwords
- Encrypting mobile devices that interact with sensitive data
- Reviewing and responding to security monitoring alerts on a constant basis
Don’t Get Rejected
While most cyber claims are paid, insurers can deny a claim if it could have been easily prevented or if a company cannot provide evidence that it did everything to follow the requirements of the policy. In these cases, keeping detailed documentation of company policies and practices is a necessary procedure.
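The checklist of insurer expectations (written policy, training, firewall and antivirus, patching, strong passwords, encrypted mobile devices, alert review) and the point that a claim can be denied when a company cannot document that it followed them suggest keeping machine-checkable evidence rather than a one-off questionnaire answer. The following is an added example, not code from the article or from any insurer: it evaluates a constructed asset inventory and policy register against each item on that checklist, tags each control with the NIST CSF function it evidences (the mapping is the example's own), and renders a readiness report that could be kept with the policy file. The thresholds (30-day patch window, 14-character minimum, 90% training completion, 24-hour alert triage) are assumptions; real insurers publish their own.

```python
"""Evidence-of-controls check against a cyber insurer's baseline checklist (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds are assumptions for this example; an insurer's application sets the real ones.
PATCH_WINDOW_DAYS = 30
MIN_PASSWORD_LENGTH = 14
MIN_TRAINING_COMPLETION = 0.90
ALERT_REVIEW_SLA_HOURS = 24
POLICY_REVIEW_MAX_AGE_DAYS = 365


@dataclass
class Host:
    name: str
    last_patched: date
    firewall_enabled: bool
    antivirus_enabled: bool
    disk_encrypted: bool
    mobile: bool = False
    handles_sensitive_data: bool = False


@dataclass
class Org:
    policy_last_reviewed: Optional[date]
    training_completion_rate: float   # fraction of staff who completed security training
    min_password_length: int          # enforced by the identity provider
    mfa_enforced: bool
    open_alert_ages_hours: list       # ages of security alerts nobody has triaged yet
    hosts: list


def check_controls(org: Org, today: date) -> dict:
    """Return {control: (csf_function, passed, detail)} for each insurer requirement."""
    stale = sorted(h.name for h in org.hosts
                   if (today - h.last_patched).days > PATCH_WINDOW_DAYS)
    unprotected = sorted(h.name for h in org.hosts
                         if not (h.firewall_enabled and h.antivirus_enabled))
    unencrypted = sorted(h.name for h in org.hosts
                         if h.mobile and h.handles_sensitive_data and not h.disk_encrypted)
    overdue_alerts = [a for a in org.open_alert_ages_hours if a > ALERT_REVIEW_SLA_HOURS]
    policy_ok = (org.policy_last_reviewed is not None and
                 (today - org.policy_last_reviewed).days <= POLICY_REVIEW_MAX_AGE_DAYS)

    return {
        "written_policy": ("Identify", policy_ok,
                           f"last reviewed {org.policy_last_reviewed}"),
        "security_training": ("Protect",
                              org.training_completion_rate >= MIN_TRAINING_COMPLETION,
                              f"{org.training_completion_rate:.0%} completed"),
        "firewall_and_antivirus": ("Protect", not unprotected,
                                   f"missing on: {unprotected or 'none'}"),
        "patching": ("Protect", not stale,
                     f"older than {PATCH_WINDOW_DAYS} days: {stale or 'none'}"),
        "strong_passwords": ("Protect",
                             org.min_password_length >= MIN_PASSWORD_LENGTH and org.mfa_enforced,
                             f"min length {org.min_password_length}, MFA {org.mfa_enforced}"),
        "mobile_encryption": ("Protect", not unencrypted,
                              f"unencrypted mobile devices: {unencrypted or 'none'}"),
        "alert_review": ("Detect", not overdue_alerts,
                         f"{len(overdue_alerts)} alerts older than {ALERT_REVIEW_SLA_HOURS}h"),
    }


def readiness_report(results: dict) -> list:
    """Render findings as lines suitable for an insurance application or claim file."""
    lines = []
    for control, (function, passed, detail) in results.items():
        status = "PASS" if passed else "FAIL"
        lines.append(f"[{status}] {function:<8} {control:<23} {detail}")
    failed = [c for c, (_, ok, _) in results.items() if not ok]
    lines.append(f"{len(results) - len(failed)}/{len(results)} controls evidenced; "
                 f"gaps: {failed or 'none'}")
    return lines


# Constructed sample data for the example; not real assets or a real company.
SAMPLE_TODAY = date(2024, 2, 1)
SAMPLE_ORG = Org(
    policy_last_reviewed=date(2023, 9, 1),
    training_completion_rate=0.94,
    min_password_length=14,
    mfa_enforced=True,
    open_alert_ages_hours=[2.0, 5.5, 40.0],
    hosts=[
        Host("fileserver-01", date(2024, 1, 20), True, True, True),
        Host("laptop-sales-07", date(2023, 11, 2), True, True, False,
             mobile=True, handles_sensitive_data=True),
        Host("laptop-eng-03", date(2024, 1, 25), True, False, True, mobile=True),
    ],
)

if __name__ == "__main__":
    for line in readiness_report(check_controls(SAMPLE_ORG, SAMPLE_TODAY)):
        print(line)
```

On the sample data the report flags the sales laptop for an overdue patch and a missing disk encryption, the engineering laptop for a disabled antivirus, and one security alert that sat untriaged for 40 hours; the other three controls pass. Run against a real inventory export on a schedule, the dated reports become the documentation an insurer asks for when a claim is questioned.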
The full value of claims can be denied because cyber policies have individual limits for specific insuring clauses and subclauses, so a careful review of these terms at the time policies are negotiated is important. In this regard, particular attention should be paid to the ransomware provisions of a policy. The ability to anticipate your company’s potential exposure to extortion demands, lost income, and asset restoration will enable you to ensure payouts will meet your needs.
Social engineering claims have been rejected if employee negligence can be shown, so as social engineering attacks continue to grow and evolve, it is important to negotiate a separate social engineering clause rather than just having a computer fraud/forgery clause.
Some insurers have rejected Payment Card Industry, or PCI, fines and assessments. These are fines that were created and are assessed by the Security Standards Council of the credit card industry when financial services companies fail to provide adequate protection to consumers and businesses against data theft and fraud.
Another cause for denied claims occurs when a company makes a claim against their policy when another company is at fault for the breach. These issues have to be litigated rather than covered under insurance.
Finding Cyber Insurers
There are a variety of companies competing for the fast-growing premiums generated in this market, which have doubled since 2015 to over $3 billion. All of the large traditional players, such as AIG, Travelers, Chubb, CNA, and Liberty Mutual, are taking part in the cyber insurance market in a substantial way.
A new breed of company focused on the cyber insurance segment has also emerged in the last few years. These new entrants, such as Coalition, Resilience, At-Bay, Cyberdot, CyberScout and Corvus are leveraging technology to deliver their services and take a proactive stance in helping customers understand and anticipate the changing threat environment and offer a good match for SMB customers seeking cyber insurance.
Facing Up to the Threat
As the volume of cyber attacks grows and the nature of the incidents continuously evolves, engagement with a cyber insurer offers resources to meet this challenge. By delivering updated threat data, platforms to test cyber incident readiness, and frameworks for building protection, cyber insurers can be another component in your business continuity planning. And by rationalizing your insurance policy coverages, your insurer can make sure you carry optimal coverage to provide the peace of mind that your company will have the financial resources to bounce back from a cyber incident as completely as possible and limit damage to your competitive position.