In the past decade, alongside the increased importance of digital tools for business, a new category of insurance has sprung up to cover digital data breaches and liability. With the average total cost of data breaches reaching $4 million and the average cost of each lost or stolen digital record increasing to $158, it is clear that experiencing a data breach is an expensive affair.
While dedicated security response teams and encryption do decrease these costs, and IPS/IDS systems and other security measures can help reduce the risk, many organizations will still experience a data breach at some point.
Cyberinsurance can help mitigate the cost of a data breach by reimbursing your company for legal fees, helping with the cost of crisis management and investigation, notification costs, extortion liability fees, and third-party damages relating to network or system outages. But does every organization need cyberinsurance?
Your business likely already has general liability insurance to cover injury, property damage, and some other risks from your everyday services, operations, and products. However, it often specifically excludes damages from cybersecurity-related causes. Cyberinsurance comes in a number of flavors and has a premium cost between $1000 and $50,000 depending on your coverage and risk level, much of which is tied to the size of your company and the nature of your business.
Cyberinsurance is an evolved form of Errors and Omissions, a form of insurance that you may already have. Dating back decades, E&O covers any claims generated from service errors, like the disruption of your digital services. This also covers service problems from more office-oriented industries like legal, medical, or engineering. Eventually some E&O policies included coverage for network outages, unauthorized system access, or viruses.
Depending on the type of cyberinsurance you choose, it will cover:
Any business that performs a significant portion of its operations digitally should take a hard look at cyberinsurance. If you store or handle personal identifying information (PII) or personal health information (PHI) on a computer system, even if that system is operated by a third-party service provider, cyberinsurance might be wise. This includes customer names, addresses, credit card processing, and so forth.
Talk to your broker about what your current general liability and/or E&O coverage might cover in the case of a digital incident. Consider how much information you might be processing or storing regularly. If you are a smaller organization, the additional cost may not be worth it compared to the risks — but consider that 43% or more of cyber attacks target small businesses.
Take a hard look at your existing cybersecurity measures before approaching a broker. What can you implement to minimize your risks and in turn minimize your deductible and premium? Do you have hardened and up-to-date software and hardware? Do you monitor your systems? Have you added IPS/IDS? Are your employees trained about security best practices, including avoiding phishing and social engineering? Have you had a threat assessment performed?
Talk to multiple insurance providers. Some of them may want to perform audits of their own on your IT systems. If one doesn’t have the coverage you think you need, move on. Compare deductibles and premiums, naturally, but also be aware of sublimits on fines, penalties, or other limits. These could include a maximum sublimit payout for regulatory fines, or a requirement that your network be down for a minimum of 12 hours before coverage kicks in.
Ask about how making a claim — or not making one in a given year — might affect your premium. Inquire as to their guidance process around making smart security choices for your company. Some insurance providers may have special requirements like encryption, or may exclude internal breaches from employees. While more complicated to implement, a very detailed policy helps you avoid expensive liability.
Cyberinsurance is an evolving field, but it is becoming more essential to businesses of all sizes, especially as Software as a Service and other cloud-based services become commonplace. In light of major breaches occurring every year, it may be wise to re-examine your business insurance to see if cyberinsurance coverage makes sense for you.