What would a cyber incident cost your organization? If you were CNA Financial Corp., that cost might run to $40 million — the price that they paid in March 2021 to ransomers to regain control of their own networks, as The Washington Post reported. Even for a company valued at $12 billion, this isn’t an insignificant amount — that money has to be found from somewhere. As criminals become more advanced in their tactics, techniques, and procedures, the risk of cyber compromise goes up. And as with many other risk-related business areas, you can insure against cyber risk, with Cyber Liability insurance.
In 2020, the FBI’s Internet Crime Complaint Center received a record number of cybercrime complaints and counted losses totaling over $4.1 billion, according to its Internet Crime Report 2020. Accenture’s survey results in its State of Cybersecurity Report 2020 indicated that the “average cost per attack for non-leaders (in terms of cyber resilience) was US$380,000 per incident.” The survey also found organizations reporting, on average, 22 security breaches per year.
What Is Cyber Liability Insurance?
Cyber Liability Insurance is a type of insurance that covers hacking, data breaches, and employee errors that result in data loss, regulatory breaches, compromised systems, and monetary losses.
This type of insurance can cover:
- The costs of your day-to-day business being interrupted
- Investigation with a trained team
- Data loss and recovery costs
- Extortion amounts
- Crisis management including reputation management
- Penalties from regulatory bodies
What Areas of the Business and IT Does Cyber Liability Insurance Cover?
Like any other type of insurance, you must read the fine print to know what will be covered and what will not. Insurance providers’ terms can vary significantly, so vendor appraisal and comparison are necessary if you are looking into this product. Using a broker to help you in the process is highly recommended.
So, what are you in for if you choose to purchase Cyber Liability Insurance and you experience an attack?
CPA Australia gives the example of a law firm using third-party cloud-based software which holds confidential information. After unauthorized access was reported to the law firm, data was deleted that included information associated with 5,000 clients, leaving the firm unable to operate. A claim of $124,000 AUD (approx. $93,000 USD) was made, which covered the cost of business interruption, forensic investigation and recovery, and legal costs, plus help with the compulsory notification under the Notifiable Data Breaches Scheme. In another example, a bookkeeping business experienced a crypto-locking ransomware attack. The payout in this case was $120,000 for legal fees, IT service fees, and business interruption costs, including $25,000 for the attackers’ ransom.
What Are Some of the Stipulations Required for Taking Up Cyber Liability Insurance?
As the costs of cyber insurance climb, along with the size of payouts, it makes sense that insurers are becoming more rigorous in their stipulations. These include requirements like always having multi-factor authentication (MFA) switched on or encrypting sensitive data at rest. Insurers may also request to see your systems, processes, tools, and more to ensure they are compliant with security best practices. Using a platform like JumpCloud, where security and compliance are baked into the foundational directory and device management solution, can assist companies in meeting these increasing standards.
Why Is Cyber Liability Insurance Important?
Accenture’s report notes that cybersecurity programs only actively protect around 60% of a business’s systems. With attacks extending to the supply chain, and hidden or indirect attacks on the rise, it becomes more difficult to guard against them. Enhancing coverage against cyberattacks is not only technically sprawling and ever-growing, but also expensive. Costs inevitably increase around the practices of network security, threat detection, security monitoring, identity management, firewalls, governance activities, application security, and more.
Many small-to-medium enterprises (SMEs) either invest in an expanded tech stack to support their growing security needs or outsource their cybersecurity functions to a managed service provider (MSP) in order to reduce the risk of an attack landing. In the same way, there are options to reduce the business impact when an attack does land; that’s what Cyber Liability Insurance covers.
Is Cyber Liability Insurance Necessary?
With rising rates, complexity, and impact to business, cyber incidents are a real risk to organizations large and small the world over. And as with many other risk events, these can be insured against.
Like any non-mandatory insurance, Cyber Liability Insurance is just that — non-mandatory, an optional extra. However, with the threat landscape outpacing many organizations’ ability to mitigate and respond to it, it is a type of insurance more and more organizations are opting for.
Even so, it requires a careful cost-benefit analysis as part of your overarching security plan and general risk appetite. Each business is different in these two aspects. As Accenture notes in their State of Cybersecurity Report 2020, businesses can significantly reduce the costs of cyberattacks by up to 72% by investing in their cybersecurity teams, advanced technologies, agility in security, and leverage of current investments. So while Cyber Liability Insurance may provide excellent coverage in the event of an incident, investing in your defense systems will also help allay risk. For more advice on what you can do to bolster your defenses, especially as a small-to-medium sized enterprise, take a look at this Security Checklist for Your Startup.