How much would a cyber incident cost your organization?
If you were CNA Financial Corp. in 2021 the answer would be a cool $12 billion. That’s how much the organization paid ransomers to regain control over their own networks.
Despite the company’s high valuation, this wasn’t a small setback. Executive leadership most likely put high-priority initiatives on the backburner to salvage the business.
As criminals advance their tactics, the number of reported cybercrimes only continues to grow. According to the FBI’s Internet Crime Complaint Center, businesses lost approximately $18.7 billion from 2017 to 2021:
Furthermore, a whopping 72% of insurance brokers in the United States reported an increase of claims for cyber insurance policies during the first quarter of 2022. As reported by IBIS, the U.S. cybersecurity insurance market is expected to increase to $3.5 billion in 2023.
Unsurprisingly, an increasing number of organizations are now investing in cyber liability insurance to protect what has become the most important asset in the world — data.
Keep reading to learn more about the ins and outs of obtaining cyber liability insurance in 2023.
What Is Cyber Liability Insurance?
Cyber liability insurance is a type of insurance that covers organizations against hacking, data breaches, and employee errors that result in data loss, regulatory breaches, compromised systems, and monetary losses.
Here’s a summary of what cyber liability insurance can cover:
- The costs of your day-to-day business being interrupted
- Investigation with a trained team
- Data loss and recovery costs
- Extortion amounts
- Crisis management including reputation management
- Penalties from regulatory bodies
What Types of Coverage Are There?
Cyber liability insurance is typically broken down into three categories:
1. First-party coverage: This type of coverage provides financial assistance to businesses wanting to lessen the effects of online attacks. It covers incident investigation, financial loss, public relations damage control, customer notification, credit monitoring, and coverage-based payment in the event of ransomware.
2. Third-party coverage: This type of coverage provides liability protection should a third party suffer a cyberattack and file a claim against the insured company. It covers attorney fees, court fees, fines for noncompliance, and paying damages.
3. Technology errors and omissions: This type of coverage is useful when a cyberattack happens because of company errors and oversights. For example, say a business sells a software product that inadvertently contains a security vulnerability. Should user data be stolen because of the vulnerability, the insurance would cover court cases, legal fees, and related costs.
Like other types of insurance, reading the fine print is imperative. Insurance provider terms often vary significantly, so vendor appraisal and comparison is crucial to ensuring organizations get the coverage levels they are expecting. Even members of the U.S. Senate recognize the need to make cyber insurance policy information easier to understand:
“Small businesses need to be able to count on cyber insurance policies to protect them,” Sen. John Hickenlooper (D-CO) said. “But policies can be confusing or unclear about coverage, leaving many businesses at more risk than they think. That’s why we’re making more cyber insurance resources available and policy information easier to understand.”
Translation: Definitely partner with a reputable broker who can help you navigate the options!
Cyber Liability Insurance Payout Examples
So, what type of payment could you expect should you experience an attack? Let’s review a couple of examples provided by CPA Australia:
A law firm was using third-party, cloud-based software to hold confidential information. After an individual reported unauthorized access to the law firm, it discovered the private information of 5,000 clients had been deleted; the disappearance left the firm inoperable.
The firm filed a claim of $124,000 AUD (approx $93,000 USD), which covered the cost of business interruption, forensic investigation and recovery, and legal costs, plus help with notification to the Notifiable Data Breaches Scheme (compulsory).
Another bookkeeping business experienced a crypto-locked ransomware attack. The payout in this case was $120,000 AUD in legal fees, IT service fees, and business interruption costs, including $25,000 AUD to the attackers’ ransom.
Stipulations for Securing IT
As cyber insurance costs continue to climb, as well as payouts, it’s not surprising that cyber insurance carriers are now requiring the implementation of stricter security controls and procedures.
This includes items like having multi-factor authentication (MFA) switched on and implementing encryption of sensitive data at rest. Insurers may also request to see your systems, processes, tools, and more to ensure they are compliant with security best practices.
Many SMEs either invest in an expanded tech stack to support their growing security needs or outsource their cybersecurity functions to a managed service provider (MSP) in order to reduce the risk of potential attack impacts and qualify for cyber liability insurance.
Heather Thornburg of Wade Associates Insurance & Risk Management recently shared with the JumpCloud Community eight best practices companies can follow to prepare for cyber risk insurance renewals. Hint: JumpCloud makes it easier to streamline some of these tasks.
Should You Get Cyber Liability Insurance?
Like any non-mandatory insurance, cyber insurance is optional. It requires careful consideration in cost-benefit analysis as part of your overarching security plan and general risk appetite.
Quick facts to consider:
- Ransomware costs companies between $25,600 to $200,000 on average.
- Cybersecurity programs only actively protect around 60% of an organization’s systems.
- Attacks against small and medium-sized enterprises (SMEs) are also on the rise.
- Breaches through the supply chain have increased from 44% to 61% in 2021.
Enhancing coverage against cyberattacks is necessary, but expensive. Costs also inevitably increase around practices like network security, threat detection, security monitoring, identity management, firewalls, governance activities, application security, and more.
So, should your organization get cyber liability insurance? If confidential data is essential to the business, and you can find room in the budget, it’s highly recommended.
Reduce Vulnerabilities with JumpCloud
One way to reduce vulnerabilities, and lower coverage expenses, is to switch from on-prem to the cloud. In this event, a SaaS provider with a proven software development lifecycle (SDLC), a security operations center (SOC), and an experienced team is taking on some of the risk.
This partnership gives insurance providers more confidence in your ability to minimize loss in the event of a breach. The JumpCloud directory platform combines identity and access management (IAM), mobile device management (MDM), and audit reporting functionalities in one frictionless location. Further, JumpCloud has completed a SOC 2 Type II examination for its directory platform.