- Find out which types of cyber insurance fit your business
- Learn how much to buy and what to know beforehand
Why the Recent Buzz about Cyber Insurance (CI)
Disturbingly, cyber attacks now focus more on small businesses, which are usually less well defended than large ones. Attacks on small businesses now account for about a third of all cyber crimes. The average cost of an attack on a small business now stands at $55,000 and climbing (ransomware attacks drive the cost much higher). That sum is enough to threaten the very existence of many businesses, which is why owners are considering adding cyber insurance to their security plans.
Types of Cyber Insurance and What They Do
CI usually comes in two major categories: first-party coverage and third-party coverage. Which type (or combination of the two) your business needs depends on what your business does and what kind of data it handles.
First-Party Coverage
First-party cyber insurance covers direct harm to your business. Typically, it includes
- Recovery and replacement of lost or stolen data
- Costs associated with customer notification and call center services
- Fees, fines, and penalties for which you might be liable
- Lost revenue due to business disruption
- Expenses for crisis management and PR
- Legal counsel to determine your regulatory obligations
- Technical services to investigate the cause of the breach
- Costs associated with ransomware attacks
If your prospective or current insurer does not cover these items, you might discuss with them what your alternatives are.
Third-Party Coverage
Third-party coverage protects you from liability to others (customers, partners, or vendors) who suffer harm from a cyber-attack that happened because of an error, omission, or negligence on your part. Insurers usually sell this type of coverage separately from first-party coverage. Usually, it includes
- Payments to the third-party’s consumers affected by the breach
- Costs for litigation and response to regulatory agencies
- Claims, settlements, or other expenses arising from litigation
- Lost revenue due to intellectual property theft
- Accounting expenses
How Much to Buy
Deciding how much cyber insurance to buy can be tricky. The amount of coverage usually varies according to the size of your business and the type of data protection that you need.
Large corporations can insure their operations against massive losses that could amount to millions of dollars. Small businesses usually cannot afford to pay the high premiums that would protect against such large liabilities.
If your business collects highly sensitive personal data from your customers, it becomes more attractive to cyber criminals. That also means that the cost of a data breach is likely to be higher than if you did not need to use such sensitive information. While the average cost of a single data breach to small businesses is about $55,000, actual costs can range much higher. Therefore, you should discuss with your insurer the amount of coverage that is appropriate for your particular circumstances. If the cost of an attack significantly exceeds the amount of your coverage, it could put you out of business.
Some Things to Consider about the CI Market
Cyber insurance is a relatively new field. Because insurers have had only brief experience in this area (unlike their long experience in property or personal injury liability), they typically set limits on how much risk they will cover. That is why it can be difficult for a small business to purchase coverage that exceeds $1 million.
In addition, premiums can vary widely. If a CI carrier had to pay out on even a few large cyber-attacks, the claims could easily outstrip the total premium revenue from all of its insured clients. As a recent article in the Harvard Business Review points out, the pool of CI buyers is not growing as fast as the number and severity of cyber-attacks. So be prepared to shop around for the right coverage for your business at a price you can afford.
What You Need to Do in Addition to CI
Cyber insurance can be an important part of your security plan, but it is not a panacea. In addition to CI, you should include other measures designed to protect against an attack and to recover the ability to continue doing business when (not “if”) an attack occurs.
Other needed measures include automated monitoring of email and of how employees normally connect to your network, so that deviations from the usual pattern stand out; training employees to recognize and thwart attacks and to stay aware of new attack methods; and keeping redundant backups that are isolated from your network (offline or immutable) and tested regularly. Plain redundancy is not enough against ransomware: replicated storage that the attacker can reach gets encrypted along with the originals.
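One concrete form of the "monitor how employees normally connect" measure is a baseline-and-deviation check over login records. The following is an added example written for this page, not code from the original post or from Now IT Works; the log format (ISO timestamp, user, source country, result), the country field, the cutoff date, and the sample lines are constructed assumptions:

```python
"""Baseline-and-deviation check over login records (added example).

Illustrative code written for this page, not the original post's or Now IT
Works' tooling. The log format (ISO timestamp, user, source country, result)
and the sample lines below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN/login log: four days of normal activity, then two
# events a monitoring rule should flag (an off-hours login from a country the
# user has never used, and a success right after a burst of failures).
SAMPLE_LOG = """\
2024-03-04T08:12:00 alice US success
2024-03-04T09:30:00 bob US success
2024-03-05T08:40:00 alice US success
2024-03-05T09:45:00 bob US success
2024-03-06T09:05:00 alice US success
2024-03-06T09:20:00 bob US success
2024-03-07T08:55:00 alice US success
2024-03-07T09:40:00 bob US success
2024-03-08T03:10:00 alice RO success
2024-03-08T09:35:00 bob US success
2024-03-08T22:10:00 bob US failure
2024-03-08T22:11:00 bob US failure
2024-03-08T22:12:00 bob US failure
2024-03-08T22:13:00 bob US success
"""

# Events before this point teach each user's normal behaviour; events from
# this point on are scored against it (assumed split for the example).
CUTOFF = datetime(2024, 3, 8)


def parse_log(text):
    """Return (timestamp, user, country, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append((datetime.fromisoformat(ts), user, country, result))
    return sorted(events)


def build_baseline(events, cutoff):
    """Per user: countries and hours of day seen in successful logins before cutoff."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ts, user, country, result in events:
        if ts < cutoff and result == "success":
            baseline[user]["countries"].add(country)
            baseline[user]["hours"].add(ts.hour)
    return baseline


def _hour_is_usual(hour, usual_hours, slack=2):
    """True if hour is within `slack` hours of any baseline hour (wraps midnight)."""
    for h in usual_hours:
        d = abs(hour - h)
        if min(d, 24 - d) <= slack:
            return True
    return False


def find_anomalies(events, cutoff, fail_threshold=3):
    """Return (user, timestamp, reason) alerts for successful logins at or after cutoff."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    failure_streak = defaultdict(int)  # consecutive failures per user
    for ts, user, country, result in events:
        if result != "success":
            failure_streak[user] += 1
            continue
        streak, failure_streak[user] = failure_streak[user], 0
        if ts < cutoff:
            continue  # learning period, not scored
        when = ts.isoformat()
        if streak >= fail_threshold:
            alerts.append((user, when, f"success after {streak} consecutive failures"))
        usual = baseline.get(user)  # .get does not create an entry
        if usual is None:
            alerts.append((user, when, "no baseline for this user"))
            continue
        if country not in usual["countries"]:
            alerts.append((user, when, f"login from new country {country}"))
        if not _hour_is_usual(ts.hour, usual["hours"]):
            alerts.append((user, when, f"login at unusual hour {ts.hour:02d}:00"))
    return alerts


if __name__ == "__main__":
    for user, when, reason in find_anomalies(parse_log(SAMPLE_LOG), CUTOFF):
        print(f"ALERT {when} {user}: {reason}")
```

In practice the country would come from a GeoIP lookup on the source address, the baseline would be rebuilt on a rolling window, and a success following a burst of failures is a reason to force a credential reset and confirm MFA is enforced, not proof of compromise by itself. Note also that any attacker activity during the learning period contaminates the baseline, which is why the learning and scoring periods are kept separate here.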
Finally, if you have a robust cybersecurity plan in place that incorporates these other measures, you will be perceived as a better risk by CI carriers. That could save you money on premiums.
If your current IT team is overburdened to the point that they cannot handle these tasks, please contact us at Now IT Works. We can help.