Cyber insurance is a policy that covers expenses and responsibilities arising from cyberattacks or computer incidents. As this coverage can help with financial and legal costs that stem from cyber incidents, maintaining it can be a savvy strategy to protect business assets and brand reputation.
Some insurance companies provide coverage for specific cybersecurity events in their standard business liability products, such as in a Business Owners Policy (BOP), or offer it as an additional option. However, these policies typically cover a limited range of cyber threats. Accordingly, businesses aiming to manage risks often decide on a separate cyber insurance policy tailored to their unique risks.
Cyber threats include malware, ransomware, bot attacks, data theft, and unauthorized use of an organization's network, data, or devices. According to Verizon's 2023 Data Breach Investigations Report, attackers primarily gain access through stolen credentials, phishing, and exploitation of vulnerabilities.
Cyberattacks can lead to financial and reputation issues. These issues include unhappy customers, lost money, penalties, lawsuits, lower company value, and difficulties managing resources. The first line of defense is knowing your attack surface and creating an incident response plan. Preparedness should also include a plan for managing the financial and legal implications that can arise.
Any organization, regardless of size, can be an attractive target. Attackers seem to be especially interested in companies that handle or store private or other types of valuable data, including:
Cyberattacks have become increasingly sophisticated, expensive, and far-reaching. The federal government has increased its monitoring of the threat landscape due to the growing vulnerability of U.S. infrastructure. Hits to large banks, student loan servicers, and high-profile tech brands like Twitter, Uber, and WhatsApp have made headlines for years.
However, breaches impacting small businesses have also wreaked havoc. An incident at a startup in 2022 exposed the personal data of over 50,000 users, leaking home addresses, email, and some credit card details. Some network intruders aim to steal the intellectual property, brand strategy, and trade secrets of up-and-coming innovators. Hackers often also go after other operational data, such as email accounts, preventing a business from engaging with customers.
"Will a breach happen to our organization?" has been replaced by "When a breach happens, how will we be prepared to resolve it, minimize the damage, and return to normal operations as quickly as possible?"
According to the IBM Cost of a Data Breach Report 2023, the global average data breach cost in 2023 was $4.45 million, a 15 percent increase over three years. The FBI reported in 2022 that the potential total loss in the landscape it monitors grew from $6.9 billion in 2021 to more than $10.2 billion in 2022.
In addition to financial and legal liabilities, cyber incidents can spark regulatory penalties, adding to the overall costs. For example, an online fashion retailer incurred a fine of $1.9 million from the state of New York by failing to disclose a data breach in years prior that impacted 39 million consumers. When looking at these or other estimates about data breaches, keep in mind:
1. Many incidents go unreported because of a target's fear of reputational or legal ramifications.
2. Cyberattacks can impact future revenue and profits, especially if the breach and subsequent fallout aren't appropriately mitigated.
Standard cybersecurity liability policies can cover costs typically associated with the most common cyber risks such as ransomware, malware and phishing scams, and similar breaches:
Standard cyber risk coverage can help mitigate the costs of a breach investigation and loss of income during downtime. However, many insurers don't provide coverage for other repercussions that can occur after an incident. Uncovered losses can include:
Also, many cyber insurance providers don't cover costs to replace hardware or other property damaged in a cyber incident. However, businesses may be able to mitigate these costs with coverage under commercial property insurance. While insurers typically won't reimburse policyholders for establishing a virtual private network (VPN) or training employees to prevent future attacks, policyholders may be offered incentives for implementing these preventive measures.
The continued rise in cyber incidents and related costs creates challenges for forecasting and risk pricing. Premium rates vary based on company needs and operations, so they can be low for some organizations and high for others. Some insurers offer access to cybersecurity experts and resources for faster data recovery and resuming normal operations. Ultimately, a policy premium can be cheaper than the costs of starting over or paying legal fees after an incident.
An insurance professional can help you find the right amount of coverage for your organization's unique cybersecurity needs. Discuss how cyber policies handle email compromise, phishing scams, and other security risks, and address your company's liability concerns. Insurers may provide guidelines or requirements for how your organization can handle incidents. Be sure to evaluate how those restrictions might impact operations.
Triple-I remains committed to policyholder awareness and education. To learn more about cybersecurity threats, check out our additional resources below. Also, follow our blog for an insider look at trends in managing cyber liability risks.