Cyber insurance is a developing market, with businesses regularly purchasing cyber coverage alongside liability, errors and omissions, fire and flood policies. With so many attacks and data breaches happening every day, it’s important to learn about the cyber insurance protections available to you. Like flood and fire insurance, cyber insurance is there to help when a catastrophe strikes. Cyber insurance policies typically cover losses related to hacking, malware, theft, extortion, or lawsuits that arise from security breaches. This article explains important cyber insurance concepts and protections you should consider for your business.
Do You Need Cyber Insurance?
Certainly, large companies should adopt it, but SMBs should too. SMBs in particular are prime targets for hackers, so they should take a close look at cyber insurance policies. With SMBs accounting for approximately half of targeted cyberattacks, they need to do whatever they can to secure themselves, as hackers know SMBs tend to lack proper security measures. Working with an insurance company and purchasing a cyber insurance policy that helps when you most need it, immediately following a breach, is a sound decision for businesses today. Cyber insurance is a great tool to have in your toolbox, although it does take time to put in place: insurance carriers typically require a lengthy questionnaire outlining your protective measures and risk factors before they will write a policy.
If Needed, Here’s What It May Not Cover
Paying Fines & Penalties
You may want to use your insurance to pay off fines and penalties related to cybersecurity, but it’s a good idea to look at the legislation in the federal and state jurisdictions you fall under, as some jurisdictions don’t allow this. Government entities may prohibit paying fines with insurance because fines are meant to be punitive, not something you simply throw money at to make go away. CyberHoot recommends that you don’t bank on the insurance company paying off the penalties you incur, as it’s a grey area at the moment.
Compliance Not Insurable
You may be sitting there wondering, “Can I get cyber insurance to help pay for our upcoming Risk Assessments and Penetration Testing?” For any control that improves compliance, you are generally not allowed to use insurance to cover the fees. For example, awareness training, policy creation, penetration testing, risk assessments, etc. all fall into the class of controls you cannot pay for with cyber insurance. Virtually anything that proactively improves security probably can’t be funded with an insurance policy.
One point CyberHoot wants to make is that cyber insurance can certainly help with post-breach payments, for example, ransomware. It’s great that insurance companies help with ransomware costs to keep your business moving, but the breach itself can damage your business’s reputation enormously. Nearly 1 in 4 Americans will not pay for a company’s services or products if it has suffered a data breach. If you do encounter a ransomware attack, you may lose future customers (25% in theory). Reputational loss is a coverage feature in policies, but it only applies for a short period of time.
Relying on Insurance
Insurance companies help businesses get back on their feet after a breach; however, insurance is not something to rely upon. Some companies think they can “insure” their way out of breach risk. These companies believe that because they bought a robust cyber insurance policy, they don’t need an equally robust cybersecurity program. Without a cybersecurity program, it’s tough to stay secure. The problem with relying on insurance to recover from a breach is that not only will you lose customers and damage your reputation, but the payout also reduces the amount of coverage you receive the next time you have a breach. Moreover, your insurance premiums and deductibles may go up. It’s best to build a cybersecurity program with proper controls in place instead of relying solely on insurance to reduce your risk.
Know Your Insurance
Knowing what your insurance policy includes is important, as it may carry requirements that must be met in order for the insurer to provide coverage. For example, the insurance company will likely require businesses to report changes to cybersecurity controls as soon as they are implemented if those changes could materially alter a risk. If a company becomes complacent and fails to report new security measures, the insurance company may deny coverage following a breach.
As mentioned before, you shouldn’t be relying on insurance as your only line of defense. If your company doesn’t show initiative in improving security measures following a breach and continually gets hacked, you may end up unable to get insurance at all. If a business keeps costing the insurer money, the insurer may not renew the policy. Insurance companies are in business to make money, not to pay out ransomware payments for a business three times a year. If a business continues having breaches, creating a high loss ratio (what the insurer paid out ÷ what you paid in premiums), insurers can either decline to quote or charge an enormously high rate that wouldn’t make sense for most companies.
CyberHoot unquestionably recommends adopting cyber insurance for your business; it’s a must in 2020. We want business owners to know that insurance is great, but only when used as the last line of defense. Keep all of these factors in mind when adopting cyber insurance.
In addition to adopting cyber insurance, it’s vital that you ensure compliance. Companies should be training users on the cybersecurity basics and governing them with policies as well. Work with CyberHoot to bring your policy governance up to date and train your users to spot and avoid the threats they face on the Internet.