Cyber insurance, also known as cyber risk insurance, refers to a contract that companies can purchase to reduce the risks associated with conducting business online. Cyber insurance covers your organization’s risks due to data breaches caused by a cybersecurity incident.
The number of cybercrimes is increasing, and that means more companies are being put at risk from data breaches, ransomware, and other forms of cybersecurity incidents. Although various solutions within your cybersecurity platform can help protect your business and stop these breaches before they happen, your organization may still be liable for any sensitive information stolen due to a cyber risk event.
With cyber insurance, the liability of the company to pay for any damage caused by a cybersecurity attack is minimized, which alleviates the financial consequences in case something happens. Think of it as an option to mitigate the cyber risk that comes with doing business online.
A lot of the ideas presented here come from Steven Haase. He was the CEO of INSUREtrust, a company that specializes in cyber insurance, from 1997 to 2020, a span of more than 20 years that began in the early days of the Internet as we know it today. He’s become an authority on the market and coverage developments and is widely respected for his contributions.
Twenty years ago, in 1997, Steve Haase is credited with creating the first internet liability policy, to which the origins of cyber insurance can be traced. The widespread adoption of internet use at the time was a major factor, and traditional policies such as CGL and E&O failed to cover the emerging threats posed by the digital realm. Nowadays, what was once known as an internet liability policy is called a cyber risk policy.
What does cyber insurance cover?
Any loss, compromise, or theft of electronic data can negatively impact your business. This can include a loss of trust in your business that translates to lost customers or the potential financial costs that come with recovering from an attack. Cyber insurance can help reduce this financial risk and prevent your business from paying for everything out of pocket.
Cyber insurance can help reduce:
- Legal fees
- The cost of restoring the personal identities of affected customers
- The cost of recovering compromised data (as in the case of ransomware)
- The overall cost of repairing any damage to compromised computer systems
- The financial cost of notifying customers of any possible data breaches
As more people transact online, more of their data is available for malicious actors to collect. Investing in cyber insurance can be an effective and smart way to reduce the overall risk to the business, should a breach occur.
Who needs cyber insurance?
Any business that creates, stores, or manages electronic data online can benefit from cyber insurance. Sensitive customer data such as contact numbers, sales records, personally identifiable information, and credit card numbers are lucrative targets for criminals. E-commerce businesses can also benefit from cyber insurance, as downtime due to ransomware or other cyberattacks can negatively impact a business’s finances.
What does cyber insurance not cover?
The coverage offered by a cyber insurance policy depends on what type of insurance is needed, and on the company. There are several things that cyber insurance policies do not cover:
- Any pre-existing breaches or cyber events that occurred before the policy was purchased
- The general costs to improve the technological systems of the company, including the cost of new applications as well as the strengthening of security systems
- Cyber events initiated and caused by employees or insiders
- The company not fixing known vulnerabilities. If a vulnerability is discovered and the company does not fix the issue, the insurance may not cover losses caused by the resulting breach.
- Infrastructure failures due to external factors other than an intentional attack or cyber event
Obtaining cyber insurance for your business can potentially be more difficult now than in the past. As more data becomes available online, insurers are fighting back, forcing companies to pay expensive premiums for more prescriptive policies. Many insurers even require you to use certain systems in your cybersecurity platform, such as endpoint detection and response (EDR).
Depending on several factors, insurers may not offer a solid policy at a low price. However, there are some things you can do to lower your premium cost.
Make sure you meet any requirements your potential insurer asks for. As highlighted above, the insurer may require your cybersecurity platform to include specific features.
There are also multiple factors that insurers consider when determining the cost of cyber insurance:
- Business history and client files
- Customer demographics
- Policy terms, such as various insurance plans
- Any potential risk of exposure
- Your company’s overall cybersecurity risk posture
It is important to take this information into account when looking for cyber insurance.
Maintaining the cyber hygiene of your company
One potential method that can reduce the cost of cyber insurance for your business is to maintain a cyber hygiene routine. By being proactive, you can help reduce the risk of cyberattacks, allowing your insurer to offer you better policies with lower premiums. It is an important point for your company and should be a priority when looking for a cyber insurance policy that works for your needs.
Keep an eye on your assets. Make sure you have a way to audit event and incident logs. You’ll also want to identify any devices and software that have access to these assets – whether authorized or not. This will help confirm that unauthorized personnel are not accessing your assets.
Your company must configure and monitor all access and administration rights. Set up and follow privilege rules to ensure that access to important data is not being granted to unauthorized employees or outsiders. Also, take the time to deliberately manage your hardware and software configurations. Monitoring the use of network protocols, ports, and devices is a great way to practice better cyber hygiene. Detect any unauthorized traffic and stop it before data can be leaked. You should also configure and implement security protocols on all firewalls and routers to help mitigate cyber risk.
Immediately patch any vulnerability or problem. Use risk-based patch management strategies to prioritize severe vulnerabilities. Make sure all software and apps are updated to the latest versions to avoid potential exploits.
Data recovery and protection should be another key part of your company’s cyber hygiene routine. Maintain backups and enforce data protection. Multi-factor authentication can be a great way to protect data and limit access to important assets.
Implement sandbox analysis protocols to facilitate the examination and blocking of any malicious email or other communications. Use the latest versions of security solutions at all layers to prevent exploits of older vulnerabilities. Use your security platform to detect early signs of attacks and intrusions, and remediate these attacks before they can reach data and assets. Use up-to-date machine learning and artificial intelligence systems to increase monitoring capabilities. In this way, your security experts will be able to detect vulnerabilities before they can be exploited by cybercriminals, allowing you to patch them as soon as possible.
Finally, educate and test your systems and security professionals so they’re always on top of the latest cyber risks and global events. Give your security team the tools to handle cybersecurity events. Run test scenarios to improve response time and train security teams to prepare for a real attack.
With all of this in mind, you can reduce the cost of your insurance premium while mitigating overall risk to your business.
Is cyber insurance an effective replacement for a cyber defense?
No. Cyber insurance does not eliminate the need for a cyber risk management policy. Although it is recommended that businesses purchase cyber risk insurance, it should only be considered as an option, not a requirement.
Instead, a cyber insurance policy should act as a complement to the security that already exists in any company’s risk management plan.
Cyber insurance should be thought of as an effective strategy to leverage new or existing cyber defense plans rather than as a replacement or alternative.