What is Cyber Insurance and How Does It Work?

The University of Maryland found that there is an average of 2,244 cyberattacks per day. That is one every 36 seconds.  A lot of these attacks are targeting small and medium-sized businesses. Hackers aren’t just going after the big guys anymore.

As the threat level continues to rise, companies are finding it harder to keep cybercriminals away.  It's not a matter of if you'll get attacked; it's a matter of when, and how bad the damage will be.

The attacks continue to increase and so does the financial impact on businesses.  According to the World Economic Forum, the average cost of cyber attacks due to malware is $1.4 million. This doesn’t include hidden costs such as loss of talent, reputational damage, or declining stock prices.

How are companies protecting themselves from these costs?  They are turning to cyber insurance.

What is cyber insurance?

Cyber liability insurance is an insurance policy that provides businesses with a combination of coverage options to help protect the company from data breaches and other cyber security issues.  The insurance policy doesn't protect you from the attack itself but from the costs associated with being attacked. The level and cost of coverage for your business depend on the insurance carrier.  Just like your homeowner's insurance, the more you want to cover, the higher the price.

In 2020, the average cost of cyber insurance policies in the U.S. was about $1,500 per year.  For 2022, I’ve seen policy premiums as high as $5,000 per year for some companies.

There are steps you can take to help reduce the overall costs of your cyber insurance policy.

Steps to reduce costs

Most cyber insurance policies will require that you have certain protective measures in place.  For example, some insurance carriers are requiring companies to have multi-factor authentication for all critical applications to get cyber insurance.  Companies will get charged more for a policy if they have bad security practices than if they have excellent preventative measures.

Here is a list of preventative measures insurance carriers might look at when assessing a business's risk:

  • Perform an annual risk assessment.
  • Create an incident response plan.
  • Conduct regular penetration testing, at least once per year.
  • Have a strong password control policy.
  • Make sure you have multi-factor authentication on critical applications, including email.
  • Encrypt sensitive data and personal information.
  • Make sure that all systems have endpoint protection and anti-virus software in place.
  • Provide continuous employee security training.
  • Be in compliance with any regulatory requirements such as PCI, HIPAA, SOX, etc.

Overall, following good security practices will help reduce the cost of your cyber insurance policy.

After signing up for a policy, it’s important to know what is and isn’t covered in your policy.  Don’t just stick it in a file and forget about it.

Cyber insurance can help cover

Insurance won’t cover everything, but your policy should help cover the following:

  • Legal services to help you meet state and federal regulations
  • Notification expenses to alert affected customers
  • Extortion paid to recover locked files in a ransomware attack
  • Lost income from a network outage
  • Lawsuits related to customer or employee privacy and security
  • Regulatory fines from state and federal agencies

Cyber insurance policies don't cover everything.

Cyber insurance probably won’t cover

While cyber insurance provides financial protection for businesses, it doesn’t cover every possible risk and cost.  Some things a typical cyber insurance policy might exclude are:

  • Upgrades – If you decide to upgrade after a data breach to prevent future incidents, your policy may not cover the cost of the upgrade.
  • Future profits – Cyber insurance doesn't usually cover potential profits that may be lost due to reputational damage.
  • Decreased valuation – If your company's valuation decreases as a result of the cyberattack, an insurance policy probably won't cover the loss.
  • War, terrorism, or insurrection – Almost all cyber insurance policies exclude coverage for loss from acts of war, terrorism, and insurrection.
  • Prior acts – They won't cover you for anything that occurred prior to the policy effective date.
  • PCI fines & assessments – I mentioned above that cyber insurance covers regulatory fines; PCI fines and assessments are the exception.  Most policies exclude coverage for PCI fines specifically.

Your policy might be different.  Review your policy with your insurance agent and understand what is and isn’t included. The wrong time to realize you aren’t covered is after you’ve been attacked.  That’s when you’ll need it most.