MENU
In our tech-savvy world, data breaches, viruses and cybercrimes can cripple a business. While proper cybersecurity software is a crucial first line of defense, even the best programs don’t guarantee protection from complex attacks. If you want extra protection, consider taking out a cyber insurance policy for your business. Here’s what you need to know about cyber insurance to protect your online assets.
Data breaches and other cybercrimes can damage a business’s reputation and put both customers’ and employees’ personal information at risk. Breaches can also result in significant fines and legal fees for companies of all sizes. Cyber insurance can help protect against these negative outcomes by covering a business’s liability for any data breaches involving sensitive customer information, including credit card data, bank account numbers, health records, driver’s license numbers and Social Security numbers.
Cyber insurance can help companies notify customers about data breaches involving their personal information. (This process is mandatory in most states and can quickly become expensive.) Cyber insurance policies also protect businesses against cyberattack damages and help cover the cost of restoring and recreating any lost or compromised data. Finally, cyber insurance can offer free credit monitoring and public relation services following a data breach and help restore the personal identities and credit history of any affected customers.
Becoming the victim of a cyberattack can be expensive. Cyber insurance helps businesses recover after being targeted by hackers or other malicious actors.
Generally speaking, cyber insurance packages cover one of three major issues: risks to the business, liability for claims and any consequences of those claims. As such, there are three primary categories of cyber insurance that cover each of these issues: first-party liability, third-party liability and general benefits.
A first-party cyber insurance package protects all people directly involved in the data breach or incident. It typically offers coverage to the victim for various issues, including data destruction, extortion, online theft, hacking, and deliberate or accidental denial of service. The package is designed to cover the policyholder’s costs for the fees, damages and inconvenience resulting from the incident. These are some common insurance configurations:
>> Learn More: Business Insurance Guide
Third-party liability cyber insurance protects policyholders who offer professional services to other businesses, specifically if those services are susceptible to digital threats. These may include errors of commission, errors of omission, data breaches, data theft or business secrets, and defamation and related negative publicity. These are some common options in liability insurance:
Cyber insurance should match the needs of your business, so consider which circumstances are most likely to affect you before choosing a particular type of cyber insurance policy.
A general benefits package covers various other benefits associated with cyber insurance. These may include structured and planned security audits, post-incident management, public relations initiatives and support, criminal reward funds, and major investigations and reports.
Any company that handles or uses digital information can benefit from extra protection. However, certain business types or activities increase the need for a cyber insurance policy. Organizations that use any online or offline computer system to handle sensitive customer data (such as names, addresses, health information, credit card data and Social Security numbers) should strongly consider purchasing cyber insurance. Businesses in industries with specific standards for customer confidentiality — such as healthcare, education and finance — would also be wise to look into cyber insurance.
The size of a business is also a factor in which type of cyber insurance to purchase. For example, large businesses should opt for a cyber liability insurance package, which broadly covers financial losses due to cyberattacks or other tech risks, as well as any subsequent privacy investigations or lawsuits. This level of protection may not be necessary for small businesses dealing with lower volumes of customer data. Instead, they may consider purchasing data breach insurance, a type of cyber insurance that helps companies respond to the breach in the event of lost or stolen personal information.
However, it is still possible for small businesses to fall victim to a major cyberattack, especially as more and more people work remotely, so a comprehensive cyber insurance package covering both data breaches and attacks is the safest option for most businesses.
On top of investing in cyber insurance, businesses must also take proactive steps to prevent issues from occurring in the first place.
“By taking proactive steps to combat cyberattacks, organizations avoid not only massive breaches but also the consequences of the breach’s aftermath,” said Grant Burst, director of sales engineering at Wallix. “Spending money and time to invest in proactive cybersecurity solutions has countless benefits for organizations. While most companies don’t think their information will ever be compromised, with the increase of breaches in the last few years, it’s not a matter of if your company will face a breach, but when.”
Burst added that businesses could suffer financial loss, loss of trust and operational downtime if they don’t take cybersecurity seriously.
Small businesses are not immune to cyberattacks just because of their size. In fact, cyberattackers know small businesses tend to have less sophisticated cybersecurity measures in place, which makes them attractive targets.
While the exact coverage will depend on the specific policy or type of coverage you seek, cyber insurance can generally protect businesses against the ramifications of a cyberattack or data breach.
In the event of a data breach, cyber insurance can help pay to notify any affected clients or employees and hire a PR firm to mitigate reputational damages. It can also offer credit-monitoring services to victims of the breach, a typically voluntary act that can go a long way in fostering goodwill with your customers.
Cyber insurance can also help cover a variety of fees for businesses that fall victim to a cyberattack. These include regulatory fines from state or federal agencies (as well as fees for legal services to help you meet their requirements), lawsuits related to customer or employee privacy and security, the expenses of notifying affected customers, and lost income or paid extortion.
It’s important to understand that cyber insurance does not cover every type of claim. You may need to purchase other types of insurance to ensure appropriate protection for every facet of your business. These are some types of insurance policies that cyber insurance doesn’t generally include:
Create a cybersecurity plan to help protect your business. Identify vulnerabilities and take steps to fortify them by implementing the necessary technology and educating employees on best practices.
As of May 2023, the average cost of cyber insurance in the U.S. is $1,740 per year (or $145 per month), according to Tech Insurance. However, several factors impact how much your business will pay for coverage. Generally speaking, larger companies pay more than smaller companies because of their increased risk of phishing and social engineering attacks. Organizations in high-risk industries, such as healthcare and higher education, also face higher fees.
The amount and sensitivity of data will also impact the cost of cyber insurance. For example, local businesses with a small customer base will pay less than hospitals with large amounts of sensitive personal and health data. These companies will need third-party coverage in case customers blame them for a data breach. Additionally, companies with higher revenue are seen as bigger risks, so they have to pay more for cyber insurance. Insurers will also look into your claim history. If you have made multiple insurance claims, you will likely have higher premiums.
Check your state’s requirements for insurance in your industry. Particular fields — like construction or real estate — will require special insurance coverage, which will increase your expenses.
Finally, your coverage limits and deductible will influence the cost of your cyber insurance. Coverage limits typically range from $500,000 to $5 million per occurrence; the higher your coverage limit, the more your business will pay. However, higher deductibles lead to lower premiums (and vice versa). Ultimately, cyber insurance is a necessary expense — especially given the fact that criminals are known to target small businesses because they often overlook proper security measures.
Businesses can lower these premiums by dedicating resources and efforts to preventing cybercrime, which cyber insurers often reward. You may also be able to save by bundling your policy, or paying your premium annually instead of monthly. [Read related article: The Cost of Cybersecurity and How to Budget for it]
In conjunction with other types of insurance, cyber insurance can protect your business when something goes wrong. Buying the proper coverage is well worth the peace of mind that your business has the support to make it through potential cyber disasters.
Here’s what to consider when looking for cyber insurance:
“Cyber insurance companies should have cybersecurity analysis reports that they send out to their clients,” said David Vranicar, managing partner and founder of FBS Fortified and Ballistic Security. “Ask to see past reports. See what the cyber insurance company’s responses have been to [past] situations, or at least make sure they’ve been on top of them … if they’re not transparent about that information, they’re not for you.”
Before you sign with any insurance company, carefully look over the contract for situations that allow the insurer not to pay the policy. One particular item to watch out for is “war clauses.”
“‘War clauses’ have caused problems in the past,” said Mark Stamford, founder and CEO of OccamSec. “Cyberattacks which are believed to have originated with a nation-state, such as WannaCry, enable insurers to not pay out on policies, since it’s considered an act of war. So reading any ‘war clause’ fine print is crucial, especially given how difficult attribution is for an attack.”
Finally, make sure you know how much the policy will pay out, and weigh that against the cost of the insurance.
“There is an old security formula which states the cost you spend to address something should be less than the cost you will incur if the event happens,” Stamford said. “So, if your cyber insurance policy is going to cost you $50,000, but your maximum loss is (you believe) $25,000, then don’t do it.”
However, Stamford warns that estimating the maximum loss from a cybersecurity breach is difficult. The potential loss in time, money and consumer trust may be so great that your business will never be the same again.
A cyber risk assessment may initially result in a higher premium, but it will also provide you with a thorough checklist of your cyber concerns. Improving those vulnerable areas can ultimately lower your premium.
When you choose a cyber insurance company, take the following steps to help you make the right decision for your business.
Every business has different insurance needs. And you don’t need to pay for features in a plan that your business won’t benefit from. Common cyber insurance policies may cover issues like data leaks, lawsuits and extortion. Think about how your business exists online. What issues or risks do you commonly face? What kind of insurance might your customers expect you to have?
Before committing to a cyber insurance provider, look into all of your options — and don’t be afraid to speak to brokers or agents to get a full breakdown on their coverage. You may be able to find specific providers that specialize in your industry and offer exactly what your business needs. Others may be less suited for your business. You may even discover that certain providers require you to have specific security measures in place before being covered.
Your cyber insurance will likely come with high premiums. Each year, you may need to pay anywhere from a few hundred to a few thousand dollars. This price will depend on how the provider assesses your liability, history, clients and level of risk. You may have trouble getting an accurate quote without all the pertinent information, so provide the insurance company with as many details as you can.
Although speaking to insurance agents can be helpful, keep in mind that company representatives are ultimately looking to make a sale. Find reviews for each of your potential providers online; some review platforms even allow you to filter reviews by customers similar to yourself. Do your best to find both positive and negative reviews — even if you have to hunt for them. Look out for recurring issues and complaints.
As you determine the right provider for your business, compare deductibles and coverage costs. Your deductible will need to be met with out-of-pocket payment before your insurance kicks in. Make sure your business can cover the deductible and that the coverage you receive is worth the cost.
Not every policy will cover every cyber concern. In fact, some policies may leave you vulnerable to a particular kind of threat. Even if the most basic policy works for your wallet, it may not provide the best protection — and every provider will have differing standards for their most basic policy. Carefully read the fine print to see if the insurer can meet your business’ needs.
Danielle Fallon-O’Leary contributed to this article. Source interviews were conducted for a previous version of this article.