The Changing Landscape of Cyber Insurance

cyber insurance depiction

In a world where every organization is a potential target for cyber attacks and their devastating consequences, all businesses today need cyber insurance. Ransomware incidents have increased over the past decade and the cost to recover from a cyber attack, insofar as it is possible, is extremely expensive. $2.98 million is the average cost of a data breach for small businesses, according to IBM and the Ponemon Institute.

Not surprisingly, the cost of corporate cyber insurance premiums doubled in the past year and coverages are being reduced. According to Bloomberg, “A typical small business that previously paid $10,000 annually for $5 million worth of coverage in the event of an attack is now likely paying closer to $20,000, with just $1 million worth of protection.” 

Despite the fact that 83% of SMBs are not financially prepared to recover from a cyber attack, 91% haven’t purchased cyber liability insurance. That might be because many SMB owners don’t know what, exactly, cyber insurance covers.

The US Federal Trade Commission (FTC) states, “Cyber insurance is one option that can help protect your business against losses resulting from a cyber attack. If you’re thinking about cyber insurance, discuss with your insurance agent what policy would best fit your company’s needs, including whether you should go with first-party coverage, third-party coverage, or both.”

The following tips are from the FTC web page on cyber insurance.

Make sure your cyber insurance policy includes coverage for:

  • Data breaches (like incidents involving theft of personal information)
  • Cyber attacks on your data held by vendors and other third parties
  • Cyber attacks (like breaches of your network)
  • Cyber attacks that occur anywhere in the world (not only in the United States)
  • Terrorist acts

Also, consider whether your cyber insurance provider will:

  • Defend you in a lawsuit or regulatory investigation (look for “duty to defend” wording)
  • Provide coverage in excess of any other applicable insurance you have
  • Offer a breach hotline that’s available every day of the year at all times

First-Party Coverage

First-party cyber coverage protects your data, including employee and customer information. This coverage typically includes your business’s costs related to:

  • Legal counsel to determine your notification and regulatory obligations
  • Recovery and replacement of lost or stolen data
  • Customer notificationand call center services
  • Lost income due to business interruption
  • Crisis management and public relations
  • Cyber extortion and fraud
  • Forensic services to investigate the breach
  • Fees, fines, and penalties related to the cyber incident

Third-Party Coverage

Third-party cyber coverage generally protects you from liability if a third party brings claims against you. This coverage typically includes:

  • Payments to consumers affected by the breach
  • Claims and settlement expenses relating to disputes or lawsuits
  • Losses related to defamation and copyright or trademark infringement
  • Costs for litigation and responding to regulatory inquiries
  • Other settlements, damages, and judgments
  • Accounting costs

Security measures insurers are requiring for coverage

“Insurance carriers are now requiring a slew of security items in order to even get a policy,” said Robert McClure, Director of Technical Services at JDL Technologies. He has seen this firsthand working with the company’s managed services clients. “Tending to your organization’s cyber hygiene is key to protecting your business and to getting a cyber insurance policy.” McClure says most underwriters require the following security measures:

  • Two factor authentication (2FA) or multi-factor authentication (MFA)
  • Email security or spam filtering services
  • Advanced anti-virus such as endpoint detection & response (EDR)
  • Employee education on cyber security with both an annual security awareness training and regular phishing tests

In his capacity as a virtual CIO, McClure also helps clients with assessments and planning. “In order to improve your security posture, you need to understand several aspects of your business first. You need to have a clear understanding of your data governance – where data originates, where it’s housed and how it’s shared.”

McClure recommends conducting a risk assessment to identify current vulnerabilities and implement risk mitigation strategies. “You need to vet your third-party vendors, too. Adopting a zero-trust security model is something insurers like to see. It shows how serious you are about protecting your business.” Finally, he recommends developing a plan for simple security actions, like installing software patches regularly, as well as detailed incident response and disaster recovery protocols. “It’s like the Scouts say – be prepared.”

And now there’s war…

Most cyber policies cover companies against business interruption losses and the repair of hacked networks following a cyber attack, but contain exclusions for war. Russia’s 2022 invasion of Ukraine has raised fears of increased cyber attacks against Western businesses and government agencies. It is not altogether clear which cyber attacks insurance companies will consider “acts of war.”

Last month Reuters reported that insurance company Munich RE was planning to add wording to its cyber insurance policies to exclude war, so as to avoid disputes over what is covered. Bloomberg wrote, “In new wording added to contracts recently, all that’s needed to invoke such a provision is for a government to declare the hack to be state-backed. And an insurer can merely rely upon inference which is objectively reasonable in doing so. That means that a hack connected to Russia’s war on Ukraine, for example, might trigger the escape clause, leaving insurance clients out of luck.” If you enjoy legalese, you can read examples of Lloyd’s exclusion language surrounding war and cyber war here.

What this means to business owners and their employees

The impact of this to business owners is clear: increased costs and complexity.  The impact to employees, less so: we all must do our part and expect changes to our normal workday, including increased use of security models with multifactor authentication (MFA) and Security Awareness training and testing. Fortunately, JDL Technologies can help you reduce complexity and increase security to meet the requirements of cyber insurers.

The teams at Ecessa and JDL Technologies stand ready to help you with your cybersecurity needs. Contact us today to get started.