Cyberattacks and data breaches are becoming more frequent and costly, posing a serious threat to the security and continuity of businesses of all sizes and industries. According to a report by IBM, the global average cost of a data breach in 2023 is USD 4.45 million, a 15% increase over the past 3 years. A similar report in 2021 also found that the average time to identify and contain a breach was 280 days, with the most common causes of breaches being malicious attacks, human error, and system glitches. One of the most effective ways to prevent the monetary and reputational loss of such breaches is to get cyber insurance.
This blog will show you the intricacies of Cyber Insurance, how insurance premiums are calculated, the factors insurers consider before granting cyber insurance to companies, and how to beat the crowd by obtaining the much-needed cyber insurance using the Complyan platform.
Cyber insurance is a type of insurance that helps businesses protect themselves from the financial losses and legal liabilities caused by cyberattacks and data breaches. Cyber insurance covers various expenses and damages that result from cyber incidents, such as customer notifications, credit monitoring, forensic investigation, legal fees, fines, and ransom payments. It can also provide access to expert services and resources that can help businesses prevent, mitigate, and recover from cyber incidents.
“Some Cyber Insurance Providers are excluding Ransomware Liability coverage unless they demonstrate robust measures are in place.”
How Cyber Insurance Differs from General Business Insurance
Cyber insurance differs from general business insurance in several ways. General business insurance policies, such as property, liability, or professional indemnity insurance, cover physical or tangible losses and damages resulting from accidents, natural disasters, theft, vandalism, or negligence. However, these policies usually do not cover losses and damages that result from cyberattacks or data breaches. These cyber-related losses and damages can be significant and can affect not only the business itself but also its customers, partners, suppliers, and other stakeholders.
Cyber insurance can fill the gaps and provide more comprehensive protection for cyber-related losses and damages. Cyber insurance can cover various types of expenses and benefits that general business insurance policies may not cover, such as:
- Incident response: Cyber insurance provides access to expert services and resources that can help businesses respond to cyber incidents quickly and effectively. These services and resources may include forensic investigation, crisis management, public relations, legal advice, and breach notification.
- Legal liability: Cyber insurance can cover the legal costs and settlements that businesses may face because of cyber incidents. These costs and settlements may arise from third-party claims by customers, partners, suppliers, or regulators who have suffered losses or damages due to the breach of data privacy or security obligations by the business.
- Business interruption: Cyber insurance can cover the loss of income and extra expenses that businesses may incur as a result of cyber incidents that disrupt their everyday operations. These expenses may include restoring or replacing damaged systems or data, hiring temporary staff or equipment, or relocating to an alternative site.
- Data restoration: Cyber insurance covers the costs of recovering or recreating lost or corrupted data that is essential for the business. These costs may include hiring data recovery specialists, purchasing new software or hardware, or paying ransom demands.
- Reputational harm: Cyber insurance can cover the loss of goodwill and customer loyalty that businesses may suffer due to cyber incidents that damage their reputation. These losses may include reduced sales, increased marketing costs, or decreased market share.
Cyber insurance gives businesses peace of mind and confidence that they are prepared for and protected from cyber risks.
How Providers Calculate Cyber Insurance Premiums
Cyber insurance premiums are how much businesses pay to obtain cyber insurance coverage. Cyber insurance premiums are calculated based on the level of risk that a business faces from cyber threats. The higher the risk, the higher the premium. Some of the factors that affect cyber insurance premiums are:
- The size and industry of the business: Larger businesses and businesses in high-risk industries, such as finance, health care, and retail, tend to pay more for cyber insurance because they have more data and assets to protect and are more likely to be targeted by cybercriminals.
- The type and amount of coverage: Different cyber insurance policies offer different types and amounts of coverage for various cyber risks. Businesses can choose the coverage that suits their needs and budget, but generally, more comprehensive coverage will cost more than basic coverage. A policy that covers first-party and third-party losses, such as incident response, legal liability, business interruption, data restoration, and reputational harm, will be more expensive than a policy that only covers one or a few of these losses. Similarly, a policy with a higher coverage limit or a lower deductible will be more expensive than one with a lower coverage limit or a higher deductible.
- The security posture and practices of the business: Businesses with strong security measures and practices, such as data protection controls, data loss prevention and encryption, next-generation firewalls, EDR, immutable backups, employee training, and incident response plans, can reduce their cyber risk and lower their premiums. Businesses that have poor security hygiene or have experienced previous cyber incidents may face higher premiums or even be denied coverage.
- The claims history and loss experience of the business: Businesses that have filed claims or suffered losses due to cyber incidents in the past may have higher premiums than businesses that have not. This is because insurers use historical data and statistical models to estimate each business’s likelihood and severity of future cyber incidents.
Cyber insurance premiums are not fixed and may change over time as the cyber threat landscape evolves and new data becomes available. Businesses can review their cyber insurance policies regularly and update their security measures and practices to keep their premiums affordable and their coverage adequate.
What Insurance Providers Look For
Obtaining cyber insurance in the current market is not easy. Due to the high frequency and severity of cyber incidents, many insurers have become more selective and cautious in underwriting cyber risks. Some insurers have increased their premiums, reduced coverage limits, or exited the market altogether. For businesses seeking cyber insurance, demonstrating a solid commitment to cybersecurity and implementing relevant precautions are pivotal to overcoming these challenges. Insurance providers closely scrutinize a business’s cybersecurity attitude and the precautions it has taken. Here are the key aspects:
- Cybersecurity Culture: Insurers seek a genuine commitment to cybersecurity within the organization. This involves fostering a culture of awareness and responsibility among employees, promoting security best practices, and emphasizing the importance of safeguarding sensitive data.
- Leadership Involvement: Active involvement of senior leadership in cybersecurity initiatives is a positive indicator. It signifies that cybersecurity is a top-level priority and receives the necessary attention and resources.
- Continuous Improvement: Demonstrating a commitment to ongoing cybersecurity improvement is crucial. This includes regularly assessing vulnerabilities, adapting policies to address emerging threats, and staying up-to-date with industry best practices.
- Risk Assessment: An in-depth risk assessment is fundamental. Insurers want to see evidence that your organization has identified potential vulnerabilities, assessed their potential impact, and has a plan to mitigate these risks.
- Cybersecurity Policies: Having well-documented and comprehensive cybersecurity policies and procedures in place is essential. These documents should outline how your organization handles data protection, employee training, access controls, and incident response protocols.
- Incident Response Plans: Providers require proof of a well-structured incident response plan. This plan should detail the steps your organization will take in the event of a data breach or cybersecurity incident, including communication protocols and remediation strategies.
- Employee Training: Insurers place a high value on an educated workforce. They want assurance that your employees are trained to recognize and respond to threats effectively. Evidence of ongoing training and awareness programs is beneficial.
- Security Technologies and Tools: Demonstrating the use of robust security technologies and tools is vital. This shows that your organization actively invests in cybersecurity defenses, such as a CSOC, NGFW, DLP, EDR, and backups.
Common Questions from Insurance Providers
- The Insured runs industry-grade firewalls and anti-virus software across their network.
- The Insured encrypts all portable media, including phones, tablets and USB memory sticks.
- The Insured secures remote access to their network and data.
- The Insured has a Business Continuity Plan in place, as it pertains to Cyber perils, and has been tested within the past 12 months, and/or the Insured has access to multiple data centres / cloud environments in the event of system outage.
- The Insured has a procedure in place to back up critical data at least once per week.
- Confirmation that the Insured has processes in place to identify and apply critical patches.
- Confirmation of whether the Insured outsources any element of their network, and if so, what part and to whom.
- Confirmation that the Insured segments its production network from its external-facing websites etc.
- Confirmation that the Insured, during the past 12 months, can confirm ‘No’ to the following:
  - Experienced any unscheduled or unintentional network outage, intrusion, corruption or loss of data.
  - Become aware of any privacy violations or compromise of personally identifiable information.
  - Notified any customers that their information may have been compromised.
  - Become aware of any circumstance or incident that could be reasonably expected to give rise to a claim against the Cyber Insurance policy under consideration.
Obtaining Cyber Insurance Compliance Through Complyan
Complyan is an all-in-one GRC automation platform that not only supports cybersecurity compliance, data protection, and third-party risk management but also assists organizations in obtaining cyber insurance by demonstrating the robust level of controls implemented.
- Cybersecurity audit: Complyan helps organizations conduct a comprehensive cybersecurity audit that assesses their security posture and identifies their strengths and weaknesses. The audit can also benchmark their security performance against industry standards and best practices, such as ISO 27001, NIST CSF, or CIS Top 20 Critical Controls. The audit provides customers with a detailed report and recommendations on improving their security and reducing their risk, and its findings can be used to provide information to cyber insurance providers.
- Cyber risk management: Complyan helps organizations assess and manage cyber risks by quantifying and classifying their assets, using metrics and Key Risk Indicators to assess effectiveness, monitoring for potential vulnerabilities, and considering the organization’s risk appetite. In doing so, the organization can manage risks better for a higher chance of securing lower premium cyber insurance.
- Financial Analysis: Complyan helps organizations understand the cost and likelihood of a breach and compare them to the insurance premiums quoted by providers, so they can perform a cost vs. benefit analysis.