Do you really need cybersecurity insurance? Well, that depends!
The number of businesses that took out cyber insurance policies in the last few years has skyrocketed, thanks to a drastic increase in cyber attacks during the pandemic. This also means more claims were made. Thus, rates have increased and insurance providers have become way more selective about who and what gets covered.
With escalating costs, many businesses are now deliberating whether cyber insurance is actually worth it - read on to learn the pros and cons.
Table of Contents
What is Cyber Insurance, Anyway?
Why Cyber Insurance Policies are Changing
Who Really Needs Cyber Insurance?
What Does Cyber Insurance Cost?
What is NOT Covered by Cyber Insurance?
How to Qualify for Cyber Insurance in 2022
Cyber Insurance Checklist
Is Cyber Security Worth it for My Business?
There probably aren't too many business owners out there who have NOT heard of cyber insurance, but put simply:
Cyber security business insurance is a coverage policy for organizations that suffer financial losses resulting from a cyber attack.
Cyber insurance typically covers items such as:
A good insurance policy can help cover many of these expenses, with one small caveat:
You must get absolute clarity from your insurer about what they do and do not cover.
And that's where it can get complicated.
First, let's set the stage.
At the risk of repeating yet more scary statistics on cybercrime, here are a few key ones:
It's no wonder there has been a mad dash to purchase cyber insurance!
But of course, along with all those purchases came the claims, which have jumped over 100% annually since 2020.
This jump took a toll on insurance providers, who watched their profits decline sharply. To adapt, the cost of cyber insurance policies rose 22% in 2020 and 74% in 2021, according to FitchRatings.
In the first quarter of 2022, some companies saw rate increases of 83.3%! And as cyber liability insurance premiums have climbed, policy limits have shrunk.
Many insurance carriers have attempted to limit exposure by limiting capacity, offering policy limits about half as large as those offered in the 2021 renewal cycle.
And that's not all.
Most insurers have also attempted to limit risk by tightening up on their terms. Additional restrictions are starting to creep in.
As an example, many major carriers have adopted exclusions for catastrophic cyberattacks conducted by "state-backed actors," a very slippery slope.
Of course, in order to qualify in the first place, you must pass a cyber risk assessment as part of the insurer's underwriting process, which has gotten a lot more stringent.
There are definitely industries that need cyber insurance more than others, simply because they’re exposed to greater cyber risk and liability.
The organizations that should be particularly interested in purchasing cyber insurance are the ones responsible for collecting and storing personal financial records and personal health records (such as credit card data, patient files, doctor information).
To put it bluntly, if your business handles sensitive personal information, you probably need to prioritize cyber insurance.
Industries that are highly regulated by state, federal and international agencies also require cyber insurance. These industries include hospitality, retail, health care, entertainment, technology and government contractors.
And finally - many companies are simply contractually obligated to have a cyber insurance policy. If you can't win business without it, then clearly you need to jump into the pool.
There's no easy answer on this one.
Premiums for cyber insurance vary depending on many factors, including the strength of your cybersecurity measures, the types and amount of coverage included in your policy and the size of your business.
The cost per year of cyber insurance can range from as little as a few thousand for a small business to tens of thousands of dollars for bigger companies.
In 2021, the average cost of cyber insurance was $1,589 per year, compared with $1,485 in 2020. However, as mentioned above, the average cost of premiums has risen dramatically, with some policyholders paying over an 80% higher rate in 2022.
For companies where having an extensive cyber insurance policy is critical, it's not uncommon to pay thousands a month for $3M to $5M worth of coverage.
In a recent study of more than 100 CFOs by FM Global, a commercial property insurer, almost half believed their insurer would cover "most" related losses from a cyber security event.
Almost a third said they expected their carrier to cover "all" related losses.
But here's what a typical cyber insurance policy doesn't cover:
Note that while insurance will cover lost revenue during the span of the actual disruption, lost revenue related to the aftereffects is not normally covered.
Cyber insurance may be considered essential to protect you from serious pain, but it DOES NOT relieve your organization from necessary tasks such as implementing the most proactive cybersecurity protection possible.
Whether you are getting a cyber insurance policy for the very first time or renewing an existing one, be prepared for a very lengthy questionnaire with a lot of tough questions.
Cyber insurers now want to know if there is an organized and proactive effort at your company regarding cybersecurity risk management.
Most insurers will carry out a cyber insurance risk assessment as part of their underwriting process, in order to determine your premium, coverage limits and whether you even qualify for cyber insurance in the first place.
Every insurer will have different requirements, but following is a short list of the most common security controls you will likely need to have in place.
The answer is - it depends!
Most organizations should at least consider evaluating their need for cyber insurance. Like all forms of insurance, cyber insurance allows you to offload financial risk.
How big that risk is and how much you want to (or can afford to) pay is up to you to decide.
Ultimately, it’s up to you to determine whether cyber insurance is worth the cost or if you would rather take the risk of covering your own losses in the event of a breach or attack.
While cyber insurance is important, and sometimes a necessity, it should take a back seat to a broader cyber security discussion.
Insurance helps you recover from a situation, filling in the gaps when problems occur that you can’t prevent.
But preventing the problems in the first place is a crucial first step.
Cyber insurance policies don't eliminate the need for organizations to take proactive steps to secure their data.
In fact, insured customers are required to do so or their policies will be voided.
Not completing what the insurer deems "due diligence" has led to many companies being left in the cold when filing claims after an attack.
A proper security risk assessment from a qualified third party is the best way to make sure you're doing all you can to prevent cyber attacks in the first place. You are then able to proactively implement the cyber protection you should have in place anyway, regardless of insurance.
You will also be better prepared to speak to a cyber insurance representative to help you figure out which is the best policy for your company, budget and tolerance for risk.
We help many of our clients not only get prepared, but also assist them in working through this process. Filling out the forms can be daunting, and if you're paying big premiums, you really want to make sure this is done properly from start to finish!
Want to learn more about Cybersecurity Services for your business? See Ntiva’s Cybersecurity Services.