Cyber Insurance. What is it good for?
Armour Cybersecurity Small & Medium Cybersecurity Enterprises Series
Cybercrime has been on the rise, especially in the past couple of years. Criminals find Small and Medium Businesses (SMBs) especially attractive targets. This is not surprising, for a simple reason: there are many of them. In the USA and Canada, SMBs represent more than 99.8% of all companies on the market. Another factor contributing to hackers' focus on SMBs is that they lack the security infrastructure that large companies have. And yet, SMBs do have all the "goodies" that can be traded for profit, like customers' and employees' sensitive data, financial information and, of course, business system data or system availability that can be used as leverage to extort ransom money.
According to Cyber Security Ventures research, 60% of Small & Medium Businesses that become victims of a significant cyber attack go out of business within 6 months following such an event.
Why does your company need Cyber Insurance?
Being a victim of a cyber-attack can result in hefty fines, loss of reputation, high legal fees, and specialized repair fees. It is very unpleasant and stressful to go through, with a potentially high impact on your firm's ability to operate. Often, it imposes high direct and indirect costs that are very hard to anticipate.
Cyber insurance can help your business cover a significant part of those costs.
What Is Cyber Insurance?
Cyber Insurance is designed to protect your business from the high costs of a cyberattack, including ransomware payments, legal fees, forensics, and cleanup fees associated with the attack.
What Does a Typical Cyber Insurance Cover?
Not all Cyber Insurance coverages are created the same. Good Cyber Insurance covers the damage your business suffers from a cybersecurity attack. Here are a few examples of the coverage:
Forensic services – Technical services engaged during or after a cyber attack.
Breach coach – Typically a very experienced person who helps you navigate the time of crisis and orchestrates all involved parties to achieve the fastest and most cost-effective recovery.
Data and identity recovery associated costs.
Fees associated with repairing the impact on your customers or business partners.
Customer notifications and settlement costs.
Customer and employee lawsuits due to privacy breaches.
Loss of income because of network outages.
Public relations costs to restore your company's reputation.
As a business owner or executive, you should ask yourself these questions: Does my business have cyber insurance? Do I have a clear understanding of what my cyber insurance coverage includes? When was the last time I reviewed the cyber insurance policy? Was the policy driven by a "pick-the-lowest-price" philosophy, or does it reflect the real risk to my business?
Reviewing your Cyber Insurance policy to ensure proper coverage might be a good idea. We see all kinds of policies on the market, and some companies think they have good coverage until the moment their insurer denies them.
Who Needs Cyber Insurance?
We strongly recommend Cyber Insurance for everyone. Just as you have home and car insurance, you should have cyber insurance for your business. There is a limited number of thieves in your area who can break into your home; for cybercrime, however, there is no physical limitation. Hackers can target anyone around the globe as long as the victim has an Internet connection. This makes it much easier to commit a crime, as hackers do not have to be physically close to your business. Hence the chance that cybercrime will happen is significantly higher, as seen in empirical studies. Attackers have a worldwide and year-round "open season" on any business connected to the Internet. It is not a question of "if." It is a question of "when" you will be attacked.
Having the right Cyber Insurance will ensure you can recover faster in the event of a cyber incident. At the same time, the insurer covers a large portion of the financial costs associated with the incident, making it significantly cheaper.
Among our clients, we see the following industries most benefiting from having cyber insurance:
Marketing & Media Companies
Real estate agents
Wholesale and Distribution Companies
Not-for-profit organizations
How to maximize the value of Cyber Insurance?
Some cyber insurance policies exclude some coverage because of technical deficiencies in the client environment, and insurers look for "negligence" or any other grounds that take them off the hook and allow them to avoid a payout. Here are a few examples of what underwriters look for in order to hedge their risk; as a result, you may pay a higher premium or get a less favourable coverage policy:
1. Poor Security Posture - Poor cyber posture in your infrastructure is "inviting" hackers and hence can be used as an excuse not to pay or to reduce the payout amount.
2. Prior breaches - Breaches or events that occurred before an organization purchased a policy.
3. Human error - Any attack or data loss because of a mistake made by an employee.
4. Insider attacks - Loss or theft of data caused by an employee.
5. Pre-existing vulnerabilities - Data breach because of a previously known vulnerability that wasn't addressed proactively and on time.
6. Untrained Staff - Lack of cyber awareness training.
Can Cyber Insurance Take the Place of Proactive Cyber Defense?
There is a misconception that cyber insurance is the "silver bullet" and that it replaces the need to defend the business. The fewer defences you have, the higher the cost of insurance will be (if you can even get it at all), and the more ways out the insurance company will have to avoid paying! Even the best insurance does not cover all the costs and does not account for many of the impacts on your business and the loss of reputation. Insurers will always look for reasons not to pay, and when they do pay, it will be the minimum, which will not always align with your business needs. As with home insurance, you first lock the doors and windows and take precautions to ensure no one breaks in. You also install an alarm at your home that actively monitors for signs of a break-in. You want enough sensors around your house to identify a break-in as early as possible and to dispatch responders on the ground who will minimize the damage; only after the active scene is stabilized and the damage minimized might you call your insurer to cover the cost of the damage.
The same should be done for your business from a cyber protection perspective – you should have enough sensors and protection in your environment to identify and potentially prevent cyber incidents as early as you can, and only then call your insurer to cover what is hopefully minor damage, if any at all.
Not having adequate protection can mean significantly larger damages to your business that will take years to recover or can push you to go out of business.
What can you do to reduce the impact of the next cyber-attack?
Unfortunately, no one can guarantee that cybercriminals will not attack your organization. As I mentioned, it is just a question of "when" your turn comes. The more pragmatic assumption is that your business will be attacked. Preparing your organization proactively to deal with such an event, by putting modern, adequate cyber defences and cyber insurance in place, can make the difference between a major business disaster and an event with minimal implications.
Here are a few practical steps to begin with:
Be proactive in preparing for different scenarios based on your specific business risks.
Understand the effects of a potential security incident on your company and quantify them in terms of the cost of each day of being down (the average breach means two weeks of downtime). From our experience, quantifying the impact in dollar value can be a sobering exercise.
Get help assessing your Cyber Posture to identify the gaps and develop a comprehensive organizational mitigation plan.
Your IT support staff are not Cyber Experts – Augment your IT team with capabilities beyond your IT systems' security. Work with cybersecurity experts to help you understand the business risks associated with cyber and build your organization's comprehensive Cyber Resilience program.
Review insurance policies and premiums that will further reduce residual risks. Understand the requirements for claims and renewals.
Implement the multilayered protection needed to minimize the possibility of exposure, breach, or any other form of cyber attack.
For more information and advice on how you can better protect your business and reduce cyber insurance costs, contact the Armour Cybersecurity team.