Understanding the Basics of Cyber Liability Insurance
Today, cyber insurance is a must, particularly with expanded remote work options. Remote work during the pandemic, for example, increased cloud-based attacks by 630%. Plus, ransomware attacks have already exceeded the 2020 threshold midway through 2021.
So, when asking which businesses need cyber insurance, the answer today is pretty much every business. Despite that, it’s estimated that only one-third of U.S. businesses hold cyber insurance policies.
Cyber insurance covers risks related to the internet and information technology. It protects your business from cyber events, including data breaches, malware attacks, phishing attacks, ransomware, fund-transfer fraud attacks, business email compromise scams, and other cyber-related events. Typically, there are distinct insuring agreements relating to:
- Network security: Coverage extends to a network security failure involving a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise. It includes first-party costs, meaning expenses you incur directly as a result of the incident.
- Privacy liability: Data compromises expose sensitive information with potential liabilities attached. Privacy liability protects your business from third-party costs relating to class action litigation or settlements stemming from a breach. It also covers regulatory investigations and potential fines.
- Network business interruption: Downtime is a significant consideration leading to lost profits, additional expenses, and more. That downtime can stem from a successful cyber-attack or even system failure. Network business interruption covers those expenses.
- Media liability: This coverage protects against intellectual property infringement relating to online advertising, social media posts, and even printed advertising.
- Errors and Omissions: E&O covers errors in the performance of or failure to perform services. It addresses negligence or breach of contract allegations, including legal defense costs or indemnification.
That said, your actual coverage should consider your entire business, including financial disruption, customer communication, regulatory fines, brand reputation, ransom payments, legal fees, and more.
What’s Not Included with Cyber Security Insurance?
Even though a business may activate other policies in conjunction with a cyber incident, you can expect gaps in coverage. Traditional insurance policies like property liability, general liability, or directors’ and officers’ insurance may not cover damages from a cyber-attack, something referred to as “Silent Cyber.”
Cyber insurance is somewhat limited compared to the number of risks organizations face. Specific exclusions relating to cyber insurance typically include:
- Potential or future lost profits
- Loss of value owing to intellectual property theft
- Reputational costs or lost customers
- Costs to improve internal systems after a cyber event such as software or security upgrades
The most frequent claims surrounding cyber insurance relate to hacking, ransomware, phishing, and employee negligence.
Factors Impacting Cyber Policy Costs
Cyber coverage is very much a tailored product – one size doesn’t fit every business. Coverage and costs depend on your industry, revenue, employees, and other factors.
Many insurance companies consider revenue when determining premiums. The larger the revenue, the higher the premium. Type of business plays a factor as well. Companies storing sensitive information like social security numbers, birth dates, financial records, and other personal information generally pay higher premiums.
For example, the health and finance sectors usually pay more for cyber coverage due to data sensitivity. In addition, the greater the number of sensitive records stored, the greater your premium.
Your cybersecurity posture also impacts costs, as does whether you’re using best practices for some of these considerations:
- Security procedures for remote desktop protocol
- Secure email gateway
- Cyber awareness training and education
- Incident response plan
- Software update policies
In general, the better your security posture, the more favorable your rates. An organization presenting poor cybersecurity practice or with a history of a breach can expect to pay more than a company with cybersecurity best practices in place. Considering the risks attached to cyber policies, you can expect a rigorous underwriting process.
So, What Does Cyber Insurance Cost?
According to AdvisorSmith, premiums range from $650 to $2,357 for companies with moderate risks. Higher-risk organizations like hospitals can pay as much as $250,000 annually. The average cost in the U.S. is $1,485. That rate is based on liability limits for $1 million, with a $10,000 deductible and $1 million in company revenue. Limits range from $1 million to $5 million and even more.
In Pennsylvania, the cost is slightly less than the national average, at $1,466.49, or 1.24% lower. PA premiums remained steady from 2019 to 2020, with only a nominal increase.
With the number and size of data breaches growing annually, liabilities increase, as does the cost of coverage. Ransomware incidents, for example, increased 486% between Q1 2018 and Q4 2020. Those types of increases prompt premium increases. Most reports anticipate double-digit gains this year, with some experts predicting rate increases as high as 50%. Howden Group, an insurance broker, reports that insurance rates have increased 30%, for example. Howden has also published an in-depth report on the state of cyber insurance.
Understandably, the higher your coverage limits, the more you can expect to pay. Additional coverage, however, costs less per dollar than base coverage. For instance, the first $250,000 of coverage costs an average of $739, while the next $250,000 of coverage costs $407 on average.
Ultimately, select an affordable coverage level that also protects your business in the event of a data breach or hack.
Cybercriminals Don’t Discriminate
If you think you can get by without cyber liability insurance, you might want to reconsider. Cybercriminals don’t discriminate based on size or annual revenue. In fact, 49% of the time, small businesses with under $50 million in annual revenue are the primary target. Where claims are concerned, companies with less than $2 billion in revenue account for 85% of insurance claims.
Hackers assume smaller companies have fewer protective measures in place, making them easier to breach. The same holds for industrial companies. Hackers perceive that these companies have invested less in their IT security but hold valuable intellectual property.
From a claims perspective, reported incidents cut a wide swath. Industries with the most claims include:
- Professional services (20%)
- Healthcare (17%)
- Financial services (12%)
- Retail (10%)
- Education (7%)
- Nonprofit (6%)
- Technology (6%)
- Manufacturing (4%)
So, as you can see, hackers aren’t particular about industry targets. Cyber insurance may be a wise investment.
Investing in Your Security Posture
Don’t invest in cybersecurity insurance without an accompanying investment in your security posture. For one, your investment may make your premium lower.
For another, establishing best practices significantly reduces your attack points, minimizing your chances of a data breach in the first place. As a managed IT services provider, we help SMBs throughout Harrisburg, Lancaster, and York lock down their IT environments using layers of security for the utmost cyber protection. The next time you’re looking for a cybersecurity company near you, get in touch.