Cybersecurity Insurance: All Your Questions Asked
Cybersecurity insurance, once a measure only certain sectors took, is now becoming ubiquitous. The increase in ransomware, especially since the Covid-19 pandemic, has been a catalyst: insurance is no longer just an option but a necessary cybersecurity protocol. As a result, providers are putting up their premium prices and turning away prospects without sufficient cybersecurity precautions. For companies unable to secure cyber insurance, going without may be not just risky but an impediment to their business, as coverage is becoming a condition of doing business in some areas. In certain industries and certain revenue segments it’s not uncommon to see a requirement for cyber insurance before engaging in a contract.
Below, we answer some common questions for those who are new to this type of insurance.
What is Cybersecurity Insurance?
Cyber insurance (also referred to as cyber risk or cyber liability insurance) is a form of cover designed to protect your business from threats in the digital age, such as data breaches or malicious cyber hacks on work computer systems.
A business is responsible for its own cybersecurity, but in the event of a cyber attack, having the right insurance will mean you aren’t alone. Cyber liability cover will provide crucial support to help your business stay afloat.
What Does Cyber Insurance Cover?
A robust cyber insurance policy covers three main categories of financial risk:
- First-Party Expenses: This category includes costs that organizations would ordinarily have to pay to mitigate losses related to a data breach or privacy incident. Examples of first-party expenses are incident response and digital forensics services, PR services to manage reputational damage caused by a breach, notification to affected parties, and other expenses involved with directly responding to a cyber incident.
- Third-Party Expenses: This category covers costs associated with defending liability claims and/or fines and penalties assessed by regulating authorities. Examples include legal fees to defend lawsuits against the company and fines for violating HIPAA regulations.
- Cyber Crime Costs: This category deals with financial losses resulting directly from criminal activity. An example is the theft of funds as a result of digital fraud.
When assessing the strength of a cyber policy, it’s a good idea to look for coverage pertaining to the following common issues:
- Cyber Extortion: Ransomware attacks are a prevalent form of cyber extortion.
- Social Engineering: Phishing and spear phishing campaigns are types of social engineering.
- Business Interruption: Losing revenue from downtime caused by a cyber incident constitutes business interruption.
- Virus Transmission: End-to-end coverage applies from discovery to removal of a virus, even if the virus spreads before being removed.
- Liability Implications: Legal fees and regulatory fines comprise typical liability costs.
Who Needs Cyber Insurance?
Businesses that create, store and manage electronic data online, such as customer contacts, customer sales, PII and credit card numbers, can benefit from cyber insurance. In addition, e-commerce businesses can benefit from cyber insurance, since downtime related to cyber incidents can cause a loss in sales and customers. Similarly, any business that stores customer information on a website can benefit from the liability coverage that cyber insurance policies provide.
Current Pressure on the Insurance Industry
The ongoing ransomware crisis has put the sector under extreme pressure, as a growing number of victims are being squeezed for eye-watering sums. “You’ve got two very interesting dynamics happening, both at the same time,” explains Lori Bailey, chief insurance officer at Corvus Insurance. “One is a huge increase in claim frequency, which is a result of the ransomware epidemic over the last couple of years.”
The second dynamic is the growing value of claims. The average ransom demanded by cybercriminals in the first half of 2021 was $5.3m, up 518% from the 2020 figure, according to Palo Alto Networks’ Unit 42 research division. The average payment grew by 82%, reaching a record $570,000.
These two dynamics are squeezing the insurance industry’s ability to pay out on its customers’ claims. “Carriers, and more specifically re-insurers, really struggle with this dynamic in the market,” says Bailey.
What Policies You Need to Have in Place Before Obtaining Insurance
“Having cyber insurance doesn’t take the place of a strong cybersecurity infrastructure. Increasingly sophisticated attacks continue with larger payouts that make obtaining cyber insurance more difficult and more expensive.” This comes from Fortified Health Security’s recent “2022 Horizon Report,” in which they urged healthcare organizations to remember that cyber insurance is not a band-aid for inadequate cybersecurity measures.
Cyber insurers are increasingly requiring organizations to implement security technologies, such as endpoint detection and response (EDR) solutions, into their security architecture to mitigate risk. Some insurers will not cover expenses associated with a security incident if the organization did not implement basic cybersecurity measures.
Don’t Ignore Security Monitoring
User Activity Monitoring allows you to monitor users to verify that their actions meet good security practices. If a malicious outsider gains access to their log-in information, or if an insider chooses to take advantage of their system access, you will have a record of the suspicious activity.
If your organization is like most others, you don’t have the budget to stand up your own security operations center. But that doesn’t remove the need for around-the-clock monitoring and intelligence that will help you investigate incidents and minimize attacks.
In the spirit of preserving your data, session recording software offers a way to protect your organization. Visit www.tsfactory.com to learn more about how we can help you prevent insider threats and data theft.