Steady, sedate, dull — these are words people commonly use to describe insurance. Policies undergo very few changes from year to year, customers submitpredictable claims,and insurers usually issue payments promptly and earn a good rate of return.Cyber insurance, however, might be the one segment of the industry that breaks the mold.
For small and medium-sized businesses (SMBs) to withstandthethreat of cyberattacks, they need a full understanding of their insurance options. Keep reading to uncover all the details of cyber insurance coverage, including why it’s so important, what protection it provides, and how you can find the right insurer for your organization.
Growth and Limitations in the Cyber Insurance Market
There’s no question that more companies than ever before are taking advantage of cyber insurance coverage. The value of the global market reached $13.33 billion in 2022, and experts project that it will exceed $84 billion by 2030.
What’s Driving the Demand
There are a lot of factors behind the rising adoption and exposure of cyber insurance. They include:
- The digital transformation:Companies have deployed digital technologiestoachieve competitive advantage through faster product developmentand rollouts,operating efficiencies, and customerexperience, which also increases theirexposure and vulnerability to cyber threats. The popularity ofremote workhas also contributed to phishing attacksthat exploitemployees’ lack of knowledge or training in cybersecurity practices.
- Widespread ransomware:The growth ofransomware attacks is another important piece of this puzzle. One cyber insurance company saw a significant spike in the number of claims in 2023, most of which they attributed to the alarming frequencyof ransomware.
- Government attention:Eventhe White Househasstepped into the fray, generating newscoverageon theissueofthe recent wave ofcyberattacksandhighlighting theimportance ofinsurance. In November 2023, the White House brought together the International Counter Ransomware Initiative (CRI) to discuss a wide range of issues related to cybersecurity, including the need for cyber insurance.
When you put all these components together, it’s easy to see why interest in cyber insurance has exploded over the past several years.
What’s Holding SMBsBack
A 2023 survey found that 61% of SMBs were hit by a successful cyberattack in the past year. Despite that troubling trend, many companies haven’t purchased cyber insurance.In 2021, CNBCfound that only 26% of small businesses had existing coverage.
Some of the issues preventing SMBs from investing in coverage include:
- Limited budgets:Financial conditions carry some of the blame for this low adoption rate. During and since the COVID-19 pandemic, some SMBshave struggledto prioritize investments incybersecurity practices and insurance.
- Lack of concern:Owners of small businesses often underestimate the likelihood that they’ll fall victim to an attack. They assume that their limited size protects them, when it might be exactly what’s making them a target.
- An uncertain future:Finally, insures are constantly reworking policy commitments because limited historical data makes itdifficult to predict where cyber threats will come from in the future.On top of this, insurance industry leaders are havingdifficulty projecting thelong-term trajectoryof the market.
What many SMBs fail to realize is that the benefits of cyber insurance generally far outweigh these challenges. It enablesthem to recoverrevenue lossesandpay for recovery expenses so that they don’t materially affect ongoing operationsorlessentheir competitive positioning.
Why Cyber Insurance Matters for SMBs
For business owners who aren’t convinced, a quick glance at the state of cybersecurity offers compelling support for the importance of cyber insurance. Beyond that, insurersand government agencies are working hand in hand to support organizations in other ways, including helping to create a more reliable security framework and providing access to valuable tools.
An Evolving Threat Environment
Every day, it seems like there’s more bad news about threats and vulnerabilitiesin cybersecurity. From malware to cryptojacking, organizations face risks on multiple fronts, all of which can have severe impacts on their operations.
That’s especially true of ransomware and SMBs. One study found that 82% of ransomware attacks in 2021 affected organizations with under 1,000 employees. Likewise, according to the 2023 Data Breach Investigations Report from Verizon, ransomwarerecovery costs have steadily increased, in part because attackers are setting their sights on smaller organizations.
Beyond the ransom itself, businesses that fall victim to ransomwareoften have to deal with revenue losses and damage to their brand and reputation. Cyber insurance covers many of these expenses to minimize the effect on an SMB’s future.
Establishing a Better Framework
Insurancecompanies are also adding structure to cyber risk engineering processesby using frameworks such as theCybersecurity Framework(CSF), developed by the U.S. National Institute for Standards and Technology (NIST).
Thisframeworkis a voluntaryinitiativecreated through the collaborative efforts of industry and government. It consists of standards, guidelines, and practices for organizations to better managerisks.
The NIST Cybersecurity Framework involves five functions:
- Identify:Develop an organizational understanding to manage cybersecurity risks: systems, data, assets and capabilities
- Protect:Develop and implementappropriate safeguardsto ensure delivery of services
- Detect:Develop and implement theappropriate activitiestoidentifythe occurrence of a cybersecurity event
- Respond:Develop and implement theappropriate activitiestotake actionregardinga detected cybersecurity event
- Recover:Develop and implementappropriate activitiestomaintainplans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
Companies such as Axio have developed standalone risk management platforms based upon the NIST framework. These platforms include an insurance stress testing function to help companies figure out which coverage is most relevant to their unique risk profile.
Building Business Resilience
Cyber insurance companies and theiragents also playaproactiverolein preparing their clients to defend against and respond tocyberattacks.For example, insurersaredeploying moretechnology to gauge risk levels than is ordinaryforthe insurance industry, including:
- Artificial intelligence(AI)
- Internet of Things (IoT) devices
- Business intelligence
- Data analytics
These developmentsgive companies the opportunity to augment the cybersecuritycomponentof their business continuityplanning process. They can refine their investments inthings like network infrastructure,multi-factor authentication, and data backupto avoidand prepare for the aftermath ofdata breachesand losses.
Cyber Insurance Coverage in Detail
Cyber insurance pays a range of costs associated with an attack or incident. As you’d expect in a market that’schanging so rapidly, there’sno standard cyber insurance policy, so it’s up to thebuyerto compare policy provisions.
First-Party Coverage
First-partypoliciescover the claims you makeforbreachesofyourcompany’s network. It pays forcosts such as:
- Restoringand recreatingthecompromised data
- Hiringexperts to help you fix a problem and gain control of the issue
- Repairing your hardwaresystemsandsoftware
- Recovering income lostdue tothe breach
- Paying extortion costs
- Notifying vendors, customers or regulatory entities about the loss
- Restoringthe personal identities of affected customers
- Supplying credit monitoring services and identity theft protection for affected customers
- Hiringa specialist to conduct a forensic investigationtofindthe source of the attack
- Paying public relations expenses
Under your first-party provisions, your cyber insurer will also take on some of theadministrativeburdens of recovering from a breach, including:
- Informing your customers of the breach andabout how you areresponding
- Notifying the proper authorities of the attack to start an investigationand ensurecompliance with data breach laws,which vary by stateandglobal region
- Supplyinga negotiator to communicate with those makingthe ransom demands
First-party coverage is what businesses usually think of when they consider purchasing cyber insurance, but it’s not the only type of protection insurers provide.
Third-Party Coverage
Third-party coverage is for companies that handle other people’s sensitive data, such as tech companies, healthcare organizations,financial services,and retailers. These institutions are often legally liable when cyber incidents compromise their clients’ data.
Third-party coverage helps absorb costsassociated with litigating a variety of issues, including:
- Privacy lawsuits brought by customers or employees who allege that youwere responsible forthe data loss
- Allegations of libel, slander, orcopyright infringement that arise because of the data breach
- Allegations ofbreach of contract on your part
- Settlement costs
- Court-ordered damages
In addition to these legalcosts, third-party insurance willcovertheexpensesassociated with responding to regulatory inquiries and any resulting regulatory fines and penalties.
Additional Insurance Types
It’s also important to distinguish between cyber insurance and other kinds of coverage for SMBs. Some businesses run into trouble when they mistakenly assume that they already have coverage.
Technology Errors and OmissionsInsurance(Tech E&O)
TechE&Oinsuranceisdesignedspecifically for providers of technology products and services. It covers situations when there is some form of negligence that causes financial harm to users.
In the case of a cyber eventwhere there is negligence on the part of the technology provider, the provider would make a claim torecover legal expenses under its tech E&O policy. However,if there is no negligence, thenthe claimwouldbemadeunder its cyber insurance policy.
Business OwnersPolicy(BOP)
Small business owners can addalimiteddegree of cyber liability coveragewithan endorsem*ntto their BOPand the payment ofanaddedfee.These policies willgenerallycover third-party legal and notification expensesbut none ofthefirst-partycostsyou incur.The payouts on the third-party costs tend tobe limitedto $100,000,which couldbe quickly exhaustedin notification costs alone.
Commercial Property Policy
Commercial Property Policiesprotectphysical property owned by a business.These policies will typically include some coverage for computers, often as part of broader coverage for electronics.Whilepremiseshardware damageisincluded,there’s rarely protection forsoftware and data, and no coverage for data stored in the cloud.
Successfully Navigating the World of Cyber Insurance
Having all this information might clarify why you need cyberinsurance, but it still leaves you with the dilemma of successfully securing and using it. Let’s look at some of the pointsyou’ll need to consider before and after purchasing your policy.
Finding the Right Cyber Insurance Provider
There are a variety of companies competing for thefast-growingpremiums generated in this market. All the largetraditional players, such as AIG, Travelers,andLiberty Mutual, are among them.
However, there’s a significant advantage to working with an insurer focused specifically onSMBs. A company that understands the unique needs of smaller organizations can often provide a more affordable, practical solution. When you research providers, look for an insurer that offers coverage for a variety of losses, such as ransomware, data breaches, and cyber extortion.
Common Cyber Insurance Practices
Before engaging with an insurer or broker, itpays to know whether you’re followingbasic practices. Each insurer is different, but they generally have a few core requirements, such as:
- Maintaining a written cybersecurity policy
- Providingsecurity trainingforemployees
- Deploying firewalls and antivirus software
- Installing software patches regularly
- Using strong and complex passwords
- Encrypting mobile devices that interact with sensitive data
- Constantly reviewing and responding to security monitoring alerts
Failing to meet these expectations could cause problems if you ever need to file a claim.
Reasons for Rejection
While most cyber claimsare paid, insurers can deny a claim if it could havebeen easily preventedor if a company cannotprovideevidence that it was following policy requirements. These are some possible problems that might come up:
- Denying the full value of a claim:Cyber policieshaveindividual limits for specific insuring clauses and subclauses, so it’s critical to carefully review these termsand pay particular attention to theransomware provisionsof a policy. The ability toanticipateyour company’spotentialexposure to extortion demands, lost income, and asset restorationwill enable you to ensure payouts will meet your needs.
- Social engineering claims: Insurers can reject these claims if they can show that the employee was negligent. Negotiating a separate social engineering clause, rather than just having a computer fraud or forgery clause, can help protect you as social engineering attacks continue to evolve.
- Personal Card Industry (PCI) fines:Some insurers reject the PCI fines and assessments createdand assessedby the Security Standards Council of the credit card industry. This usually occurs when financial servicescompaniesfail toprovideadequate protectiontoconsumers and businessesagainst data theft and fraud.
- Litigation requirements:Another cause for denied claimsoccurs if a company makes a claim againstit*policy when another company is at fault for the breach. The two companies have to litigate these issues in court rather than deal with them through the insurance company.
Knowing whether these or other factors could cause your insurer to denypart or all of your claim is vital to protecting your financial interests.
Getting Support and Facing the Threat
With so much in question, cyber insurance companies can provide a sense of stability and security. Overonly a few years, they’veproven that they’ll provide reliable payments for claims.Bydeliveringupdated threat data, platforms to test incident readiness,and frameworks for building protection,cyber insurers canbeanothercomponentinyourbusiness continuity planning.
To learn more about cyber insurance coverage and business continuity, contact the teamat Invenio IT. Speak to one of our experts to explore your options and get pricing for the best cyber insurance provideron the market.
There is not much change in the makeup of thecompaniesthat areoffering insurance,agentsgenerallyhave limited interaction with their customersandinfrequently have an impactonbusiness-criticalmatters, andseldom do you seeheadline news stories coming out of the industry.
It’s a different ball game withcyber insurance.Theconstantly evolvingcyber threatenvironment,therapidlyincreasingnumber of claimsfiled,the emergence of new competitors,andthe fact insurers haveonly beenoperatingin this segmentfora couple ofdecadeshascreated adynamicenvironment.
The difficulty of projecting wherecyberthreats will be coming from in the futurealong withlimitedhistoricaldatafor useindevelopinganalytical models to project future risk exposurehascausedaconstantreworking of policycommitments.On top of this, insurance industry leaders are havingdifficulty projecting thelong-term trajectoryof the market.
Eventhe White Househasstepped into the fray, generating newscoverageon theissueofthe recent wave ofcyberattacksandhighlighting thecontributioninsurancecan play in buildingcybersecurity.At its recentWhite House summitof tech, financial services, insurance,energy, and education leaders, the administration called ontheinsurance industry to develop ways of incentivizing businesses to deploy andmaintaingood cybersecurity practices.
Actually,thereis one aspect of the cyber insurance business thatmirrors more traditionallines of insuranceand that’s reliable payments on cyber incident claims.Cyber insurershavedemonstratedaconsistenttrack recordon this score andthat’simportant for those consideringadding this coveragefor the first time.
TheBusiness Environment
A primecause of the increasedexposureis drivenby the ongoingdigitaltransformationof business.As companiesincreasinglydeploydigital technologiesin an efforttoachieve competitive advantage through faster product developmentand rollouts,operating efficiencies, and customerexperience, theirexposure and vulnerability to cyber threats grows as well.
TheCovid-19pandemic has had a dual impact on the increase incyber vulnerability. Manycompanies havesped uptheir digital transformationplansin an effort tocreate greater efficiencies intheir productand servicedelivery models.
According to aMunich Re survey, 33% of C-level respondentsreport that they have accelerateddigitalizationdue to Covid-19.As a result,companies have struggled to bring theirsecurity practices along as rapidly. On the user side,moreremote workinghas resulted in an increase in phishing attacksthatoftenexploitworkers’interest in updated information on the pandemic.
State ofCyber InsuranceCoverage
Despite theworseningthreat environment, most small and medium sized businesses do not carry cyber coverage. According toastudy byCyberScout,even though 76% of SMBs experienced acyber attack,only 31%hadcyber insurance.The report highlights the fact that businesses that are already under financial pressure in responding to the pandemic arestruggling withprioritizing investments incyber security practices and insurance.
The Evolving Threat Environment
According toan analysis of threat reportingby Dark Reading, ransomware and phishing willcontinue tobe themaintypesofcyberincidentsthrough 2021.Themost prevalent attacks canbe categorizedaccording tofiveclassesof incidents: human factor,malware, denial of service (DOS),web application, and password.Theseevents have multiple impacts on business operations.
Cybereasonexamined ransomwareattacks and found that66%of companies attackedexperienced a significant loss of revenue,35% of businesses paid a ransom between $350,000 and $1.4 million, and 53% reported damage to their brand and reputation.As described below, cyber insurance helps recover the costs of all thesefactors.
Dealing with Uncertainty
In this uncertain environment,insurancecompanies, including majors such as Zurich, are adding structure to thecyber risk engineering processesby using frameworks such as theCybersecurity Framework(CSF) developed by the U.S. National Institute for Standards and Technology (NIST).
Thisframeworkis a voluntaryinitiativecreated through the collaborative efforts of industry and government. The framework consists of standards, guidelines, and practices for organizations to better managerisks. Companies such as Axios have developedstandalone risk management platformsbased upon the NIST framework. These platforms include an insurance stress testing function to help companiesfigure outwhich coverages are most relevant to their unique risk profile.
The NIST Cybersecurity Frameworkprovidesa common vocabulary for risks and controls, allowing for more productive discussions among underwriters, brokers, and companies looking to obtain insurance. The frameworkfacilitates conversations between insurance risk specialists and C-suite and board members by minimizing IT jargon.
Of note is the fact that nearly three-quarters of the security controls are non-technical in nature. A great emphasisis placedon roles and responsibilities, training, security procedures, incident response and communication.
Working with the NIST Cybersecurity Framework involves five functions. The purpose of the Framework is toprovidea comprehensive view of the lifecycle for managing cybersecurity. The five functions consist of:
- Identify– Develop an organizational understanding to manage cybersecurity risks: systems, data, assets and capabilities.
- Protect – Develop and implementappropriate safeguardsto ensure delivery of services.
- Detect – Develop and implement theappropriate activitiestoidentifythe occurrence of a cybersecurity event.
- Respond – Develop and implement theappropriate activitiestotake actionregardinga detected cybersecurity event.
- Recover – Develop and implementappropriate activitiestomaintainplans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Cyber Insurance and Business Resilience
Cyber insurance companies and theiragents arealsorespondingto the demands of this market environment by playing aproactiverolein preparing their clients to defend against and respond tocyberattacks.
For example,Coalition, a cyber insurer and one of theparticipantsin the White House summit, announced that it will make itscybersecurity risk assessment & continuous monitoring platformavailable for freeto any organization.Others aredeploying moretechnology than is ordinaryforthe insurance industry.Corvus, for example,is applying acombination ofAI,IoT,business intelligence and data analytics tobetter gauge cyber risk.
These developmentspresent an opportunity for companies to augment the cybersecuritycomponentof their business continuity planning processandfurtherrefineongoinginvestmentactivities inthings likenetwork infrastructure,multi-factor authentication, and data backupto avoidand prepare for the aftermath ofdata breachesand losses.
Cyber insuranceprovidescompanies with thefinancial resilienceto complementit*investments inoperationalresilience.Cybercoverageenablescompaniesto recoverrevenue lossesexperiencedandpay for theexpensesrelatedto recoveringfrom a data breachso that these costswill not materially affect ongoing operationsorlessena company’scompetitive positioning.
Defining Cyber Insurance
Cyber insurance pays a range of costs associated with acyber incidentsuch asransomware,social engineeringand denial of service.As you’d expect in a market that is changing so rapidly, there is no standard cyber insurance policy.This variety puts the onus on the buyer of insurance to compare policy provisionscarefully.
Most cyber insurers offer two types of coverage: first-party and third-party.First-partypoliciescover the claims you makeforbreachesofyourcompany’s networkandwill pay for the coststo:
- Restore and recreatethecompromised data
- Hireexperts to help you fix a problem and gain control of the issue
- Repair your hardwaresystemsandsoftware
- Recoverincome lostdue tothe breach
- Payextortion costs
- Notify vendors, customers or regulatory entities about the loss
- Restore the personal identities of affected customers
- Supplycredit monitoring services and identity theft protection for customersaffected
- Hire a specialist to conduct a forensic investigationtofindthe source of the attack
- Paypublic relations expenses
Under your first-party provisions, your cyber insurer will also step in and take on some of theadministrativeburdens of recovering from a breach. These services include:
- Informing your customers of the breach andabout how you areresponding
- Notifying the proper authorities of the attack to start an investigationand ensurecompliance with data breach laws,which vary by stateandglobal region
- Supplyinga negotiator to communicate with those makingthe ransom demands
Third-party coverage is for companies that handle other people’s sensitive data, such as tech companies, health care companies,financial services,and retailers.Ifyourcompanyhandlessensitivedatafor aclient and itis compromisedinacyberincident,your companycouldbe heldlegally liable.To absorb costs associated with these legal proceedings, third-party coverage will paythe legalcosts necessary tolitigatea variety of issues including:
- Privacy lawsuits brought by customers or employees who allege that youwere responsible forthe data loss
- Allegations of libel, slander or copyright infringement that arise because of the data breach
- Allegations ofbreach of contract on your part
- Settlement costs
- Court-ordered damages
In addition to these legalcosts, third-party insurance willcovertheexpensesassociated with responding to regulatory inquiries and any resulting regulatory fines and penalties.
Technology Errors and OmissionsInsurance(Tech E&O)
TechE&Oinsurancediffers from cyber insurance in that itis designedspecifically for providers of technology products and services and covers situations when there is some form of negligence on the part of the technology providerwhich causes financial harm totheirusers.
For example, a company might sue a technologyproviderfor harm caused by missed project implementation deadlines orifit recommends thewrongsolutions. In these cases,atech E&Opolicywill cover the legal costs to defend against the accusations includingcourt costs, attorney’s fees, settlement expenses, andanyjudgements ordered.
In the case of a cyber eventwhere there is negligence on the part of the technology provider, the provider would make a claim for recover legal expenses under its tech E&O policy. However,if there is no negligence, thenthe claimwouldbemadeunder its cyber insurance policy.These fine points create a gray area for techcompanies, highlighting thevitalrole an insurance agent can playinworking outadequatecoveragewithout duplication.
Business OwnersPolicy(BOP)
Small business owners can addalimiteddegree of cyber liability coveragewithan endorsem*ntto their BOPand the payment ofanaddedfee.These policies willgenerallycover thethird-party legal and notification expenses described abovebut none ofthefirst-partycostsyou incur.The payouts on the third-party costs tend tobe limitedto $100,000,which couldbe quickly exhaustedin notification costs alone.
Commercial Property Policy
Commercial Property Policiesprotectphysical property owned by a business.These policies will typically include some coverage for computers, often as part of broader coverage for electronics.Whilepremiseshardware damageisincluded,there’s rarely protection forsoftware and data, and no coverage for data stored in the cloud.
What Insurers Will Expect
Before engaging with an insurer or broker, itpays to ensure that you are following certain basic practices. These practices should include:
- Maintaining a written cybersecurity policy
- Providingsecurity trainingforemployees
- Deploying firewalls and antivirus software
- Installing software patches regularly
- Using strong and complex passwords
- Encrypting mobile devices that interact with sensitive data
- Reviewing and responding to security monitoring alerts on a constant basis
Don’tGet Rejected
While most cyber claimsare paid, insurers can deny a claim if it could havebeen easily preventedor if a company cannotprovideevidence that it did everything tofollowthe requirements of the policy. In these cases,keepingdetailed documentation of company policies and practices isa necessary procedure.
The full value of claims canbe deniedbecausecyber policieshaveindividual limits for specific insuring clauses and subclauses, so a careful review of these terms at the time policiesare negotiatedis important.In this regard, particular attention shouldbe paidto theransomware provisionsof a policy. The ability toanticipateyour company’spotentialexposure to extortion demands, lost income, and asset restorationwill enable you to ensure payouts will meet your needs.
Social engineering claims havebeen rejectedif employee negligence can be shown, so as social engineering attacks continue to grow and evolve, it is important tonegotiatea separate social engineering clauserather than just having a computer fraud/forgery clause.
Some insurers have rejected Personal Card Industry, or PCI,finesand assessments. These arefines thatwerecreatedandareassessedby the Security Standards Council of the credit card industrywhen financial servicescompaniesfail toprovideadequate protectiontoconsumers and businessesagainst data theft and fraud.
Another cause for denied claimsoccurs when a company makes a claim againsttheirpolicy when another company is at fault for the breach. These issueshave tobe litigatedrather than covered under insurance.
Finding Cyber Insurers
There are a variety of companies competing for thefast-growingpremiums generated in this market, which havedoubled since 2015 to over$3 billion.All ofthe largetraditional players, such as AIG, Travelers,Chubb,CNA,andLiberty Mutual, aretaking partinthecyber insurance market ina substantial way.
A new breed of company focused on the cyber insurance segment hasalsoemergedin the last few years.These new entrants, such asCoalition,Resilience,At-Bay,Cyberdot,CyberScoutand Corvusareleveragingtechnology to deliver their services andtake aproactivestancein helpingcustomers understand andanticipatethe changing threat environmentand offer a good match for SMB customersseeking cyber insurance.
Facing Up to the Threat
As the volume ofcyberattacksgrows and the nature of the incidents continuously evolve, engagement with a cyber insurer offers resources to meet this challenge.Bydeliveringupdated threat data, platforms to test cyber incident readiness,and frameworks for building protection,cyber insurers canbeanothercomponentinyourbusiness continuity planning.Andby rationalizingyourinsurance policy coverages, yourinsurercanmake sure you carryoptimalcoverage toprovidethe peaceof mind that your company will have thefinancial resourcestobounce backfrom a cyber incidentascompletely aspossibleand limitdamage to your competitive position.
