What is cyber insurance, and do you need it?
For as long as the internet has existed, there have always been risks associated with going online – threat actors like hackers and viruses, and on the other end of the spectrum, permanent outages stemming from natural disasters or even simple human error.
In the wake of the pandemic, more and more organizations have begun transitioning to virtual workspaces where they can collaborate remotely through the cloud. Because of this, it’s more important than ever to make sure you and your team are covered by cyber insurance – but just what is it, exactly?
Cyber insurance is similar to most other kinds of insurance in that it provides coverage for losses, accidents, and perilous unforeseen circumstances. However, unlike professional liability, general liability, and other common types of insurance, cyber insurance is specifically tailored to cover and reimburse for digital data breaches and online privacy claims.
While common types of insurance may cover some virtual claims, experts are adamant that cyber insurance is the only surefire way to make sure you’re covered in the cloud.
A recent study found that 40 per cent of small businesses expect a cyberattack will cost them less than $1,000, and that they would be able to fully recover in less than three months. Here’s the reality of the situation: the average hit tallies upwards of $25,000 in recovery costs, and the average recovery time for a business post-attack is 279 days. In many cases, it’s years before the final fees associated with a cyberattack are incurred.
Recent surveys have also taken a close look at the businesses themselves, revealing that just 56 per cent of small business owners offer yearly cybersecurity training, with less than a quarter of them sending out preparatory phishing email tests to their employees. While 71 per cent of medium-sized businesses report having some kind of cyber insurance, only 28 per cent of small business owners report having the same kind of protection.
“There are only two types of companies: those that have been hacked, and those that will be.” – Former FBI Director Robert Mueller
As is the case with other kinds of insurance plans, customers of cyber insurance can shop around and look for coverage that best suits them. Organizations and enterprises can expect to pay more for cyber insurance based on variables such as their industry, their size, their revenue, and the value of their sensitive information. Cybersecurity insurance is often bundled with basic Business Interruption (BI) coverage, which is meant to cover immediate income losses and extra expenses, and therefore keep your business afloat if it ends up getting hit.
Those who are looking to purchase cyber insurance can be sure that providers will require certain security thresholds in order to qualify for a plan. If your security posture isn’t up to a certain standard – if you don’t have best practices like multi-factor authentication (MFA) and encrypted servers in place for your employees – don’t expect to get any coverage. If you do want coverage, expect to have to address your risk profile by complying with certain rules and adhering to specific security precautions laid out by other professionals.
TIP: Another basic security precaution is 3-2-1 backup, meaning that you have three different copies of your data on two different mediums (e.g., on both cloud and drive), and one server that’s hosted off site.
Here are some examples of data privacy claims in the news:
- One of our client’s laptops was stolen, resulting in a potential leak of confidential information belonging to more than 10,000 people
- A hacker attack incapacitated a law firm, shutting down their services for more than three days
- An employee at a social service agency accidentally downloaded a virus, enabling a threat actor to upload a decryption tool and crack the entire team’s user names and passwords
- A paralegal went rogue, stealing some of their former employer’s litigation strategies and attempting to sell them to an opposing counsel
- A group of hackers from Russia breached their way into an enterprise mainframe and stole private information regarding a merger
It’s important to note that, on average, it’s getting harder and harder to get cyber insurance. With the prevalence of ransomware being worse than ever, carriers have become less optimistic about signing on the dotted line when it can be so easy for their clients to get hit by a threat actor and need to file a claim. For this reason, premiums are also on the rise and customers can expect to pay more for less overall coverage (e.g., it used to cost around $250,000 for $130 million of coverage, but now it takes about $500,000 just to break $50 million of coverage).
By the numbers: Several studies have recently broken down just how common and costly data breaches and ransomware have become in 2022:
- 83% of organizations have suffered from more than one data breach
- 60% of breaches lead to price increases passed on to customers
- 19% of breaches occur because a business partner was compromised first
- 45% of breaches are cloud based
- Ransomware is up 323% from Q1 2019 to Q4 2021
- The average cost of a data breach is $5.73 million CAD
- The average cost of a major ransomware attack is $5.98 million CAD
- 22 days is the average amount of time breaches and ransomware attacks interrupt organizations for
According to IBM, data breaches are more costly now than they ever have been before, and there’s a strong chance they’re only going to become even more expensive in the future. Furthermore, Canada is the third hardest hit country by data breaches, trailing behind only the United States and the Middle East. Lastly, out of all industries, healthcare has been shown to be the highest-cost industry when it comes to data breaches (followed by the financial, pharmaceutical, technology, and energy industries).
There is also a common misconception that due to the nature of most data breaches, commercial crime insurance will cover cyberattacks. Unfortunately, this is not the case – while crime insurance may cover things like fraudulent money transfers made online and maybe even certain ransomware, only cyber insurance can cover the loss of confidential information and intellectual property stored in the cloud, as well as any consequential losses, fines or penalties.
“While we have comprehensive cyber insurance policies in place to protect data and sensitive information, there will always be factors beyond our control and the potential for claims. It’s a smart decision for our clients to investigate coverage to make sure all bases are covered.” – FSET COO Nicole Brown
Here are four key tips for organizations looking into cyber insurance:
- Check your pre-existing policies to be clear on what is already covered and research what you stand to gain by getting cyber insurance
- Review your cybersecurity posture and make sure you are compliant with the rules and safety precautions providers will be asking for
- Be proactive and stay on the front foot by finding a broker that knows their stuff and will go to bat for you every single time your insurance is up for renewal
- Risk management, while vital, is not a replacement for insurance. If you have your own IT department and they say you don’t need cyber coverage, they’re wrong!