As more companies are experiencing an increase in cyberthreats, both internally and externally, they are taking cyber risks and prevention more seriously. C-level executives list security as a top concern. In fact, one recent EY study (via CNBC) found that CEOs see cybersecurity as the No. 1 threat to the global economy in the next 5 to 10 years. Rightly so.
One study from Risk Based Security (via TechRepublic) found that there had been 3,800 breaches as of August 2019. According to the IBM-Ponemon Institute 2019 data breach report (via DarkReading), it took on average over nine months to discover and remediate a data breach. Given that lag, the true number of attacks is likely higher, and many companies may still be unaware of existing threats.
Daniel Schwartz also points to the growing attention on internal attacks in a 2019 Forbes Technology Council post, stating that employees (or users) are a large risk. Their access from within enables them to easily exploit systems. It also makes it possible for costly mishaps and unintentional errors (like clicking on a phishing link) to occur.
Along with the rise of all kinds of cyberattacks, cyber insurance is becoming more prominent as a measure to cover the loss and damages of cyber intrusions. According to Statista, the U.S. personal cyber insurance market (paywall) is projected to grow from $500 million in 2018 to $3 billion annually by 2025. When companies can be hit from all directions, I believe security solutions are a must, but if there is a breach, cyber insurance is a safety net that can help recover the costs.
Based on my experience in leading technology teams and developing security strategies, I’ve learned firsthand that regardless of the defenses you put in place, crafty hackers with innovative schemes are always presenting new security challenges that you can’t always be prepared for. It’s better to be safe than sorry if there’s an unpreventable breach. That’s the value of cybersecurity insurance as a second line of defense.
How do you determine the cyber insurance you need?
The fact is, if you rely on technology to do business and if you manage and store company data, financial or transactional information, customer details or any proprietary business information on computers or servers or in the cloud, I believe you need some level of coverage. How much depends on a number of factors, but the following are several considerations to keep in mind when it comes to cyber insurance.
Does company size matter when you’re considering insurance coverage?
I advise companies of all sizes to have cyber insurance. Middle-market companies may wrongly assume that enterprise businesses are at greater risk and that they therefore don’t need insurance. That’s not true. A midmarket business may not spend as much on cybersecurity as larger companies, which could make it even more vulnerable to threats.
One reason middle-market companies may be at risk is that cybercriminals don’t necessarily target a company based on size or name. Instead, they may use bots to scan the internet and search for companies with security gaps. If midmarket companies generally spend less on cybersecurity tools, they could be at greater risk of being found.
Do you need less coverage if you have security solutions in place?
Having security systems in place is not a replacement for cyber insurance. Systems can fail, humans err, and hackers are always finding inventive ways to breach not only business technology but also security solutions. New viruses, attacks and schemes emerge constantly. Realistically, you can benefit from both security solutions and insurance.
While security solutions are almost a prerequisite for coverage, having a security strategy and leveraging security systems could also shave costs off insurance premiums.
Will cyber insurance cover all types of breaches?
Cyber insurance is the new kid on the block when it comes to insurance. Policies and coverage vary from one insurance carrier to the next. Some companies offer cyber liability coverage as a secondary arm of their liability and casualty business, but with the growing number of cyber risks, there’s also a niche for specialized cyber insurance providers.
Cyber insurance coverage can be as varied as health, life and car insurance. A company needs to know its vulnerabilities and make sure its coverage is matched to its potential exposure. You can get insight into those vulnerabilities in various ways. For example, your company can conduct simulated hacks to uncover weaknesses. It is something we do in my organization, in addition to performing audits on our systems and developing a threat intelligence framework for exactly what we need to protect and possible sources of threats. If the company doesn’t have a policy that matches its risks and the types of attacks and breaches it might experience, no matter how good a carrier is, it won’t have a good policy.
For example, some cyber insurance may not protect against insider threats, such as fraud or employee theft, in which case a secondary commercial crime policy may be required.
I’ve also heard debate over breaches, such as nation-state threats, that may be considered acts of war, which might make them covered under the federal Terrorism Risk Insurance Program and exclude them from general cyber insurance coverage. If buyers feel this is a risk to their business, they need to clarify whether such attacks are covered in their policies, to prevent claim denials due to a war exclusion.
Double layer of protection
The combination of your security solutions and cyber insurance offers a twofold approach to protection against attacks. The cyber insurance market has shown rapid growth in recent years; in fact, 76% of firms surveyed (via Marketwatch) said they had some form of cyber insurance in 2018, up from 50% in 2017. To me, this signals that businesses are adding dedicated cyber insurance to their risk mitigation strategies.
Know all of your risks, and understand the full coverage you need. Frequently review your risk landscape to revise your cyber insurance policy as needed.