In 2019, still reeling from a ransomware attack that compromised data and halted city operations, officials in Baltimore voted to purchase $20 million in cyber risk insurance. Among other items, the city’s new insurance underwriting covers any disruptions to city networks, business interruption costs, digital data recovery, and a team to investigate attacks.
While Baltimore’s insurance purchase came too late to help with many of the costs associated with its initial attack, the city’s decision to buy insurance is a prudent one. Cyber attacks are just like any other disaster. They can devastate a city or wreak havoc on a business as thoroughly as a storm or embezzlement.
As with any other sort of disaster, you should insure for it.
What is cyber risk insurance?
Cyber risk insurance, also called cyber liability insurance, does one simple thing: it helps you keep your business running when there’s a security breach. As with other kinds of insurance, you transfer some of your risk to an insurance company, so you don’t have to pay out of pocket when a breach occurs.
The very first cyber risk policies were offered in 1999, although they’ve changed since then to cover the evolving landscape of cyber threats.
What does cyber liability insurance include?
Today, cyber risk insurance underwriting covers your organization’s liability for a data breach involving sensitive information.
That can include:
- Legal fees and expenses
- Repairing damaged computer systems and networks
- Recovering data
- Restoring personal identities of affected customers
- Notifying customers and regulatory agencies about a data breach
Cyber insurance is often not included in general liability policies, and this exclusion may become more explicit in the next year.
Why you need cyber risk insurance
The average cost of a data breach is $3.9 million, according to the Ponemon Institute’s Cost of a Data Breach report. Those costs include fees, remediation, continuity costs, and lost business — and they’re so steep, they could spell the end of a business. Cyber risk insurance means an organization doesn’t have to bear those costs alone.
Companies are starting to warm to this fact — a growing number of organizations are buying cyber risk insurance. According to a 2019 survey by Marsh and Microsoft, 47% of businesses now say they have cyber insurance, up from 35% in 2017, and 89% of the businesses with cyber insurance reported confidence that their policies would cover the cost of a cyber event.
Many of the organizations with cyber insurance are larger businesses; 57% of organizations with annual revenues above $1 billion had a cyber risk policy, compared to 36% of businesses with revenue under $100 million.
That’s a problem; since 2015, the percentage of small business respondents that have suffered a cyberattack has tripled, according to the 2019 Travelers Risk Index, growing from 4% to 12% this year. Increases in breaches have also been reported among medium-sized companies (10% in 2015 to 20% this year) and large businesses (from 19% to 33%).
Despite the increased interest in cyber insurance policies, not enough businesses are investing in cyber risk insurance, according to Tim Francis, Enterprise Cyber Lead at Travelers, quoted in Insurance Journal. While more businesses are taking steps to prevent a cyber event, “it’s still alarming that nearly half don’t have the proper insurance coverage.”
There’s another reason your organization needs to invest in cyber risk insurance: your existing policies are unlikely to cover a cyber event.
Traditionally, property and casualty (P&C) policies are intended to respond to physical risk alone, but cyber risk often has a widespread impact on organizations — the city of Baltimore, for example, experienced some system shutdowns that meant things like water billing and real estate transactions were shut down or delayed.
Because the effects of data breaches can make themselves felt as physical risks, some breaches have resulted in unintended cyber event coverage, commonly known to the insurance industry as “silent cyber” risk.
Lloyd’s of London, for example, is now taking the position that all P&C insurance policies must, as of January 2020, either explicitly exclude or include cyber coverage. This means “silent” or unintended cyber risk may not be covered by your organization’s standard insurance policies.
Cyber risk insurance is part of risk mitigation
A single cyberattack can put an unprepared company out of business. With this in mind, it’s important that all organizations implement a cyber risk management program that does at least three things:
- Monitors an organization’s risk
- Helps a company avoid breaches
- Helps them recover a possible breach
Cyber risk insurance is an important part of that third bullet point. If you’ve suffered a breach, cyber risk insurance can help you recover losses, pay fees and damages, and continue business as usual while you rebuild and repair your systems and networks.
How SecurityScorecard can help
Companies can also avoid attacks by continuously monitoring their risk profile with smart tools, like SecurityScorecard’s security ratings. Our ratings help you monitor all an organization’s potential risk, so you know where your risk is, and exactly what you have to do to remediate it.