Posted on Oct 28, 2019
This month, still reeling from a ransomware attack that compromised data and halted city operations, officials in Baltimore voted to purchase $20 million in cyber risk insurance. Among other items, the city’s new insurance underwriting will cover any disruptions to city networks, business interruption costs, digital data recovery, and a team to investigate attacks.
While Baltimore’s insurance purchase comes too late to help with many of the costs associated with its initial attack, the city’s decision to buy insurance is a prudent one. Cyber attacks are just like any other disaster. They can devastate a city or wreak havoc on a business as thoroughly as a storm or an embezzlement.
As with any other sort of disaster, you should insure for it.
Cyber risk insurance, also called cyber liability insurance, does one simple thing: it helps you keep your business running when there’s a security breach. As with other kinds of insurance, you transfer some of your risk to an insurance company, so you don’t have to pay out of pocket when a breach occurs.
The very first cyber risk policies were offered in 1999, although they’ve changed since then to cover the evolving landscape of cyber threats. Today, cyber risk insurance underwriting covers your organization’s liability for a data breach involving sensitive information.
That can include:
Cyber insurance is often not included in general liability policies, and this exclusion may become more explicit in the next year.
The average cost of a data breach is $3.9 million, according to the Ponemon Institute’s Cost of a Data Breach report. Those costs include fees, remediation, continuity costs, and lost business — and they’re so steep, they could spell the end of a business. Cyber risk insurance means an organization doesn’t have to bear those costs alone.
Companies are starting to warm to this fact — a growing number of organizations are buying cyber risk insurance. According to a 2019 survey by Marsh and Microsoft, 47% of businesses now say they have cyber insurance, up from 35% in 2017, and 89% of the businesses with cyber insurance reported confidence that their policies would cover the cost of a cyber event.
Many of the organizations with cyber insurance are larger businesses; 57% of organizations with annual revenues above $1 billion had a cyber risk policy, compared to 36% of businesses with revenue under $100 million.
That’s a problem; since 2015, the percentage of small business respondents that have suffered a cyber attack has tripled, according to the 2019 Travelers Risk Index, growing from 4% to 12% this year. Increases in breaches have also been reported among medium-sized companies (10% in 2015 to 20% this year) and large businesses (from 19% to 33%).
Despite the increased interest in cyber insurance policies, not enough businesses are investing in cyber risk insurance, according to Tim Francis, Enterprise Cyber Lead at Travelers, quoted in Insurance Journal. While more businesses are taking steps to prevent a cyber event, “it’s still alarming that nearly half don’t have the proper insurance coverage.”
There’s another reason your organization needs to invest in cyber risk insurance: your existing policies are unlikely to cover a cyber event.
Traditionally, property and casualty (P&C) policies are intended to respond to physical risk alone, but cyber risk often has a widespread impact on organizations — the city of Baltimore, for example, experienced some system shutdowns that meant things like water billing and real estate transactions were shut down or delayed.
Because the effects of data breaches can make themselves felt as physical risks, some breaches have resulted in unintended cyber event coverage, commonly known to the insurance industry as “silent cyber” risk.
Lloyd’s of London, for example, is now taking the position that all P&C insurance policies must, as of January 2020, either explicitly exclude or include cyber coverage. This means “silent” or unintended cyber risk may not be covered by your organization’s standard insurance policies.
A single cyber attack can put an unprepared company out of business. With this in mind, it’s important that all organizations implement a cyber risk management program that does at least three things:
Cyber risk insurance is an important part of that third bullet point. If you’ve suffered a breach, cyber risk insurance can help you recover losses, pay fees and damages, and continue business as usual while you rebuild and repair your systems and networks.
Companies can also avoid attacks by continuously monitoring their risk profile with smart tools, like SecurityScorecard’s security ratings. Our ratings help you monitor all an organization’s potential risk, so you know where your risk is, and exactly what you have to do to remediate it.