Security and business IT professionals are pretty much in agreement that it’s impossible for commercial organizations to completely avoid being hit by some form of cyber-attack or security breach – either as a future event or an incident that’s already occurred.
While planning, policy-making, and the deployment of security mechanisms, devices, and protocols may offer some relief, the inevitability of having to cope with some kind of unforeseen security event calls for an additional layer of protection for the enterprise – and this is one area in which cybersecurity insurance can be of help.
There are several other benefits to taking out a cybersecurity insurance policy, and we’ll be exploring them in this article.
What is Cybersecurity Insurance?
Cybersecurity insurance is intended to help protect businesses that have suffered financial losses from risks arising from the internet or the digital transfer of information. It’s also referred to as cyber insurance, cyber risk insurance, or cyber liability insurance coverage (CLIC).
Its roots are in the large-scale virus outbreaks and network outages experienced by companies during the 1990s. In those days, many companies bought additional coverage to their existing Errors and Omissions (E&O) insurance – a form of professional liability insurance which protects companies and their workers from claims made by clients over negligent actions.
Escalating numbers of security breaches affecting consumer databases containing personal information during the early 2000s prompted most U.S. states to enact security breach notification laws. Large banks, financial services companies, and Fortune 500 firms raised the demand for larger and more comprehensive insurance policies.
Cybersecurity insurance was designed to help organizations mitigate their risk exposure by offsetting the costs involved in recovering after a cyber-related security breach or similar event. These security breaches can also be prevented using DNS filtering, which can help with many security-related issues. The cybersecurity insurance market gained traction in 2005, and it’s estimated that the total value of premiums will reach $7.5 billion by 2020.
At present, roughly one-third of U.S. companies purchase some form of cybersecurity insurance.
Reasons for Seeking Coverage
Commercial organizations tend not to report the full extent of their security breaches, for fear of negative publicity and an erosion of consumer trust. Yet they nonetheless suffer financial consequences from these incidents.
Cybersecurity insurance typically offers pay-outs with regard to the initial (first party) losses suffered due to an attack or breach, and with respect to the financial claims made by injured third parties (customers whose data has been stolen, etc.).
In this light, any organization which stores or processes customer data or collects online payments – or uses the cloud for any form of data processing – should consider taking out some kind of cybersecurity insurance policy.
As corporate networks and the Internet of Things (IoT) expand and evolve, the number of exposed devices and attack vectors continues to increase – and these also need to be factored into the equation regarding cyber insurance coverage.
Over 30% of phishing attacks in 2015 were launched against organizations having fewer than 250 employees – so the risk isn’t confined to large-scale enterprises. According to Symantec’s 2016 Internet Security Threat Report, 43% of all attacks in 2015 were targeted at small businesses.
With many smaller companies unable to afford the costs associated with regular penetration testing and threat intelligence monitoring, cybersecurity insurance offers a measure of protection at a more affordable price.
Looked at more globally, with the average cost of a data breach at a large company estimated at over $3 million – and with the Center for Strategic and International Studies estimating annual costs to the global economy from cyber-crime at between $375 billion and $575 billion in 2014 – cybersecurity insurance presents a real option for mitigating these losses worldwide.
Expenses or Damage Covered
There’s currently no standard for underwriting policies, but a cybersecurity plan should typically address and provide reimbursement for expenses such as:
- Digital forensic investigations required to determine the nature and extent of a security breach.
- Business losses due to network downtime, business/operational interruptions, data loss recovery, and costs involved in crisis management.
- Costs associated with notifying affected parties of a data breach, and credit monitoring for consumers whose information was or may have been breached.
- Legal expenses incurred due to the compromise or leakage of confidential information and intellectual property, regulatory fines, or settling lawsuits.
- Reimbursement for costs suffered due to extortion or ransomware attacks.
Better Risk Management
Cybersecurity insurance is well placed to add financial substance to the security strategies and risk management policies of commercial organizations. It can play a significant role in rounding out a more holistic security posture which includes both preventative security mechanisms and an incident response plan that factors in the monetary consequences of a cyber-attack or data breach.
Insure, But Take the Necessary Precautions
This isn’t to say that organizations should rely on cybersecurity insurance alone. Having something to fall back on for meeting expenses in the event of a successful attack really can’t compare to avoiding or severely mitigating the effects of an attack in the first place.