Overview
As the frequency of cyber incidents and the costs of data breaches continue to climb, businesses need additional ways to minimize their cyber risk. Although most organizations employ varied defenses in their risk management processes, no single security control can prevent every incident. In particular, the continued threat of ransomware attacks, data breaches, and associated business interruptions underscores the need for businesses to employ a defense-in-depth approach.
Defense-in-depth involves using numerous complementary tools to lower a business’s cyber risk as much as possible, and cyber liability insurance is one of those tools. Although it is impossible to reduce risk to zero, cyber liability insurance transfers the residual risk away from the business to the insurance company. With that in mind, the question that organizations and their brokers need to answer is, “how much cyber insurance do I need?”
Are Your Clients at Risk for Cyber Incidents?
As the cyber threat landscape continues to grow, every organization, regardless of its industry or size, faces increased cyber risk. The continued rise in ransomware and data leaks is a major reason why. Threat actors may use these breaches to force businesses to pay a ransom or as the first step in selling personally identifiable information (PII). Any business that handles data is a target for threat actors, and this has become especially true in recent years.
What factors determine cyber risk?
There are a number of factors that determine an organization’s risk and how much cyber insurance it may need. That said, it’s worth noting that threat actors are opportunistic and may target any business. Still, organizations’ potential cyber risk is typically a composite of the following:
Company size. Larger companies are more likely to face a higher number of attacks. This is due to their publicity and threat actors’ belief that they hold more valuable information or can more easily pay the ransom.
Types of information held. Threat actors who specialize in particular types of data target different kinds of companies. For example, threat actors specializing in credit card theft are more likely to target e-commerce businesses than those in healthcare. However, threat actors will ultimately target any business that may hold PII, including social security numbers or credit card numbers, since both types of data can be resold on the black market relatively easily.
Company security practices. Threat actors are more likely to launch cyber attacks against a business with old, outdated, or missing security controls than a company that is well-defended.
Availability of credentials. Threat actors may also target a business if they happen to discover breached employee logins or email credentials. This is especially likely if the business has not implemented security controls such as two-factor authentication (a key cyber insurance requirement) to help secure accounts.
Company clients. Sometimes threat actors view a business as a stepping stone for attacks against their actual intended targets. Threat actors may thus target businesses that hold valuable target lists as the first stage of a larger cyber attack.
Common practices for risk mitigation
One of the most effective ways an organization can lower its cyber risk is through cyber insurance and Tech E&O insurance policies. These policies require organizations to achieve and maintain a minimum level of cyber readiness. They also transfer residual risk from the business to the insurance company.
Larger businesses should always hire a broker when purchasing insurance to perform a thorough analysis and ensure the policy covers everything necessary. Smaller businesses may also benefit from this expert help, as well as from the broker’s expertise in comparing several plans’ insurance costs and coverage limits.
In addition to cyber insurance and Tech E&O policies, organizations should prepare a cybersecurity risk management plan. This plan will help to identify and monitor risks while limiting them to a predetermined acceptable level. As part of this plan, organizations should perform regular security risk assessments to understand and categorize any threats they may face.
Lastly, organizations should create a cyber incident response plan. This plan should lay out how the business will prepare for and respond to a wide range of potential cyber incidents.
What does cyber insurance cover?
The coverage provided by a cyber insurance policy varies considerably from one insurance company to another. In general, though, cyber insurance covers the following.
Costs associated with a data breach. Insurance typically covers data loss and recovery fees. It usually covers breach response and reputation repair services as well, such as consumer credit monitoring and data breach notifications.
Computer forensics costs. In the event of a data breach, insurance covers the costs of hiring a forensics expert to investigate the cyber incident’s source. It also typically covers the costs of containing and consolidating the forensic findings.
Legal fees. Cyber liability insurance covers legal fees associated with hiring a privacy lawyer or breach response counsel, as well as regulatory fines and judicial fees. The insurer typically provides lawsuit assistance as well, should this be necessary following a cyber incident.
Business interruption costs. Insurance may cover revenue lost to an interruption caused by a cyber incident.
Extortion costs. Most cyber liability insurance plans cover the costs associated with cyber extortion events.
Equipment repair/replacement costs. Cyber liability insurance typically covers costs associated with equipment damaged in a cyber incident.