Cybersecurity breaches are costly.

IBM reports that “the global average cost of a data breach [stands at] $3.86 million.” And the “average cost for each lost or stolen record containing sensitive and confidential information”? It’s a hefty $148.

Recently, our clients have asked me if they need cyber insurance.

And I can understand why. It’s easier to pay a monthly premium than to shell out thousands of dollars down the road.

If you have questions such as…

  • What is cyber insurance?
  • Do I need cyber insurance if I have managed IT services?
  • What can I expect to pay for a policy?

…this article is for you, so keep on reading.

What Is Cyber Insurance, and What Protection Does It Provide?

Before we can answer whether you need cyber insurance, let’s define what we’re talking about.

Cyber insurance is also known as cyber liability insurance.

Like other insurance products, this policy creates a financial safety net should your company experience a data security breach.

If a hacker takes down your IT infrastructure, a cyber insurance policy can…

  • Mitigate the financial impact of downtime. For instance, your insurance carrier might state it covers “loss of business,” “lost profits,” or something similar.
  • Pay for costs directly tied to the data breach. An example of this is coverage for fines.
  • Help you navigate extortion. Yes, this means paying a hacker that’s threatening your business.

Interestingly enough, a cyber insurance policy can also include coverage for copyright or trademark violations. And you may get additional services other than a financial payout. (For instance, AIG offers an IBM specialist for its CyberEdge policy, and Chubb provides help with passwords and other benefits.)

As you research different insurance carriers, you might run across two important terms: first-party coverage and third-party coverage. Here’s a quick way to understand what these are:

  • First-party coverage. Basically, this refers to losses sustained by your business because of the cyber event.
  • Third-party coverage. As we all know, a data breach isn’t limited to your company’s information. As an example of third-party coverage, one AIG policy says it will “cover third-party claims by outside parties such as suppliers or customers resulting from a cyber breach.”

If I Have Managed IT Services, Do I Need Cyber Insurance?

Great question.

After all, better security is one reason you have an IT support partner. So why pay regular premiums if your IT company is doing its job?

Here’s my answer: Your managed IT services provider should act like your IT department. And even the best IT departments can’t always prevent things such as end-user errors.

Employees get scammed.

Phishing attacks are successful.

Locking down your network is only half the battle.

In fact, it wasn’t too long ago that I was the target of a spear-phishing attack myself.

Given these risks, a cyber insurance policy can provide some much-needed protection. But making a decision for your company probably comes down to several considerations…

  • What is the size of your business?
  • What is the size of your risk?
  • Can you afford the risk?

Let’s say you’re a three-person firm specializing in leadership training. You only have a small handful of clients. And you rarely handle sensitive information.

In a situation like this, you probably don’t need a cyber insurance policy.

But perhaps you’re a mid-sized accounting firm.

You have hundreds of customers. You process boatloads of highly sensitive private and business information—day in and day out. And the nature of your work probably exposes you to more risk.

Or maybe you’re…

  • An attorney with a practice that handles high-profile or nonstandard court cases.
  • A staffing organization that routinely collects HR information.
  • An underwriting firm that has strict compliance responsibilities.

In these cases, you should consider researching different insurance policies.

What Does Cyber Insurance Cost?

Spoiler alert: There’s no definite answer.

Granted, if you look online, you’ll find articles that provide an estimated cost range. For instance, Fit Small Business says a small business might pay between $1,000 and $7,500 a year in premiums.

And this article says that small businesses “can expect to pay from $750 on the low end and up to $8,000 on the high end.”

However, one of my team members actually spoke to a Charlotte-based insurance company representative on the topic. The representative wouldn’t provide an “on-the-record” answer, but they did explain that the number of records your business handles will affect underwriting.

Bottom line: Don’t base your estimated cost on an online article.

Your better option is calling an insurance carrier and getting a quote.

Can Managed IT Services Impact My Cyber Insurance Premiums?

I don’t claim to be an underwriter. So I’m not going to promise that having a reliable IT support company is going to decrease your premiums.

But that doesn’t mean you can’t examine cyber insurance applications…and infer what underwriters are looking for.

Let’s examine some information Chubb requests from small-business applicants for its Cyber ERM policy.

In the application, they ask you to indicate if your business has…

  • Antivirus and firewall protection.
  • Encryption for devices and confidential data.
  • A formal plan for addressing a cyber event.
  • Procedures for software patching as well as data backup and recovery.
  • PCI, HIPAA, and HITECH compliance if applicable.

All of these help Chubb assess your business’s level of risk.

And it’s a great example of how a managed IT service provider can help.

At Proactive IT, we don’t simply provide comprehensive IT support. We effectively lower your risk by ensuring you have the proper IT safeguards for your business.

Ready to discuss your cybersecurity? Drop us a note online, or give our Charlotte team a call at 704-464-3075.

Update

In this post, I mentioned how cyber insurance can help you navigate extortion. Since then, the U.S. government published its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. I addressed this development in “Should You Pay a Ransom to Cybercriminals? My Take on the Legality Issue.” Please read this article to learn more about the advisory.

Steve Kennen, president of Proactive IT and cybersecurity expert

About Steve Kennen

Steve Kennen is the President of Proactive IT and an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for businesses. A seasoned entrepreneur and technology veteran with over 25 years of experience, Steve leads the team that keeps our clients secure and their business operations running smoothly.