The average cost of a data breach is $4.45 million. It’s even higher in industries like healthcare, finance, and pharmaceuticals. Cyber attacks are impacting the public and private sectors so much that “widespread cybercrime and cyber insecurity” is a newly added threat to the World Economic Forum’s Global Risks Report 2023.
Not only is cyber crime costly, but it can disrupt business, affect your credit rating, and erode customer trust. Additionally, many small businesses are forced to shut their doors after a cyber attack. That’s why cyber insurance is so important, but it’s getting harder and more costly to obtain, especially without meeting security requirements.
Choosing Cyber Insurance
First, determine whether your organization actually needs cyber insurance. Here are some items to consider:
- Data types: Does your organization handle, store, or transmit sensitive or regulated data like PII (personally identifiable information like social security numbers) or PHI (protected health information)?
- Business practices: If your website stores customers’ passwords or other customer data, you are at risk. Even if you use vendors to manage aspects of your business like databases or e-commerce, you may want insurance.
- Applications: Does your company use web, mobile, or fat-client apps for critical business processes? If so, downtime caused by a cyber incident can cause major problems.
- BYOD: If you let employees use their personal devices to do work, your business is at increased risk of a breach.
- Targeting: If your organization is involved with politics or social causes, it could be a target for “hacktivism” or extortion.
- Funds availability: If you don’t have the immediate means to cover the costs of a cyber attack, you may want to look into insurance options.
If you decide you need insurance, determine how much you might need by calculating the potential cost of damages. One way to do this is to find the average cost of a stolen record of the data type your company handles. Then multiply that cost by the number of records your company possesses. This gives you a general idea of the extent of possible damage your organization might face in a data breach. Also, it helps to determine whether you’re subject to regulatory fines in your industry and what the fine structures are. Then you can decide what kind of coverage to look for.
Get Coverage at a Better Rate
Cyber insurance providers will often ask you to complete a questionnaire to determine your company’s risk level, which impacts your premium. You can keep premiums down by implementing and maintaining effective cybersecurity controls.
The types of data you possess will also impact insurance costs. Organizations that store, process, or transmit sensitive data, like those in finance and healthcare, will probably pay higher premiums.
Cybersecurity consultants like Corsica Technologies can help companies complete their insurance questionnaires to ensure they understand the process and responsibilities. The Federal Trade Commission and cyber insurance companies also provide helpful information on their websites.
What Does Cyber Insurance Cover?
Coverage will vary by provider and circumstances. To ensure you get the coverage you want and need, here are some questions to ask:
What types of incidents and damages are covered? Is the policy only for a deliberate attack, or will it cover errors and omissions? Will it cover legal costs?
What time frames are covered? If you have a cyber attack that’s not detected until years later, is that still covered if you changed your policy?
Does coverage apply to third parties? Does the policy just cover you, or are your vendors or suppliers covered as well? And what are the first- and third-party limits?
Are there location restrictions? For instance, does the coverage only work for data and resources that are located in the U.S., or is it worldwide?
Will the premium increase after a claim? Do premiums stay reasonably constant or will a claim impact my policy?
What will my deductible be? Policy details vary by industry and insurer. It pays to research companies and shop around.
What are our responsibilities for maintaining coverage? For example, an insurer may require multi-factor authentication, security awareness training for employees, and more. Failure to maintain these practices may void the policy.
What is the service level agreement (SLA) for claims processing times? How quickly will they respond?
As a cybersecurity managed services provider, Corsica can help clients with forensics, incident response, and mitigation to provide information to the insurance company for their investigation. In case of a cyber breach, Corsica will handle remediation at no extra charge to the client.
Improve Your Security Posture with Cybersecurity Consulting
Cyber insurance is critical to helping companies recover from cyber attacks. The process of obtaining cyber insurance and keeping premiums down can also help organizations attain a healthy cybersecurity posture.