Do you really need cybersecurity insurance? Well, that depends!
The number of businesses that took out cyber insurance policies in the last few years has skyrocketed, thanks to a drastic increase in cyber attacks during the pandemic. This also means more claims were made. Thus, rates have increased and insurance providers have become far more selective about who and what gets covered.
With escalating costs, many businesses are now deliberating whether cyber insurance is actually worth it - read on to learn the pros and cons.
Table of Contents
What is Cyber Insurance, Anyway?
Why Cyber Insurance Policies are Changing
Who Really Needs Cyber Insurance?
What Does Cyber Insurance Cost?
What is NOT Covered by Cyber Insurance?
How to Qualify for Cyber Insurance in 2022
Cyber Insurance Checklist
Is Cyber Insurance Worth It for My Business?
What is Cyber Insurance, Anyway?
There probably aren't too many business owners out there who have NOT heard of cyber insurance, but put simply:
Cyber security business insurance is a coverage policy for organizations that suffer financial losses resulting from a cyber attack.
Cyber insurance typically covers items such as:
- Cost of downtime
- Cost of investigation
- Legal fees
- Cost of data recovery
- Cost of identity restoration for affected customers (credit monitoring, etc.)
- Cost of customer notifications regarding the breach
A good insurance policy can help cover many of these expenses, with one small caveat:
You must get absolute clarity from your insurer about what they do and do not cover.
And that's where it can get complicated.
Why Cyber Insurance Policies Are Changing
First, let's set the stage.
At the risk of repeating yet more scary statistics on cybercrime, here are a few key ones:
- Cyber incidents are up 600% due to the COVID-19 pandemic/change in work styles
- Over half of all cyber attacks are aimed at small to medium businesses (SMB)
- The average cost of a data breach ranges from $120,000 to $1.24 million for an SMB
It's no wonder there has been a mad dash to purchase cyber insurance!
But of course, along with all those purchases came the claims, which have jumped over 100% annually since 2020.
This jump took a toll on insurance providers, who watched their profits decline sharply. To adapt, the cost of cyber insurance policies rose 22% in 2020 and 74% in 2021, according to Fitch Ratings.
In the first quarter of 2022, some companies saw rate increases of 83.3%! And as cyber liability insurance premiums have climbed, policy limits have shrunk.
Many insurance carriers have attempted to limit exposure by limiting capacity, offering policy limits about half as large as those offered in the 2021 renewal cycle.
And that's not all.
Most insurers have also attempted to limit risk by tightening up on their terms. Additional restrictions are starting to creep in.
As an example, many major carriers have adopted exclusions for catastrophic cyberattacks conducted by "state-backed actors," a very slippery slope.
Of course, in order to qualify in the first place, you must pass a cyber risk assessment as part of the insurer's underwriting process, which has gotten a lot more stringent.
Who Really Needs Cyber Insurance?
There are definitely industries that need cyber insurance more than others, simply because they're exposed to greater cyber risk and liability.
The organizations that should be particularly interested in purchasing cyber insurance are the ones responsible for collecting and storing personal financial records and personal health records (such as credit card data, patient files, doctor information).
To put it bluntly, if your business handles sensitive personal information, you probably need to prioritize cyber insurance.
Industries that are highly regulated by state, federal and international agencies also require cyber insurance. These industries include hospitality, retail, health care, entertainment, technology and government contractors.
And finally - many companies are simply contractually obligated to have a cyber insurance policy. If you can't win business without it, then clearly you need to jump into the pool.
What Does Cyber Insurance Cost?
There's no easy answer on this one.
Premiums for cyber insurance vary depending on many factors, including the strength of your cybersecurity measures, the types and amount of coverage included in your policy and the size of your business.
The cost per year of cyber insurance can range from as little as a few thousand dollars for a small business to tens of thousands of dollars for bigger companies.
In 2021, the average cost of cyber insurance was $1,589 per year, compared with $1,485 in 2020. However, as mentioned above, the average cost of premiums has risen dramatically, with some policyholders paying over an 80% higher rate in 2022.
For companies where having an extensive cyber insurance policy is critical, it's not uncommon to pay thousands a month for $3M to $5M worth of coverage.
What Is NOT Covered by Cyber Insurance?
In a recent study of more than 100 CFOs by FM Global, a commercial property insurer, almost half believed their insurer would cover "most" related losses from a cyber security event.
Almost a third said they expected their carrier to cover "all" related losses.
But here's what a typical cyber insurance policy doesn't cover:
- Discredit of the company's brand and reputation - after a breach, customers tend to scatter to the wind
- Increased scrutiny from the investment community
- Decline in revenue/earnings
- Decline in market share
- Decline in share price
Note that while insurance will cover lost revenue during the span of the actual disruption, lost revenue related to the aftereffects is not normally covered.
Cyber insurance may be considered essential to protect you from serious pain, but it DOES NOT relieve your organization from necessary tasks such as implementing the most proactive cybersecurity protection possible.
How To Qualify For Cyber Insurance in 2022
Whether you are getting a cyber insurance policy for the very first time or renewing an existing one, be prepared for a very lengthy questionnaire with a lot of tough questions.
Cyber insurers now want to know if there is an organized and proactive effort at your company regarding cybersecurity risk management.
Most insurers will carry out a cyber insurance risk assessment as part of their underwriting process, in order to determine your premium, coverage limits and whether you even qualify for cyber insurance in the first place.
Every insurer will have different requirements, but the following is a short list of the most common security controls you will likely need to have in place.
Cyber Insurance Checklist: Top 10 Essential Security Controls
- Multifactor authentication. MFA involves the use of more than one method to verify a user's identity, such as a password plus a code from a smartphone. This has become critical now that most workers are remote and are accessing data from all sorts of locations and devices.
- Endpoint Detection and Response. Often referred to as "next-gen antivirus", EDR protects employee endpoint devices (wherever they are) with real-time monitoring and rules-based automated response. Traditional anti-virus software can identify known malware, but it is no longer effective at identifying modern threats.
- Secure Remote Access. With more employees working from home, MFA may not be enough. You might want to consider using a VPN or other remote desktop technologies, and block all remote access ports at the firewall or network gateway unless there is a valid business reason for keeping them open.
- Secured, Encrypted and Tested Backups. Make sure your company has excellent backups that can't be overwritten by an attacker, even if they get an administrator password. Data must be encrypted and stored in a secure location - most underwriters are defining "secure" as either offline or immutable.
- Privileged Access Management. It's convenient for users to remotely log in to computers directly from the internet, but that's a target for attackers, too. You need to make sure that access to highly privileged accounts is protected and managed using an encrypted password vault.
- Patch Management. A process for regular software updates to computers, applications and network devices is a must. Hackers take advantage of known weaknesses and use them to spread ransomware.
- Email Filtering and Web Security. Automatically interrogating emails for suspicious content (attachments and links) before the designated recipient has a chance to open them can help reduce the risk of falling for a phishing attack.
- Management of End-Of-Life Systems. When an organization’s technology is no longer receiving updates or support services from vendors, the end-of-life systems must either be replaced or isolated from the rest of the network.
- Incident Response Plan. A formal plan for how to respond if something goes wrong. This document needs to be tested and updated on a regular basis.
- Mandatory Cybersecurity Awareness Training. While technology can help, your employees are your weakest link when it comes to cyber compromise. Security awareness training is a critical component for your overall cyber security profile.
Is Cyber Insurance Worth It?
The answer is - it depends!
Most organizations should at least consider evaluating their need for cyber insurance. Like all forms of insurance, cyber insurance allows you to offload financial risk.
How big that risk is and how much you want to (or can afford) to pay is up to you to decide.
Ultimately, it’s up to you to determine whether cyber insurance is worth the cost or if you would rather take the risk of covering your own losses in the event of a breach or attack.
While cyber insurance is important, and sometimes a necessity, it should take a back seat to a broader cyber security discussion.
Insurance helps you recover from a situation, filling in the gaps when problems occur that you can’t prevent.
But preventing the problems in the first place is a crucial first step.
Summary: An Ounce of Prevention
Cyber insurance policies don't eliminate the need for organizations to take proactive steps to secure their data.
In fact, insured customers are required to do so or their policies will be voided.
Not completing what the insurer deems "due diligence" has led to many companies being left in the cold when filing claims after an attack.
A proper security risk assessment from a qualified third party is the best way to make sure you're doing all you can to prevent cyber attacks in the first place. You are then able to proactively implement the cyber protection you should have in place anyway, regardless of insurance.
You will also be better prepared to speak to a cyber insurance representative to help you figure out which is the best policy for your company, budget and tolerance for risk.
We help many of our clients not only get prepared, but also assist them in working through this process. Filling out the forms can be daunting, and if you're paying big premiums, you really want to make sure this is done properly from start to finish!
Want to learn more about Cybersecurity Services for your business? See Ntiva’s Cybersecurity Services.