In the world of insurance providers and policies, cyber insurance is a relatively new area, and many security teams are still trying to figure it out.
What is it and do they need it? And how much time will they spend researching how to integrate cyber insurance into their strategy?
For small security teams, this is especially challenging as they must contend with limited resources.
Fortunately, there is a new e-book dedicated to helping small security teams better understand cyber insurance policies and their impact on an organization’s cybersecurity measures.
In 1997, the Internet Security Liability (ISL) insurance policy was launched at the International Risk Insurance Management Society convention in Honolulu. Backed by AIG, ISL insurance was designed to protect e-commerce retailers like Amazon that collected sensitive customer data and stored it on internal networks. It is credited as one of the very first cyber insurance policies to be made available to businesses.
Today, a quarter of a century later, the cyber insurance market has grown exponentially and covers a wide range of cybersecurity incidents. According to the National Association of Insurance Commissioners (NAIC), the cybersecurity insurance market reached $4.1 billion last year, up 29.1% from the previous year. Industry reports predict the market will reach $11.4 billion by the end of this year – and nearly double to $22.3 billion by 2025.
“The past year has been a stark reminder that hackers are pivoting — and succeeding — in deploying new attack strategies,” writes John Farley, chief executive of Gallagher, a global insurance advisory firm. “There were a wide variety of victims ranging from global software vendors, messaging platforms, the largest US meat supplier and fuel suppliers who supply almost half of the fuel to the eastern seaboard of the United States. Threat actors have found this mud system of interdependencies to be fertile hunting grounds.”
Organizations with even the smallest cybersecurity teams are now turning to cyber insurance to protect their businesses against cyberattacks.
But investing in cyber insurance isn’t as easy as adding a new insurance policy.
What is cyber insurance?
Cyber insurance, also known as cyber liability insurance or data breach insurance, can help mitigate the costs of cyberattacks, an expense that is growing at an alarming rate. Although still not a mandatory expense, cyber insurance is quickly rising to the top of priority lists for many organizations managing large amounts of data.
Because a cybersecurity attack can cost a business millions of dollars — IBM reports the average cost of a data breach reached $4.35 million in 2022 — businesses that don’t invest in cyber insurance put their entire business at risk. A cyber insurance policy doesn’t stop a cyberattack, but it can prevent one from completely devastating a business.
What does cyber insurance cover?
As with any insurance policy, there are different forms of cyber insurance that cover various cybersecurity threats. The market varies widely, with policies often determined by insurers, but the main forms of cyber insurance include:
- Network security systems policies that cover attorney fees, computer forensic services, data restoration, breach notifications and communications, and more in the event of a data breach, malware infection or a ransomware incident.
- Privacy liability policies that cover all costs related to a data breach that exposes personally identifiable information (PII), such as legal action, compliance breaches and reputational risk management.
- Network downtime policies that allow a business to cover the costs of data loss or any financial loss incurred from an interruption of services.
- Errors and omissions policies similar to network downtime policies, covering cyberattacks that compromise a company’s ability to provide services or meet contractual obligations.
- Media liability policies that cover all losses resulting from allegations of slander, defamation, disparagement or copyright infringement.
This is not a complete list of cyber insurance policies. Specific terms and conditions are set by insurers, and claims are often disputed because it can be difficult to define a cyberattack that involves sophisticated forms of cybercrime or hard-to-identify social engineering patterns.
What is the impact of existing cybersecurity efforts on cyber insurance policies?
Before obtaining a cyber insurance policy, companies must be approved for coverage. To limit their own costs, insurers often make cyber insurance conditional on a number of specific cybersecurity measures.
These conditions typically concern a company’s cybersecurity efforts — things like ensuring an organization has written security policies in place, uses multi-factor authentication (MFA), and encrypts its data. Often, cyber insurance providers dictate which cybersecurity tools a company should implement and even which security providers the company chooses to partner with.
Such rules set by the cyber insurance provider have a direct impact on an organization’s cybersecurity efforts and can create friction between the cybersecurity team and the business leaders who purchase the cyber insurance policy. The best way to reduce this friction is to ensure that the cybersecurity team is on board from the start and involved in key decisions that impact the company’s cybersecurity strategy.
Cybersecurity team leaders must understand cyber insurance policies and be able to assess whether a tactic required by an insurance provider weakens or strengthens the company’s existing cybersecurity protections.
If your organization is currently evaluating cyber insurance policies, download Cynet’s insurance guide to better understand what is at stake, both for your cybersecurity team and for your business as a whole.