The FBI found a 300% increase in cybercrime since the start of the pandemic in 2020.
How can you protect yourself against losses in the case of a breach?
In this article, we break down the what, how, and why of cyber insurance for your business. This article is for knowledge only. Always include your legal team in any discussions around cyber insurance.
What Is Cyber Insurance?
Cyber insurance is just what it sounds like: insurance to protect your business from financial losses that may be incurred during cyberattacks such as data breaches, system hacks, ransomware extortion, and other issues.
The Hiscox Cyber Readiness Report™ 2022 found that U.S. businesses are more concerned about cyberattacks than the pandemic or skills shortages. The report also noted that the median cost of an attack in 2022 was $18,000, up $10,000 from last year. Nearly half of businesses in the U.S. have experienced an attack.
The most common port of entry was a corporate server in the cloud.
Regardless of the size of your business, cyber criminals are opportunistic and will attack wherever they perceive an opening to make money. For this reason, cyber insurance may be a necessity to protect your business.
You will need to:
- Understand your business's level of risk.
- Know your regulatory responsibilities.
- Determine your budget.
The coverage you need will depend on the particulars of your business. For example, healthcare companies and others that handle sensitive information might be at higher risk for cybercrime. When setting your budget, consider:
- Are you prepared to meet the security standards required by the insurance contract?
- How much would it cost to recover from a cyberattack? Remember to account for restoring lost data, repairing damage to your business reputation (for example, hiring a PR firm), and the length of the recovery period.
- What would it cost to be sued over a cyberattack, including lawyer fees, potential fines, and settlements?
Work with a broker to assess your business’s risk and recommend the right amount of coverage to fit your needs.
Cyber insurance usually excludes the following:
- Property damage
- Intellectual property (separate coverage)
- Self-inflicted cyber incidents
- Costs of cybersecurity/protective measures
Cyber Insurance Coverage Checklist
As you begin the conversation about whether cyber insurance is right for your company, ask these questions:
- Where is all our sensitive data stored?
- What safeguards are in place to protect the information?
- Have we implemented a Risk Management Program?
- How do our integration solutions affect our security posture?
- If our data is lost in a cloud solution, what is our recovery plan?
- How can we share the responsibility for protecting the business and its data with all stakeholders?
- Are our employees educated on cybercrime prevention? Reducing business risk starts with a comprehensive set of internal policies and an aligned cybersecurity education program.
As cybercrime ratchets up, securing coverage is getting more difficult. Meeting insurance carrier requirements is imperative. With cyber-related losses at an all-time high (with ransomware leading the way), cyber insurance carriers are requiring improved cyber hygiene in the form of risk controls.
The most important risk controls include:
- Multifactor Authentication (MFA)
- Endpoint Detection and Response (EDR)
- 24/7 Security Operations Center (SOC) and Monitoring
- Network Backups
- Network Segmentation and Updates
Without implementing the risk controls that carriers demand, your company either will be unable to obtain cyber insurance or may not be covered in the event of a cyberattack.
If your business already has cyber insurance, don't wait to submit your renewal application, because the required controls and technical components change constantly. It no longer works simply to state that a company has certain controls in place; underwriters will ask for proof that each control, such as MFA, was deployed and functioning at the time of the attack.
Compliance and Cyber Insurance
Businesses are required to follow privacy regulations set by various regulatory bodies. In addition, companies must adhere to various privacy acts. It's up to business owners to know their obligations for protecting sensitive personal information. Keep in mind: insurance policies may not cover businesses that are not compliant with the regulations that apply to them.
Two of the most well-known privacy acts are the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). GDPR and CCPA apply to all companies that store and process data belonging to EU citizens and California residents, respectively, regardless of where the company is located.
The Cybersecurity Maturity Model Certification (CMMC) is another regulation. CMMC requires formal third-party audits of defense industrial base contractors to ensure that DoD contractors properly protect sensitive information.
How Sikich Can Help with Cyber Insurance
Given the requirements of a good cyber insurance policy, it’s clear any business will need solid cybersecurity in place to make a successful claim if there is a breach.
Sikich can help you maintain your cyber hygiene. We offer Tech360 Managed Security Services, 24/7 monitoring with Endpoint Detection and Response (EDR) and a Security Operations Center (SOC), multifactor authentication (MFA), network backups, professional IT services, network segmentation, security audits and assessments, security testing and consulting, and forensics and incident response.
Give us a call today to set up a consultation, and watch our recent webinar, Strategic Guidance for Everchanging Cyber Insurance, below.