These days it seems like you can’t blink without news of another breach or hack. Most recently there was the Equifax breach, affecting over 143 million people, and the global WannaCry ransomware attack in May 2017, which infected more than 230,000 computers in over 150 countries. These two attacks made the news because they were widespread and hit prominent targets, but attacks like these are indiscriminate, hitting companies and organizations across all industries and sizes. Contrary to common belief, a 2016 survey found that 62% of cyber breach victims are small or mid-sized businesses. So, we are all targets and must prepare appropriately.
A breach can have devastating effects on an organization’s bottom line. Just two years ago, in 2015, the average cost of a breach was estimated at $3.79 million. Estimates of what a single major, large-scale cyber attack could cost, however, run as high as $67.1 billion. You read that correctly – I did say $67.1 billion. It is important to have a process in place to protect not only the data that bad actors seek, but the company’s assets as well.
This brings us to today’s topic: cyber insurance. A fitting subject to discuss during cybersecurity awareness month.
Cyber Insurance Basics
First, the lingo. Cyber insurance is sometimes referred to as cyber risk insurance or cyber liability insurance coverage (CLIC). It is meant to protect businesses financially from internet-based risks. Should a cyber-related security breach occur, cyber insurance helps offset the costs involved in recovery. These can include:
- Business interruption losses from network downtime, the cost of recovering lost data, and the costs of managing a crisis
- Forensic investigations after a breach to determine what occurred, how to repair the damage, and how to prevent a recurrence
- Data breach notifications to customers and other affected parties, which are typically required by law
- Legal expenses related to suits over the release of confidential information, legal settlements, and regulatory fines (where the policy and local law allow fines to be insured)
- Extortion payments, such as ransomware demands
Many cyber policies offer some combination of first-party and third-party coverage: first-party coverage pays for direct losses to the organization, while third-party coverage pays for claims brought against the organization by others affected by the incident, such as clients or partners.
Purchasing Cyber Insurance
The first question you may ask is: should I get cyber insurance? For many organizations, the answer is yes. Any organization that stores and maintains customer, client, or patient information, collects information online, or uses the cloud should consider getting cyber insurance. For some companies, the cost of a cyber attack may not make a significant dent in the budget. For small businesses, however, a cyber attack can cost $150,000 to $200,000, a loss that a $1 million policy costing $3,000 to $5,000 a year would largely cover. A smart investment in my book.
So, how do you prepare for cyber insurance? Computer Weekly recommends starting by determining the expenses and types of events you want coverage for. Discuss this with all the relevant people to create a holistic list, and make sure to include information from third-party suppliers and partners. Include both first-party costs (your own losses) and third-party costs (the costs others impacted by an incident may claim from your organization).
Another important early step is to create a cyber risk profile for your organization, meaning that you have assessed your organization’s exposure to cyber attacks. For larger organizations this may involve engaging threat intelligence services or ethical hackers; for small organizations, a vulnerability assessment tool or a scoped penetration test may be more feasible. Creating a cyber risk profile, in conjunction with training employees in security best practices, will both improve security and help in negotiating the price when purchasing cyber insurance.
What to Look for in Cyber Insurance
Okay. You’re prepared to purchase cyber insurance – but what should you look for in a policy? CIO.com suggests looking for the following:
- A stand-alone policy, which is typically more comprehensive than an extension to an existing policy
- A policy that is customizable to the organization
- Differences in deductibles among insurers
- Coverage for attacks in which your organization falls victim but was not the intended target
- Coverage and limits for both first-party and third-party losses, and whether a single policy covers both
- Coverage for incidents caused by non-malicious employee actions
- Coverage for social engineering and network attacks
- Coverage periods (retroactive dates and discovery windows) long enough to matter, since advanced persistent threats (APTs) can unfold over months or sometimes even years before they are detected
Bolstering Your Cyber Security
Cyber insurance and strengthening the cyber security at your organization go hand in hand. Bolstering your security reduces the likelihood of a successful attack or breach, and therefore the likelihood that you will have to file a claim. It also gives you greater leverage when negotiating your insurance rates, so the tighter your security, the better your position. There are a variety of ways to improve cyber security at your organization (for further reading, see the articles from Vaporstream’s CEO), including introducing secure methods of communication that remain available and trustworthy during a breach. To learn more about how Vaporstream can help with secure communications, contact us or view us in action.
Contributor: Kristi Perdue Hinkle