
Cyber Insurance Basics (with 4 steps to help you reduce costs)

Threat Intelligence • Aug 30, 2023

With cybercrime reports doubling and ransomware attacks becoming so common in the last two years, cyber insurance markets are expanding. Latest statistics show that in 2018, business cyber insurance dominated the industry, accounting for 75% of all cyber insurance premiums in the US. Rightly so, because in a business climate like today’s, there is hardly a business that can’t benefit from cyber insurance. 

 

Whether you’re a small business or big corporation, if your business stores sensitive client, partner, or customer data, and supports electronic transactions, you most definitely need cyber insurance. 

 

In this article we’re answering some of the most common questions surrounding this complex topic. Keep reading to find out more.

What Is Cyber Insurance?

Cyber insurance, also known as Cyber Liability Insurance or Cybersecurity Insurance, is an insurance policy that is designed to protect businesses against the potentially harmful results of cybercrimes such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or other internet-based risks. 

Cyber insurance coverage can help limit company disruption during and after a cyber incident, as well as potentially cover the financial cost of dealing with and recovering from the attack.

What Does Cyber Insurance Cover?

A comprehensive cyber insurance policy addresses the following three types of expenses:

 

  • First-party costs - This covers the expenses organizations would have to pay to minimize the damages caused by a cyber incident/data breach. Examples include PR services to manage company reputation, notifying affected parties, incident response and recovery services. 
  • Third-party costs - This covers the costs of liability claims, and fines or penalties imposed by regulatory authorities. Examples include legal fees to defend a lawsuit against the company for failure to protect client data. 
  • Cyber crime costs - Financial losses resulting directly from cybercrimes come under this group. For example, ransom fees arising from a ransomware attack.

First Party Coverages

The purpose of first-party coverage is to reduce the financial impact on the company that purchased the insurance. It usually covers the following costs:

 

  • Alerting affected parties
  • Providing assistance and credit monitoring
  • Implementing PR campaigns to manage company reputation
  • Recovery and remediation

 

Common insurable events that come under first-party coverage include:


  • Destruction of data by a malicious party
  • Your hard disk gets infected by malware/spyware/virus
  • You fall victim to a DoS attack
  • Your data is held hostage for ransom
  • Your computer hardware is damaged in a natural calamity


If your company holds critical client data or customer information online, it is imperative that you have first-party coverage.

Third-Party Coverages

Third-party coverage provides cyber liability coverage for firms that are responsible for a client's online security. This can cover legal fees if and when a client sues your company for experiencing a data breach. Third-party insurance usually covers the following costs:

 

  • Lawyers’ fees
  • Settlements/Judgements
  • Miscellaneous court costs such as witness fees, and docket fees

 

The legal costs resulting from a data breach can be devastating. Third-party coverage ensures that your business can survive the aftermath of a cybercrime.

If your business is responsible for securing customers’ online data through your services (IT consultants, Software developers, App developers, Network and security consultants, Website designers, Web hosting businesses), you must have third-party coverage.

What Should Your Cyber Insurance Coverage Include?

When evaluating the strength of a cyber policy, consider coverage that addresses the following issues:

 

  • Cyber Extortion
  • Social Engineering 
  • Business Interruption 
  • Virus Transmission
  • Liability Costs

What Doesn't Cyber Insurance Cover?

A typical cyber insurance policy may not cover the following expenses:


  • Technology upgrades - If you want to improve your internal technology and upgrade your systems after a cyber incident, your cyber insurance may not cover the costs.
  • Lost profits in the future - Loss of possible future profits due to damages from a data breach is not covered by cyber insurance.
  • Loss in valuation - A decrease in the company valuation caused by theft of intellectual property also would not come under cyber insurance coverage.
  • Dishonest conduct - If you withhold information from the insurance company while buying your insurance, your losses will not be assessed by the insurance company.
  • Unauthorized data collection - Your insurance policy will not cover the losses incurred due to the illegitimate collection of data.

 

Cyber Liability Insurance policies also generally exclude costs arising from immoral or obscene services, contractual liability, cyber terrorism, trading in virtual currencies, and religious or political activities.

Cyber Insurance vs Data Breach Insurance

When it comes to protecting businesses from cyberattacks, the terms data breach insurance and cyber insurance are often used synonymously. However, are they the same? Let’s take a closer look at the distinctions between the two.

 

What do cyber liability and data breach mean?

 

Cyber liability factors in when your business is accused of inflicting damage to an outside party as a direct outcome of a cyber incident. A data breach occurs when you lose information for which you are responsible.

 

Data breach insurance covers first-party costs resulting from a data breach. This includes expenses associated with theft of company documents, investigation of the cyber incident, damaged equipment, notifying parties affected by the breach, minimizing damage and providing them assistance and credit monitoring. 

 

Cyber insurance, on the other hand, provides both third-party and first-party coverage to businesses that have suffered a data breach. This means that in addition to covering losses related to the breach of your network, this insurance also covers the charges that arise due to accusations made against your business for failure to protect client data.

 

Essentially, the two differ in the extent of what they cover. While cyber liability insurance protects you both financially and legally in the event of a data breach, data breach insurance protects only your financial interests.

How Much Does Cyber Insurance Cost?

One thing is certain: cyber insurance is expensive. And insurance plans are only getting more outrageously costly as cybercrimes and threats continue to evolve. This is one of the most common reasons why many businesses don’t have cyber insurance. 

 

So, how much does cyber insurance actually cost?

 

According to a popular insurance directory in the US, the average annual premium for a coverage of $1 million is anywhere between $1,400 and $1,500. However, you may need to pay more depending on your organization's unique requirements. For instance, $6 million in coverage will cost you $50,000 in premiums, whereas a lower coverage of $3 million will cost $25,000.

 

The higher your coverage limit, the more money you'll need to spend.

 
The cost of your insurance policy also depends on a number of other key factors, including industry, organization size, data size and sensitivity, cybersecurity measures, annual revenue, and your policy terms.

Make sure to contact an experienced insurance provider if you have questions about your policy or how much coverage you require.

How to Reduce Cyber Insurance Costs?

Cyber insurance policies may be expensive, but the cost of going through a cyber incident without proper coverage is even higher. Luckily, there are some steps you can take to minimize your expenditure:

Prepare an Incident Response Strategy

A thorough incident response plan can help you get to the bottom of a security breach and ensure that your business can keep moving forward. 

Regular and Effective Security Training

Continuously educate your employees on data security processes and procedures, and the latest threats and cybercrimes so that they can look out for malicious emails and vulnerabilities.

Conduct Regular Risk Assessments

Cybersecurity is a continuous and ever-evolving effort. Regular risk assessments can help you get a clearer view of your overall security posture and apply appropriate remediation.

Minimize Your Data

Data minimization refers to storing only the data that is essential and relevant in order to save money and safeguard your business. When you minimize the data you own, it reduces the risk of data breaches or leaks. In data protection, the basic principle is to collect as little data as possible.

Cyber Liability Insurance Australia

 

Cyber Liability Insurance, often referred to as Cyber Insurance, has become a critical component of a comprehensive risk management strategy. It's the safety net that shields businesses from the financial and reputational fallout of cyber incidents. From multinational corporations to small and medium-sized enterprises, organizations across Australia are recognizing the significance of this specialized insurance coverage.


Australia has recently become a global hotspot for cyberattacks and data breaches, affecting companies of all sizes and industries alike. Over 76,000 cybercrime reports were submitted through ReportCyber during the financial year 2021-22, an increase of nearly 13% from the previous financial year. One cybercrime report is filed every 7 minutes, compared to one every 8 minutes in 2020-21. The severity of cyber incidents across Australia is also increasing, with cyber extortion and ransomware attacks at the forefront.


In such a challenging environment, cyber insurance is a valuable tool that can help you recover from a cyberattack and mitigate its financial impact. However, despite the widespread impact of cyber incidents, cyber insurance in Australia is not yet fully understood and isn't widely adopted by businesses.


The biggest example is the Medibank breach. Medibank revealed that they didn't have cyber insurance after a data breach exposed the personal information and health records of 3.9 million customers. Medibank took a half-year loss of $26 million with the full-year loss expected to be between $40 and $45 million. The company attributed this high cost to not having a cyber insurance policy. 


The small number of insurers in Australia combined with high insurance premiums is a key reason why cyber insurance adoption is low in Australia. According to the Insurance Council of Australia, if proper cyber risk insurance is not accessible for organizations, many may be unable or unwilling to pursue innovative practices. This will have a negative impact on Australia's economic productivity.


Cyber Insurance for Critical Infrastructure and Industrial Sectors

 

Critical infrastructure forms the foundation of our society and economy. It is the infrastructure that is essential for a fully functional society, from electricity and water to transportation and communication. That's why it is such a big target for cybercriminals. Moreover, as critical infrastructure becomes more and more digitized, it becomes more vulnerable to attacks. And the impact of these attacks has several far-reaching consequences, including the potential for major disruption to society.


In recent times, the attacks on SolarWinds and Colonial Pipeline have demonstrated the effect cyberattacks can have on critical infrastructure. The SolarWinds attack exposed more than 18,000 government and private clients' data and the Colonial Pipeline attack resulted in nearly 11,000 gas stations running out of fuel.


While a cyber insurance policy won't guarantee that an attack won't happen, it can ensure better preparedness in the event that it does. It can help critical infrastructure companies to manage their risk effectively and recover more quickly from a cyberattack.


Two of the most popular targets among critical infrastructure are the healthcare and education sectors. We're exploring these two sectors in the next sections.

Education Sector

 

Cybersecurity is a critical concern in the educational sector where innovation and digital transformation are shaping the future. Educational institutions house vast amounts of sensitive data, from student records to research findings. This digital treasure trove presents a tempting target for cyber threats.


Moreover, since the start of the pandemic, educational institutions have been accelerating their digital transformation and adding more and more online services and platforms to deliver content and instructions remotely. This has increased the number of possible entry points for cyberattackers and made it more difficult to detect and protect against cyberthreats.


2021 saw the highest number of reported cyberattacks on educational institutions to date. And with the rapid adoption of digital education, ransomware attacks on the education sector have also increased by 84%.


Being an industry with a high volume of sensitive data, educational institutions must prioritize data protection and cybersecurity from the very beginning of their digital transformation journey.


A cyber insurance policy can help educational institutions mitigate some of the biggest risks of breaches such as data theft, ransom costs, business interruption, and reputation loss. 

Healthcare Sector

 

In the healthcare sector, the convergence of patient care and digital innovation introduces a complex web of cybersecurity challenges. Cyberattacks against healthcare organizations can jeopardize patient data confidentiality, halt critical services, and even impact patient safety. From ransomware locking access to vital medical records to unauthorized breaches exposing sensitive health information, the threats are diverse and severe.


The healthcare sector continues to have the highest average cost of a data breach, reaching $11 million in 2023. This is due to the type of data that healthcare organizations collect and the need for quick response times. In such cases, the cost of a data breach is often higher than the cost of a cyber insurance policy.


A cyber insurance policy for healthcare organizations can cover a variety of losses including data losses, incident response, extortion incidents, business interruption, regulatory penalties, and legal expenses. Plus, in order to apply for a cyber insurance policy, healthcare organizations must bolster their cyber defenses and ensure that they meet the requirements of the insurer. This also helps reduce the impact of a cyberattack by improving the overall security posture of the organization. 

 

Conclusion

 

Today, cyberthreats are more prevalent than ever. And while there are numerous best practices that can help defend your business against cyber attacks, there is no guarantee that you can avoid them completely. In the event of a cyber attack, insurance coverage can significantly reduce the financial strain on your company.

 

Ready to Protect Your Business?

 

At Threat Intelligence, we enable organizations to automatically identify, protect, detect, respond and recover against relentless cyber threats with our innovative security products and highly-skilled services. Explore our solutions at www.threatintelligence.com.
