Cybersecurity breaches have become a predictable part of the business landscape. Every year, companies lose somewhere around $450 billion—more than is spent recovering from hurricanes—from malicious actors stealing information and breaking into digital systems. When a business is hacked, reputational damage alone can be cataclysmic; loss of assets and legal liability can put a company out of business.
The scramble to defend against the ever-present danger of hacking has led to the emergence of cybersecurity insurance, a young area of the insurance market that is already worth $3.5 billion. If you’re thinking about taking the smart step of investing in cybersecurity insurance for your own business, here are some basics to get you oriented.
Cybersecurity insurance is not directly preventative.
Hacks are some of the most expensive lessons in risk management a business can get. The cost of a data breach at an enterprise is around $1.3 billion in 2017, up 11% from 2016. The cost of losing client data is around $200 per record, and double that for medical records. These costs account for lawsuits, recovery efforts, foregone revenue due to a loss of reputation, and more. Cybersecurity insurance is designed to help cover these costs, not to prevent them from being incurred.
This speaks to the more general truth that cybersecurity isn’t a passive assurance to be purchased from any company or consultant. It’s a practice of constant vigilance. Insurance can defray some of the costs of a breach, but only tight security and good practices can prevent you from getting hacked. As the old phrase goes, cybersecurity is baked in, not bolted on.
Two kinds of cybersecurity policies exist: First-party and Third-party.
First-party cybersecurity insurance covers the costs associated with being the victim of a hack: everything from notifying clients of the breach to weathering the storm of lost revenue. For most non-IT businesses, First-party cybersecurity insurance is enough.
Third-party cybersecurity insurance helps cover the risks of being blamed for a breach. This is especially applicable if your company conducts assessments of digital security. It can also apply when a gap in your own security ends up passing a virus on to someone else.
There is no standard cybersecurity insurance policy.
As insurance brokers are eager to point out, cybersecurity insurance is sold à la carte, meaning the policies are highly custom collections of modular (and often complex) coverage terms. Premiums and payouts depend on your company’s industry, data risks and exposures, current practices, financial health, and many other factors. Because policies are so bespoke, it’s wise to shop for a policy based on need, not on cost. Ideally, the cost of cybersecurity insurance will align with your business’s risk. To pay less, get safer.
Expect to overpay until insurers get more data.
In 2013, Target was the victim of one of the most costly cyber crimes ever committed. Target had a patchwork of cyber insurance at the time of the hack, but it only covered the first $100 million of costs following the breach. Actual costs ended up exceeding $450 million. The mismatch was due to one of the biggest challenges still facing the burgeoning field of cybersecurity insurance: actuarially identifying and pricing risk factors.
The market is getting better at pricing cybersecurity risk, but historical data remains scarce compared to what insurers have available for pricing other coverage. After all, not only has cybercrime not existed for very long, but statistical figures regarding its impact aren’t often available to insurers. Until more information is modeled and tested, insurance companies will overcharge for cybersecurity insurance just to be conservative.
Your old insurance probably doesn’t cover cybercrime.
There’s a better chance your company’s general liability insurance policy was originally drafted on a typewriter than that it covers a data breach. Many businesses, however, assume (or hope) that their existing insurance covers cybersecurity. The confusion arises from the typical GL policy’s promise to cover “property damage caused by your business.” Unfortunately, that refers to physical property, not data or electronic systems.
Let the sad story of P.F. Chang’s 2014 lawsuit against Travelers Insurance be a warning. Your general liability or property insurance is almost certainly not intended—or priced—to cover cybersecurity risk.
Get ready for good news and bad news.
If you’re about to buy cybersecurity insurance, the good news is that you’re protecting your business from the high cost of a hack. Smart move.
The bad news is that you’re almost certain to find a multitude of expensive and time-consuming vulnerabilities you had no idea you would have to address. Thanks to the astronomical growth of internet-connected devices in our homes and offices, also known as the Internet of Things, we are perpetually surrounded by potential attack vectors. Executives at BlackBerry recently discovered their office’s tea kettle could be used to gain access to their WiFi, putting everything available on that network at risk. And the IoT risk doesn’t even touch the epidemic of poor password practices, phishing, or the cat-and-mouse game of evading more sophisticated threats.
That’s why the true benefit of cybersecurity insurance might be its ability to quantify the true cost of digital security. As the market matures, your business will be able to point to the real cost savings of being safe enough to drive down premiums. That’s a healthy motivation to get safer, and a solid contingency plan, all in one policy.