Your business has invested heavily in cybersecurity efforts to safeguard the organization against a range of threats. These investments are largely seen as a way to reduce the financial risks to the business—reduce being the key word. All the technology solutions you implement and the user awareness training you do are not sufficient to completely eliminate the risk from cyber threats. The goal is to bring the risk down to a level that your organization can tolerate.
Increasingly, enterprises are purchasing cyber insurance to offset financial risk in the event of a significant data breach or business disruption caused by incidents such as a denial of service attack, a ransomware attack, or even an outage of Internet infrastructure.
Who really needs cyber insurance? The short answer is: everyone. Every type of organization – municipalities, non-profit organizations, educational institutions, and corporations alike – needs cyber insurance if it collects, processes or stores employees’ or customers’ personal or financial data, or if it holds proprietary intellectual property.
Possession of this information makes these entities targets, pure and simple. You see the metrics on how often attacks are directed toward your own company. All it takes is one successful attack to cause a costly data breach.
Kaspersky Lab reports that the average cost of a data breach for enterprises in North America in 2017 was $1.3 million. Some breaches – think Equifax, Anthem, Target Corporation, Home Depot – are orders of magnitude higher in their total costs. The Target breach alone has already resulted in $450 million in losses (only $100 million of which was covered by insurance) and might ultimately reach $1 billion when all is said and done.
A well-crafted cyber insurance policy can transfer risk and provide a safety net to reduce liability costs and help sustain your business if a serious cyber event should happen.
Reasons to Consider Cyber Insurance
There are numerous reasons to consider acquiring cyber insurance. First and foremost, standard business liability insurance policies don’t cover cyber liability, and that probably won’t change any time soon. A separate policy, or several, is required to address your specific cyber risks.
Next, insurance puts a monetary value on your organization’s cyber risk. This metric is useful when discussing security budgets and risk tolerance levels with senior management.
The policy underwriting process can help your organization identify cybersecurity gaps and opportunities for improvement. During the underwriting process, your company must be able to adequately describe and show that you maintain your administrative, technical and physical controls (i.e., your cybersecurity posture). The insurance carrier may provide a third-party assessment of that posture in order to identify areas of improvement or adjustment that might help to boost your cybersecurity posture and bring down your insurance costs.
In addition, a cyber insurance policy could bring supplemental value through the inclusion of risk mitigation tools as well as significant incident response assistance following a cyber incident. A carrier might require that you have specific incident response vendors in place before an event ever happens.
Your company might have a business relationship that requires that you have a cyber insurance policy; for example, if you process sensitive data for another company. In that sense, your company is a third-party risk to your client, which is also trying to reduce its risk of doing business with you. By the same token, if your company uses a third party to process or store your data – and this includes a cloud service provider – then you are legally responsible for safeguarding that data. Having cyber liability insurance might protect you if your third-party host suffers a breach. Note that third-party liability is sometimes an exclusion that needs to be negotiated into your policy agreement.
Numerous information security and data privacy laws impose hefty fines for non-compliance and outright violations. Such fines can put a significant burden on your organization. For example, the European Union’s General Data Protection Regulation (GDPR) can impose fines of up to €20 million or 4% of annual turnover (sales) if non-compliance with this privacy regulation can be proven. PCI DSS states that merchants found at fault for payment card breaches can be fined $50 to $90 per compromised cardholder record. Regulatory fines can add millions or even tens of millions of dollars to the cost of a breach.
Eschew coverage at your own peril
In general, without cyber liability coverage, your organization is solely responsible for the financial costs of any data breach or business disruption caused by a cyber event, including loss of business, customer notifications, a forensic investigation, regulatory fines, and damage to reputation and brand. Additionally, if any of your customers decide to sue you for jeopardizing their data, you could be responsible for all of the court fees and settlements.
For many companies, those costs are simply beyond the tolerance level.