No business is immune to cybersecurity risk, and the cost of the average data breach is steadily rising. It's no wonder, then, that we're seeing a rise in the popularity of cybersecurity insurance. Here, we'll explain what you need to know about this type of insurance and share key ways to help keep your premiums affordable.
Like other forms of insurance, with cybersecurity policies you pay a premium for coverage in case something bad, like a data breach, happens to your company. Sometimes called cyber liability or data breach insurance, these standalone policies are meant to help companies recover from data loss due to a security breach, network outage, service interruption or other cyber event.
The Department of Homeland Security's Cybersecurity Institute is encouraging a "robust cybersecurity insurance market" as a way to "help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured's level of self-protection."
In the 2018 Cost of a Data Breach Study by Ponemon, the global average cost of a data breach was "up 6.4 percent over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year to $148."
Businesses big and small can fall victim to cyber criminals, whether it's due to hacking, malware, crypto-mining or some other nefarious act. When something bad happens there are many negative impacts for the business:
It depends on the type of policy you get and your insurance carrier. The primary choice is between first- and third-party policies. First-party coverage protects against your own losses and can include reparations for cyber extortion, lost business opportunities, and damage to or loss of digital assets.
Third-party coverage provides protection for companies that manage systems, networks or software holding others' data. These plans typically cover loss of personally identifiable information (PII) and customer notification costs.
Few of these policies, though, cover physical damage or bodily harm that could result from a successful cyber attack against critical infrastructure.
It can get pricey. Perceived risk is high, so insurance carriers charge hefty premiums. At the same time, it's more difficult for their underwriters to accurately assess risk and damage costs. That's because there is a shortage of objective data on data breach costs.
The premiums are also high because so many data breaches do end up in large payouts. Financial and health-care institutions typically face even steeper premiums because they collect and store more sensitive data, which is a prime target for the bad actors in our rogues' gallery.
For tips to lower your cyber insurance premiums, read on.
70% of executives surveyed for "Cyber Threats: Measuring Awareness, Assessing Preparation" said their companies carried cyber liability insurance, but only 21% had ever filed a claim.
If you have not already done so (cue: shame) you need to perform a risk assessment to determine what assets might be impacted by a cyber attack. This analysis should consider the cyber criminal's desire for:
Ultimately, it will be important for you and your carrier to customize an insurance policy to your particular industry, business risks, and identified vulnerabilities. This is not a one-size-fits-all scenario. For example, PCI penalties can be "more devastating" than breach-related fines. Or, social engineering attacks may be excluded. Read the fine print carefully.
While it's pretty straightforward that you can get a safe-driving discount on vehicle insurance or cut the cost of healthcare premiums by signing a non-smoking certification, there is no widely advertised fee reduction structure for cyber insurance. Yet implementing cybersecurity best practices and remaining compliant with industry standards will lower your premiums with many carriers.
The actual cost savings from implementing the tips below will vary depending on your industry, company size, annual revenue, and the insurance carrier, among other things.
By conducting a penetration test at least once per year, you'll be more likely to uncover vulnerabilities that could lead to a breach. In the eyes of insurers, this lowers your risk profile.
Work with a trusted third-party security partner like RedTeam Security to assess your vulnerabilities and outline a path to remediation.
Some insurers won't write you a policy at all if you are not following password best practices. Strong passwords are 8 characters or longer, do not contain words that are found in the dictionary, and include a combination of lowercase and uppercase letters, numbers and symbols.
Additionally, you and everyone on your team should use unique passwords for every service. Consider implementing two-factor authentication in addition to passwords.
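The password rules above, written as an enforceable check so a policy can be applied consistently rather than judged by eye (an added example, not code from the article or from RedTeam Security; the word list is a small constructed stand-in for a real dictionary, and the four-letter minimum for dictionary matching is an assumption):

```python
# Added example: checks a candidate password against the rules the article
# lists (8+ characters, no dictionary words, mixed lowercase/uppercase/
# digits/symbols).  Not the article's or RedTeam Security's own code.
import string

# Constructed sample word list.  Assumption: a real deployment would load a
# full dictionary file instead of this handful of words.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "company", "admin"}

# Assumption: dictionary words shorter than 4 letters are ignored so that
# fragments like "a" or "is" do not reject every password.
MIN_WORD_LEN = 4


def find_dictionary_words(password, dictionary=SAMPLE_DICTIONARY):
    """Return dictionary words found inside the password (case-insensitive)."""
    lowered = password.lower()
    return sorted(w for w in dictionary if len(w) >= MIN_WORD_LEN and w in lowered)


def check_password(password, dictionary=SAMPLE_DICTIONARY):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    words = find_dictionary_words(password, dictionary)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


def is_strong(password, dictionary=SAMPLE_DICTIONARY):
    """True when the password satisfies every rule."""
    return not check_password(password, dictionary)


if __name__ == "__main__":
    # Constructed candidates: one passes, two fail for different reasons.
    for candidate in ["xT7#qv9Lmz", "Summer2019!", "sh1A!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```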
Encrypt any and all sensitive data, whether at rest or in transit. Keep your encryption key secure and carefully control which parties have access to it.
One of the key determining factors in the cost of your cyber insurance policy is the number of records you access, store and transfer on a normal basis. One easy way to keep your insurance premium down is to tightly control the volume of records you deal with.
Just like bundling your home and auto coverage can save you money, working with the carrier that is already covering your property or general business liability may net you a discount.
Download our convenient checklist, which contains 5 MORE ways to lower your cybersecurity insurance premiums.
Cyber insurance policies can provide some peace of mind. Yet, any thorough risk-management strategy will benefit from penetration testing and expert, outside insight into your company's particular risk profile and vulnerabilities. RedTeam Security Consulting experts can assess your risk, identify issues, and provide remediation advice. Contact us today!