Why Investing in Cyber Risk Insurance Pays Off
Until recently, many businesses didn’t think twice about insuring their digital assets — perhaps because the dangers of data felt ephemeral and less worrisome than natural disaster, negligence, product liability and other risks.
But businesses are now reconsidering the inherent risks their digital operations face. To enhance security, they’re viewing cyber risk insurance as a critical investment. More than 60 insurers offer stand-alone cyberinsurance policies, and the U.S. market was estimated at more than $3.25 billion in gross written premiums in 2016, according to the Insurance Information Institute.
Enterprises recognize that all it takes is one mouse click on a fraudulent phishing email to cripple operations and damage reputations, and they no longer want to roll the dice on paying the high costs of cybercrime — especially when the average breach costs $7 million, CIO Today reports.
Is Cyber Risk Insurance the Right Investment?
In the U.K., the anxiety generated by what felt like inevitable cyberattacks fueled a 50 percent increase in insurance adoption last year, leading famed insurer Lloyd’s to introduce 15 types of cyberinsurance to the market in preparation for rising demand in 2017, according to Cyber Business Review.
This fear incentive shouldn’t come as a surprise. Most businesses rely on cyberspace’s vast interconnectivity and thus increase their exposure to all types of cyberattacks and data breaches. It’s no longer a question of whether the business will be hit but rather how and when.
Of course, the inevitability of a breach or attack doesn’t mean a business needs to immediately purchase maximum coverage from all 15 of Lloyd’s insurance plans, especially if the organization already has effective risk management plans in place and is confident about minimizing damage. But as the much-publicized account breaches at Yahoo demonstrated, it’s difficult to minimize risk, especially when it’s hard to detect. Because of the complexities, your business probably should consider at least minimal insurance coverage.
Striving to Stay Undefeated
Achieving ironclad security is everyone’s dream, but it’s a challenge, to say the least. First, consider that not every commercial general liability insurance policy covers cyber risk. That’s a big consideration if your business stores, on site or in the cloud, customers’ personal and financial information along with your own proprietary data. Chances are all that data is accessible through a network that also has devices connecting to it. Because of this connectivity, your business probably can’t completely offset the cost of an attack or breach, even if it comes in well under the $7 million average, so it’s worth weighing the expense of that event against that of specialized cyberinsurance.
Also, just as consumers demand transparency on how third parties handle personal data, don’t be surprised if they also expect businesses to have cyber risk insurance before releasing personal information. Recognizing there’s a shift underway, some tech companies have started offering their own cyberinsurance guarantees, as noted by SC Media.
What to Look for in a Cyber Risk Insurance Policy
If your business decides cyberinsurance is a critical expenditure, look for a policy or group of policies that cover some of the common reimbursable expenses, which include:
- A forensics investigation that determines what occurred, how to repair damage and how to prevent similar breaches.
- Monetary losses caused by network downtime, business interruption and data loss recovery.
- Crisis management costs that might include repairing reputation damage, data breach notifications to the public and credit monitoring for customers affected by a breach.
- Legal expenses arising from the release of confidential information or intellectual property, as well as regulatory fines. This can also include the costs of extortion.
Keep in mind that cyber risk remains difficult for insurance underwriters to quantify because of the lack of actuarial data, according to the National Association of Insurance Commissioners. Underwriters instead rely on the qualitative assessments of a company’s risk management procedures and risk culture. Because the industry is still maturing, cyberinsurance policies have to be customized for each business and can be costly.
It’s up to your business to decide whether to purchase cyber risk insurance, but recent events and constantly evolving threats suggest the cost may be worth it.