Life, home and auto insurance have been around for decades. Even a gecko can explain what these policies cover. Cyber security insurance, which is relatively new, helps an organization or company recover from a cyber crime. Because it’s not as established, what it covers can vary from insurer to insurer.
When buying cyber security insurance, you’re smart to ask a lot of questions so you know exactly what you’re getting for your money.
Do I Need Cyber Security Insurance?
Yes, you need cyber security insurance if your organization has assets that could be compromised electronically. These kinds of assets are things like money, intellectual property or data that’s classified, important or irreplaceable. Cyber security insurance is there to cover you in case these assets are lost or stolen.
Say you have a bank account that allows a vendor to withdraw funds each month. That automation is all well and good until the vendor gets hacked and a request comes into your bank account from the hacker. It looks legitimate to the bank, which then pays it out of your account. The hacker lines his pockets and your company is left holding the (empty) bag.
Now imagine hackers making their way into a database you maintain with consumer medical or financial information. If that database is breached, your company or organization must alert the authorities and consumers--sometimes on a national or international scale.
“But it’s not fair! It’s not our fault!” We hear your cries and feel your pain. But just like when someone smashes your car window to steal your briefcase, the consequences are yours to deal with and you’ll be happy to have insurance to help.
What Does Cyber Security Insurance Cover?
A good cyber security insurance policy will cover everything it costs to get you back up and running, the costs of forensics for tracking the origin of a breach, money spent to notify authorities and users, and any ransom paid to retrieve your data. It could also cover:
- Fines you could be required to pay if certain types of information are stolen.
- “Reputational repair,” such as public relations services to help you get back into your clients’ and customers’ good graces after an incident.
- Attorneys to advocate on your behalf.
- Negotiators for dealing with ransom requests.
Who offers cyber security insurance?
All the major carriers have cyber security insurance offerings, so be sure to look at several providers to compare cost and coverage. Your IT service provider may have brokers to recommend. You can also ask your IT company to review your current policy to identify any concerns.
If your current provider claims to have you covered, but has never assessed your security risk, the coverage might not be sufficient.
How much does cyber security insurance cost?
The cost of a policy depends on the organization’s size and potential risks. In 2020, a company with under $10 million in annual revenue should expect to pay a few thousand dollars a year for a cyber security insurance rider. Organizations dealing with medical or classified information could pay more.
Premiums have been increasing drastically because of the rising costs of ransom attacks and recovery. Still, given a policy cost of a few thousand dollars and a $5,000 to $10,000 deductible, with the average cost of a ransomware attack pegged at $84,000, the policy would easily pay for itself with just one incident.
How much cyber security insurance is enough?
In our current climate, going without cyber security insurance is not an option. Your task is to determine how much risk you’re willing to take and how much you want to spend. Just be aware that it’s very easy to spend too little and not have adequate coverage.
What if we don’t have cyber security insurance?
Unfortunately for uninsured companies, a cyber security breach can affect the organization financially, immediately or for years to come. According to insurance carrier Hiscox, 60 percent of businesses that are victimized by cyber crime go out of business within six months.
What do we do if we’ve been breached?
You should call your IT company or notify your IT department immediately. And you should call your cyber security insurance company at the same time. In some cases, if the breach is large enough, the authorities must be contacted, but that should be discussed with your legal counsel first. Keep in mind, your insurance company’s goal is to get you up and running with as little cost as possible. The authorities may be more concerned with identifying the attacker, which could possibly lead to delays for your company.