According to IBM and the Ponemon Institute’s 2020 “Cost of a Data Breach” report, the average total cost of cybersecurity breaches in the United States of America between August 2019 and April 2020 was $8,640,000. This astonishing figure looks at the hard dollar costs, in addition to:

  • Brand reputation
  • Strained company culture/employee turnover
  • Legal battles associated with the breach

These costs are compiled not solely from the breach itself but also from the ripple effect that came with it.

Cybersecurity breaches are not new, but they are happening more frequently and becoming more costly for companies everywhere. The COVID-19 pandemic pushed many businesses to work with online platforms and leverage cloud data storage which, in turn, expanded these organizations’ attack surfaces, making them more vulnerable to ransomware attacks. 

As a result, the desire to mitigate the risk of a data breach is spreading throughout the entire C-Suite, giving rise to a new kind of insurance: Cyber Liability Insurance.

 

The Rising Need for Cyber Liability Insurance

What is cyber insurance? Cyber insurance, also known as cyber-liability insurance, is an insurance policy that helps protect organizations from the fallout of cyberattacks. 

A cyber insurance plan includes more than just financial protection. It can also help to minimize business disruption amidst a cyber incident. Companies that are hit with a ransomware attack and have no insurance protection are often unable to recover, whether due to a lack of funds, a damaged brand reputation, or detrimental information loss. By adding cyber insurance to your arsenal, you are more likely to recover both financially and market-wise in case of an attack.

 

History of Cyber Insurance

 

Types of Cyber Liability Insurance

There are two categories of financial protection in cyber insurance, first-party and third-party:

First-party cyber liability insurance 

  • What it is: First-party cyber insurance assists in your organization’s internal financial recovery after a breach as well as getting your own network and systems back in order. 
  • Who it’s for: First-party cyber insurance is best for anyone who utilizes technology throughout their company and digitally stores any data. 

Third-party cyber liability insurance

  • What it is: Third-party cyber insurance provides financial help in the event that clients, customers, and partners affected by the cyberattack on your network take legal action against your organization.
  • Who it’s for: Third-party cyber insurance is best for any company that holds, transfers, or has access to sensitive customer data. Companies whose breaches encroach on client information are likely to face more litigation from outside parties.

 

What kind of companies need cyber liability insurance?

Virtually every business in 2021 relies on technology to generate revenue, process transactions, and/or store data. That said, whether or not your company needs to have cyber insurance is a complicated question to answer. 

Companies that store any kind of sensitive data or personally identifiable information (PII) should already have an incident response plan in place. In these instances, the added layer of protection cyber insurance provides could mitigate significant financial risk, as the following line items can become quite costly in the event of a breach:

  • Legal Fees - In the event of a breach, you’ll want to enlist a law firm to advise on your legal obligations based on the nature of the breach.
  • Digital Forensics and Incident Response (DFIR) Vendor - A DFIR vendor identifies the source of the breach and the scope that it reached.
  • Public relations specialists - A breach deals a significant blow to your brand’s reputation. A PR specialist will provide notification to customers and mitigate the reputational damage done as a result of the breach.
  • Additional Third-Party Costs - This could include costs associated with dark web monitoring for your current customer base and other related costs.

 

What is required in order for my organization to obtain cyber insurance?

The process of obtaining cyber insurance is similar to that of any other insurance: the insurer wants to understand the risks your company may face and the precautions you are taking to avoid them.

An important step within this process is assessing your company/industry and its cyber risks. To understand them and better prepare, many insurance companies will measure your cyber risk during the appraisal process. Cowbell Cyber offers a cyber risk evaluation that gives insight into your attack surface and where you are most vulnerable, giving you a better sense of the insurance your business will require.

When you apply for insurance, insurers will need you to know and understand the health of your company's cyber hygiene, attack surface, and cybersecurity infrastructure.

When applying for cyber insurance, you will need to answer questions around:

  • IT and Network Security - Your IT team will have to provide detailed information about the types of technology your organization uses, the outside vendors and cloud providers that touch your networks, and details on your monitoring capabilities. This also includes a thorough review of your incident response plan, which should outline your course of action in case of a breach. (Source: Woodruff Sawyer)

  • Financial Information - Your finance team will need to provide information on your revenue streams, customers, demographics, and other organizational issues. It’s important to keep financial stakeholders in the loop throughout the cyber insurance selection process, as they will also need to provide input into your desired program structure as you evaluate the different levels of risk transfer (premium, limits, deductibles, and scope of coverage). (Source: Woodruff Sawyer)

  • Legal and Contractual Obligations - Your legal team will need to provide information on your contractual protections, such as what your customers are demanding from you, and what you are demanding of your vendors in your contracts. Underwriters are very focused on how successful companies are in limiting their liability, and how aggressively they are seeking indemnity from vendors. Legal also can provide information on your privacy policies, relationships with privacy counsel, and any breach response planning that has happened to this point. (Source: Woodruff Sawyer)

  • An Incident Response Plan - Many cybersecurity insurance companies require that you provide a complete IR plan and evidence that your organization has implemented the correct cybersecurity tools to eliminate known risks. Unless you cover your bases first, no insurance company will want to take you on as a client. Layer your incident response plan with a DFIR Team, a stand-alone cybersecurity insurance policy, and cybersecurity awareness training.

 

What does a data breach look like without Cyber Insurance? 

Many business owners hear the term breach and assume that it deals solely with the finances of the company. However, what many don’t acknowledge is that without cyber insurance, companies that are breached face much more than financial distress or a loss of money.

Recently, the cellular provider T-Mobile was breached and lost thousands of customers’ sensitive information to hackers. It is now facing a class-action lawsuit over a lack of proper cybersecurity, which could cost it thousands on top of the breach.

In addition, many companies face challenges around rebuilding their brand for years after a breach, with some unable to ever fully recover:

  • Code Spaces - The organization was unable to continue operations after a breach, as it had suffered debilitating damages to both its finances and reputation.
  • Nirvanix - It only took six weeks for the vendor to transform from business as usual to demanding customers remove their data quickly and with little notice.
  • MyBizHomepage - After the company spent over $1 million in an attempt to resolve the breach, the company’s board decided to take the site down because it had been rendered useless.


 

How could cyber insurance change the outcome of a breach?

Cyber insurance can help your organization recover in a way that it would not be able to alone, and should therefore always be part of any IR plan.

Cyber Insurance is not only able to support you financially by covering ransoms and replacing lost funds, but many cyber insurance plans are able to handle customer-facing situations as well. This includes letting customers know about the event and handling any legal battles that may arise from it. 

  • What first-party insurance can cover:
    • Cyber extortion payments
    • Hiring an expert to investigate the breach and assist with regulatory compliance
    • Notifying affected customers
    • Customer credit and fraud monitoring services
    • Crisis management and public relations
    • Business interruption expenses, such as the cost of hiring additional staff, renting equipment, or purchasing third-party services
  • What third-party insurance can cover:
    • Legal defense costs
    • Settlements if you and the client settle out of court
    • Judgments you're legally obligated to pay after a data breach
    • Additional court costs

 

How to evaluate a Cyber Insurance Plan

When choosing an insurer, it is important to make sure they are the best fit for your organization, taking into account:

  • Size of your organization 
  • Strength of your cybersecurity 
  • The amount of data your organization holds
  • The frequency with which your industry faces breaches

The next step in acquiring insurance will be going over exclusions, policies, and the agreement plan if there is a breach. When given multiple quotes, take into consideration: 

  • Exclusions in the policy that pertain to your business practices.
  • What territory does the policy cover (region, nation, or globe)?
  • Does the policy contain broad or specific triggers for coverage?
  • Does the policy contain vendor coverage?


Cyber liability insurance plans can be vital to an organization, and just like home insurance, they are plans meant to protect the things you cannot afford to lose. Cyber Insurance is a growing market as more and more businesses go online; therefore having a team at the ready for your legal, financial, and brand support could save your business after a breach. 

 
