The cost of cybercrime, and why you need cyber liability insurance
Cyber liability insurance protects businesses from losses that result from cyber attacks and data breaches. Policies cover the costs of investigations, lawsuits, and other obligations following an attack. This insurance is essential for any business operating in today.
Cyber liability insurance should not be considered optional.
Why do we say this? Because the direct costs of a data breach will be significant, but the indirect costs can quickly become devastating. Still, many companies forgo coverage due to the perceived high cost of policies, confusion about what they cover, and a belief that their organization is immune to cyber attacks.
Cyber liability insurance is specialized. We’ve put together this guide to help you understand the basics and make the wise choice for your business.
According to recent cybersecurity reports by IBM, Gartner, Verizon, and others:
- More than half of businesses experience a cybersecurity attack or data breach in any 12-month period.
- Cisco found that 61% of businesses admit to suffering a data breach in 2020.
- The Ponemon Institute found 65% of businesses in the US suffered a cyber attack in the preceding 12 months, but only 15% of information assets were protected by insurance.

With the number and frequency of cyber attacks increasing, it is vital to have proper safeguards in place. Cyber liability insurance protects your business against cybersecurity threats by helping you recover if the worst case happens.
To understand the need for cyber liability insurance, it is important to understand the evolving nature of cybercrime. As large firms invest more to protect themselves, criminals increasingly attack them through smaller businesses in their supply chains. This indirect attack method puts SMBs at disproportionately greater risk.
43% of online attacks are now aimed at small businesses. – Verizon Data Breach Investigations Report
There are many ways in which cyber criminals gain access to your information.
Phishing, compromised accounts, and employee errors are all risk factors. In today’s remote workforce there is more room for error than ever, with the risk of unsecured Wi-Fi, lost devices, or misconfigured systems.
Phishing and business email compromise (BEC) attacks are two of the most common types of cybercrime. In a BEC scam, criminals ‘spoof’ or impersonate a known source and then send an email message making seemingly legitimate requests. These requests can deliver malware, prompt employees to leak account credentials, or even transfer money.
Cyber attacks garner the most attention, but only 43% of cyber insurance claims are related to hacks, malware, and viruses. The remaining 57% of claims are filed for high-liability situations such as staff mistakes, rogue employees, or stolen devices.
On its own, cyber liability insurance will not fix holes in your security processes or technology. Cyber liability insurance will not train your employees to spot a phishing email or deter criminals from attacking. What cyber liability insurance will do is help your business recover from an incident more readily and with less long-term impact.
Recovering from a cybersecurity incident is costly, and not just financially.
Cybercrime expenses are on the rise. Not only must you recover from lost IP and the financial demands of attackers, there is loss of reputation, staff dissatisfaction, and other hidden costs.
McAfee estimates the global cost of cybercrime is increasing exponentially, doubling in the five years between 2013 and 2018, then doubling again by 2020.
Their estimates show the world economy lost nearly a trillion dollars in 2021 to cybercrime; this rate of growth could see losses exceed $10 trillion annually by 2025.
Cybercrime does not discriminate when it comes to company size.
More than half of all cyberattacks are committed against SMBs, and 60% of them go out of business within six months.
The average cost of a data breach in 2020 was:
- $3.86m globally
- $8.64m in the US

$200,000: average cost of a cyber incident for an SMB
A comprehensive cyber liability policy is necessary to fully protect your business. A comprehensive policy will cover the following:
INCIDENT EXPENSES
Legal, computer forensics, and other incident response expenses that provide assistance and determine the cause of a malicious incident.
CYBER EXTORTION
Response to extortion attempts, including any forensic expenses, and the remediation of extortion, including facilitation and reimbursement of payment.
BUSINESS INTERRUPTION
Lost revenue reimbursement as a result of a breach or outage of systems.
DIGITAL ASSET RESTORATION
Extra expense that results from recreating or restoring data.
REPUTATIONAL LOSS
Responding to adverse media reports following a breach, indemnifying insureds for lost revenues as a result.
SOCIAL ENGINEERING
Reimbursement in the event of a transfer of funds due to deceptive communications directing them to do so.
PCI-DSS FINES AND PENALTIES
If a breach occurs and compliance is in question, the insurance policy will respond to the investigation and any fines and penalties that result.
REGULATORY PROCEEDINGS
Costs to defend against an investigation, and provide indemnification for fines and penalties, where insurable by law.
Ensure that your coverage protects you against the following key threats:
- Data breaches (such as incidents involving theft of personal information)
- Cyber attacks (breaches of your network)
- Cyber attacks directed toward data you host with third-parties
- Global cyber threats (not just attacks originating in the US)
Other beneficial policy coverage:
- Your insurance provider will defend you in a lawsuit or regulatory investigation (try to find “duty to defend” in your policy)
- Coverage in excess of any other applicable insurance policies you hold
- A breach hotline that’s available 24/7 in a worst-case scenario
In the past, getting approved for cyber liability insurance was easy, as the security questions were vague or limited in scope:
Security applications are getting much more detailed and stringent, going as far as requiring newer technologies like endpoint protection platforms (EPP) and endpoint detection and response (EDR).
Third-party security assessments are now standard during the underwriting process, and the outcome will impact eligibility and/or policy rates. Most policies require proof of internal assessments and corresponding actions:
Many insurers now require controls that limit the impact of a security incident or breach.
These include having plans for incident response, disaster recovery, and business continuity. You may also be asked about specific policies, procedures, and training:
Finally, it’s believed that insurers will soon require businesses to adhere to a recognized cybersecurity framework, such as CIS Critical Security Controls, in order to receive coverage. In other words, just having a firewall isn’t enough. These industry-standard frameworks should be formalized within your business to ensure long-term compliance with evolving policy requirements. Below is a snapshot from a recent insurance application for an Umbrella client:
If all of this seems overwhelming, don’t worry – there are clear paths to qualifying for cyber liability insurance. It will require an investment in your security, but it may be the wisest investment you make. At Umbrella, we handle the cyber insurance eligibility for our clients, so make sure your cybersecurity provider does, too.