Is Cyber Insurance Worth It?—What You Must Know First

Whether you own a small business or you are a member of a global enterprise you may be wondering whether or not cyber insurance is worth the investment. 

In this article I will cover the benefits of cyber insurance, how it differs from standard liability insurance, trends in the cyber insurance industry, and many other burning questions you’re likely to have when deciding if cyber insurance is right for your business.

Disclaimer: The contents of this article are provided for general reference and do not constitute legal or professional advice. You must consult insurance companies and legal counsel to understand the cyber insurance and liability requirements of your business.

What Is Cyber Insurance?

A cyber insurance policy is a type of business insurance that is designed to protect your business in the event of a cyber incident. 

Generally speaking, there are two key categories of cyber insurance policies:

• First Party Coverage: These policies cover cyber attacks or data breaches within your own network
• Third Party Coverage: These policies cover costs related to lawsuits and other liabilities that are related to security failures that were made possible by your business.

Much like traditional insurance policies, cyber insurance policies are designed as a last resort to cover costs associated with a worst-case scenario. When a cyber event occurs they will help cover part of the costs of remediating cyber security incidents.

Cyber insurance typically covers costs of one or more of the following:

• Costs associated with business interruption 
• Legal fees and regulatory investigations
• Cyber extortion from a ransomware attack (though nowadays insurance carriers are less likely to cover the costs of the ransom—more on that later.)
• Credit monitoring services for data subjects that had sensitive information leaked
• Lost income and related financial losses

What coverage is offered varies greatly depending on the specific cyber policy limit, the context of the cyber event, the covered business, and the insurance company. 

Cyber Liability Insurance vs Technology E&O

Technology errors and omissions insurance (Tech E&O) and cyber liability insurance both cover part of the costs associated with data breaches. 

The key difference is that a Tech E&O policy protects your company when a client is harmed, whereas cyber insurance covers the costs to your business and its customers as a result of data breaches and cyberattacks.

Many businesses that offer managed IT services (MSPs) will use a Tech E&O policy to protect themselves in the event that a security incident results in cyber exposures to their clients.

Cyber insurance expert Joseph Brunsman recommends that MSPs avoid purchasing separate cyber insurance and E&O policies; according to Joseph they should combine the two into a single Tech E&O policy. 

That said, coming into 2022 the mass-scale business interruption caused by ransomware and the rapid transition to remote workforces has the insurance coverage options for MSPs severely dwindling—more on that later.

Is a Cyber Insurance Policy Worth It?

Now that you have an understanding of what cyber insurance is, there’s an obvious unanswered question—Is it worth getting cyber insurance?

If you’re having doubts about the value of an insurance policy to provide coverage for cyber incidents, you’re not alone. 

According to a 2019 survey by Spiceworks 41% of IT pros stated that their business hasn’t purchased cyber insurance because it’s simply not a priority at their organization. A further 33% flat out stated that they’re not sold on the benefits, and 34% didn’t bother because it wasn’t required by regulations.

This section will cover the key benefits of this niche business insurance to help you decide if some form of cyber risk insurance is worth the cost for your company. 

Is Cyber Insurance Mandatory?

If you’re one of the many questioning the value of cyber insurance you might simply want to know if you’re required to have some form of cyber security insurance.

The short answer? No, not all businesses are required to have a cyber insurance policy.

That said, depending on the sensitive data you’re responsible for protecting you will most likely need to strongly consider being covered by cyber insurance. It’s also in your best interest to take a proactive stance on cybersecurity, including getting insured against your most likely cyber risks.

If the only sensitive data you need to be concerned with is intellectual property, you may be less pressed to get covered than a business that handles sensitive customer information.

Even then, we live in an increasingly connected world that is slowly beginning to understand the potentially global implications of a network security failure. It’s incredibly likely that one day data breach insurance will be as mandatory as workers’ compensation insurance is.

Why Should I Get Cyber Insurance?

Lets face it; no organization is 100% safe from a cyber incident. As a matter of a fact it’s almost never a matter of IF you’ll suffer a breach, but WHEN. All it takes is a simple W-2 form phishing attack or a disgruntled employee with a flash drive to have data stolen or disclosed by employees

What makes the difference is how prepared you are to address it.

If you collect and maintain a certain level of important information that could result in legal issues if it were compromised, you’ll need to strongly consider getting  insured with a dedicated cyber liability policy. 

The costs associated with meeting the mandatory data breach reporting requirements of GDPR, CCPA, PIPEDA, and similar data security and privacy regulations alone make cyber coverage a priority for many businesses.

There’s also the costs of lawsuits, which are always a risk following a data breach. According to the 2019 Cyber Claims Study from NetDiligence the average cost for legal defense was $740,000, while the average legal settlement was $2 million. Regardless of your annual revenue, having an insurance policy is going to help you recover.

Depending on your industry you may even lose business due to a lack of insurance. Some businesses will go so far as to require any third parties they do business with to have some form of coverage against cyber threats. 

For example, Spiceworks user Juanoflo says they “request COI (certificates of insurance) from every vendor that comes to our facility and any vendor that interacts or provides guidance on any system we use here.”

There’s also the risk of losing money to social engineering: Depending on the amount lost, falling victim to a funds transfer fraud could be detrimental to your business.

Truthfully, small businesses and large enterprises alike will benefit from some degree of coverage. How much coverage your business requires is going to vary greatly depending on your most likely cyber threats and the implications of compromised data.

How Much Does Cyber Insurance Cost?

While there’s no guaranteed set cost of cyber liability insurance, there are some estimates to get you started. 

According to data from AdvisorSmith for companies with $1 million in revenue, for $1 million in cyber liability coverage, with $10,000 of retention:

• Cost by Industry: The average annual cost of cyber insurance is as low as $909 for the Transportation & Logistics industry, and as high as $2,429 for Financial Services companies. 
• Cost by State: California is the cheapest at $1,430.18 and Arkansas is the highest at $1,646.50.

According to buzz within the cyber insurance space Managed Services Providers that are fortunate enough to get any sort of coverage will be facing significant insurance costs in 2022. A user of the MSP subreddit noted an annual cost of $2000 in 2020, $4000 in 2021 and a demand for $20k in 2022 for their insurance policy. 

That said, their specific carrier plans to stop offering insurance to MSPs altogether so the agonizing $20k tab is likely more of a scare tactic than a typical cost for cyber insurance. To get an accurate cyber liability insurance quote your best bet is to ask for one from a licensed agent.

What Does Cyber Insurance Cover?

Cyber insurance coverage varies greatly depending on the specific cyber insurance providers, the current underwriting guidelines, and the cyber risk profile of each business. When choosing the right policy for your business you need to have your legal department look into your options carefully to ensure you’re adequately covered.

That said, the Spiceworks study from before provides some insights.

According to the survey a cyber insurance policy will typically offer general cyber liability coverage, though other offerings such as covering the loss or damage to electronic data, legal/investigation fees, loss of income, cyber extortion losses, data breach notification costs, and the costs associated with a damaged reputation may also be covered.

As for how much privacy liability coverage is available, the Spiceworks study also provides some insights. As you can see here the majority of cyber insurance plans have a coverage limit between $1-5 million, though there are some offering a staggering $20 million or greater.

Other items covered by cyber policies

• Network Security Coverage: Failures such as data breaches, business email compromise, and ransomware
• Privacy Liability: Covers the costs of regulatory investigation and remediation following the leak of sensitive personal information
• Technology Errors and Omissions (E&O): Third-party liability coverage for cyber risks introduced by your business to another business. 
• Business Interruption: The costs associated with interruption to standard operations such as lost productivity from limited access to an integral computer system and the time investment for remediation and data recovery.

Do These Insurance Policies Even Pay Out?

A word of warning: While all of this sounds well and good, there have been cases where insurance companies have refused to pay out. 

• In 2017 Rhode Island law firm Moses Afonso Ryan filed a lawsuit against its insurer after they refused to pay for lost productivity due to a ransomware attack, though they did provide the policy maximum of $20,000 for losses caused by computer viruses, which are covered under a computers and media endorsement.
• In 2017 the nation-state NotPetya malware attack caused an estimated $10 billion USD in damages when it infected hundreds of organizations across the world. Some insurers invoked their “war exclusions” to avoid paying out on any related claims.
• In 2021 Lloyd’s of London stated that they would not pay for “acts of cyber-war” or nation-state retaliation attacks.

As with any other form of insurance there’s bound to be providers that will do all they can to minimize their payouts. Be certain to vet your provider carefully and collect as much information as you can about what is and is not covered by your policy.

Does Standard Business Liability Insurance Cover the Costs of a Data Breach?

No, not always! It’s crucial that your business understands what is covered by its current policies and where a cyber policy can fill in the gaps. 

There’s a concept known as “Silent Cyber” whereby many significant cyber security events are not expressly covered within traditional policies. In 2019 the prolific UK insurance market Lloyd’s of London helped make this distinction clearer by mandating that all property and casualty (P&C) policies implicitly state whether or not coverage is provided for losses caused by a cyber event.

Since there is such a wide variety of cyber risks to account for it is essential to consult with your current insurance provider to have them be explicitly clear about what cyber risks are covered and which ones are not. 

For example, if you try to resolve claims related to social engineering attacks it’s entirely possible that your coverage will be denied due to “human error”, though truthfully it’s difficult to concretely discern what isn’t human error; be certain to get the distinction in writing from your insurance provider.

Trends In Cyber Insurance Coverage

Policy Rates Are Climbing Dramatically—Or Not Being Offered at All!

“The damage caused by ransomware gangs has increased so much over the last two years that average cybersecurity insurance policy coverage amounts are plummeting, premiums are rising (doubling in many cases), deductibles are increasing, and exclusionary policy ‘outs’ are increasing.” – Roger Grimes, KnowBe4

Thanks to significant spikes in ransomware, business email compromise, wire fraud, and ACH fraud, the average cyber insurance quote for small businesses and enterprises alike is only going to continue increasing from 2022 onwards.

The cyber liability insurance industry as a whole has caught on to the fact that large-scale cyber security incidents such as the WannaCry ransomware (that caused an estimated $4 billion in damages) put their businesses at risk of insolvency from an unanticipated spike in claims.

As mentioned before this is particularly true for IT Managed Services Providers. The user of the MSP subreddit that noted an annual cost of $2000 in 2020, $4000 in 2021 and a demand for $20k in 2022 may not be an outlier.

In terms of community discussion, cyber insurance expert Joseph Brunsman (/u/Joe_Cyber on Reddit) offers the following insights and predictions:

• Tech E&O and cyber insurance policies are both up 40-50% for those with optimal risks and up 50-100% for those with less optimal risks
• Semper gumby is going to be the operative phrase here. Cyber insurers are facing ever increasing demand, decreasing capacity, and a lack of profitability. This means more quotes, each requiring greater scrutiny and additional controls, are being dealt with by fewer underwriters.
• Cyber insurance policy providers are increasing their demand for security controls from their clients, and what they want to see varies week by week. Your business needs to have an adequate IT security budget and infrastructure to meet the demands.

Are you ready for your next IT security audit? Check out these tips to assess the cyber risk of your company.

Insurance Providers Aren’t Keen to Pay Ransomware Demands

For a while there was a disturbing trend of companies relying on their cyber insurance provider to pay the ransomware demands of cyber criminals—despite the FBI’s recommendations against the practice. 

This led to some unscrupulous companies misusing their providers rather than proactively hardening their own security posture to prevent the attacks in the first place.

Thankfully legislation is catching up and it’s steadily becoming more common for ransomware payments to be illegal.

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)

Of the companies that have recently offered some form of ransom coverage, AdvisorSmith notes that many policies “provide very limited coverage for ransomware or cyber extortion attacks, with coverage sublimits as low as $25,000, even when the cyber liability policy has a much higher total limit.”

Cybersecurity Insurance Firms Are Acting Like MSSPs

Many of the few insurance companies still offering cyber insurance have realized that managing their client’s cyber risk is in both of their best interests. 

While this will often present itself as a list of required security controls such as ongoing cyber security awareness training and ongoing audits, several insurance companies have started acting as Managed Security Service Providers (MSSPs) to their clients. 

Rather than simply requiring particular security controls they have begun proactively offering security services themselves, contracting out managed security providers, or only offering policies to clients that adopt particular security solutions providers.

These advanced insurance providers will help you evaluate your cyber risk, make recommendations for strengthening your security posture, help with patch management, and even monitor the logs of security tools for high-risk or anomalous activity.

How CurrentWare’s Endpoint Security Solutions Can Help

Whether you are a small business or a global enterprise, you simply cannot get insured without sufficient security controls. CurrentWare’s endpoint security solutions will help mitigate many common cyber attack risks so you can get insured and continue to offer your clients peace of mind.

With the CurrentWare Suite, you can…

• Monitor employee internet and application use for high-risk or anomalous behavior
• Protect intellectual property and other sensitive data against theft to portable storage devices
• Block high-risk websites and apps such as unsanctioned cloud storage and known malicious sites

With these critical security controls in place, you can reduce your cybersecurity insurance premiums by addressing a multitude of security vulnerabilities.

Learn more about CurrentWare’s endpoint security solutions

Conclusion & More Resources

Having a sufficient cyber liability insurance policy is an essential part of being prepared to respond to a cyber attack. 

Alongside proactive security controls these policies provide your business with the capabilities it needs to respond to incidents caused by cyber criminals, third parties, and insider threats.

If you would like to improve your security posture you can get started today with a free trial of CurrentWare’s endpoint security software solutions.

More Resources

• How to Keep Data Safe When Offboarding Employees (CurrentWare)
• What Every CISO Needs to Know About Cyber Insurance (Symantec)
• Internet Use Policy Template (CurrentWare)
• Dear MSPs: Here is Your Most Common Insurance Mistake (Joseph Brunsman)
• Removable Media Policy Template (CurrentWare)
• The MOST Important Insurance Lesson I Can Teach You (Joseph Brunsman)