No matter its size, any business is vulnerable to a cyber attack.
In fact, 43% of breaches occur at companies with 250 employees or fewer.
Of those organizations, 61% go out of business within the first year after the attack.
One way to protect your business in the event of a cyber attack is to invest in cyber security insurance, a critical policy that can help you stay afloat.
Continue reading to learn why you need cyber security insurance, what types of incidents and recovery efforts are covered, and how to get insured.
What is cyber security insurance?
Cyber security insurance is a policy businesses take out to protect themselves against losses due to a cyber crime or incident.
This is an additional policy and does not replace anything already in place.
Like regular insurance, you must pay a premium; your overall risk level determines the cost.
Then, in the event of a data breach, ransomware attack, or other cyber crisis, you’ll receive financial coverage and assistance during the identification and recovery process.
Why do I need cyber security insurance?
In today’s technological landscape, almost every business needs cyber security insurance.
“We tell everyone that they need it because everyone is susceptible to a potential breach,” says Jon Sharp, President of Hardenbergh Insurance Group. “Oftentimes, small businesses might think, ‘Well, we’re too small. No one’s going to try to get our info.’ In fact, it’s the opposite.”
In some cases, smaller companies might not be talking about proactive ways to protect their organization or educating their employees to recognize scams.
The difference between traditional insurance and cyber security insurance
Consider these scenarios to understand why you would need cyber security insurance.
Scenario 1: An individual enters your business’s retail location and holds up the cashier. The cashier hands over all of the money in the drawer, a total of $5,000.
Scenario 2: An attacker hacks your computer system, locks it, and demands $5,000 to unlock it.
While your regular insurance policy would likely cover a claim in the first scenario, it would not cover an event like the second scenario.
That’s where cyber security insurance comes into play.
If you have protection in place for your physical location, it only makes sense to protect your computer systems.
Is cyber security insurance required for certain industries?
Keep in mind that every business needs cyber insurance in today’s world.
However, Sharp shared that businesses in the following industries are at greater risk due to the sensitive nature of their data:
- Healthcare
- Education
- Any company that accepts electronic payment
If you store sensitive data in an electronic format, then you need a cyber insurance policy in place.
Sensitive data can include credit card information, dates of birth, Social Security numbers, and more.
“Anyone who houses or deals with that information needs it, and from my perspective, really all businesses are doing that,” Sharp says.
Even if you don’t think you house sensitive information, you most likely have data that is valuable to someone.
What does cyber security insurance cover?
Although the items covered can vary from company to company, Sharp shared a list of what is commonly covered under a cyber insurance policy.
Data Breaches
After a data breach, there are specific laws to follow and notifications to make, depending on how extensive the breach was. For example, some breaches require credit monitoring for affected individuals over a certain period. This type of policy covers that cost, along with the notifications to anyone affected by the breach.
Business Interruption Loss
If your systems are targeted and shut down for several days, you most likely won’t be able to run your business and make a profit. This coverage will pay you for that loss of business income. A policy like this is vital for small businesses that cannot afford much downtime.
Cyber Extortion
If hackers lock your computer or systems, they may demand a certain sum of money or bitcoin. This coverage will pay for you to unlock your systems and retrieve your data.
Forensic Support
When a breach occurs, you need professionals to evaluate the extent of the damage. This policy covers the cost of examining your systems to determine what information was stolen.
Legal Support
When recovering from a cyber attack, it’s necessary to have attorneys work with you to determine the types of notifications you need to make. This support is covered in cyber insurance policies as well.
Requirements for cyber security insurance
While there are no specific prerequisites to obtain cyber insurance, the controls you have in place will affect the cost of your premium.
One way you can assess your current control activities is to undergo an accredited audit, such as a SOC 2. An audit can help identify gaps in your security posture so you can take steps to resolve them.
Audits can also help you provide documentation about the control activities you have in place.
How much does cyber security insurance cost?
The cost of your premium depends on your risk profile and the control activities you have in place.
The riskier you are, the more you’re going to have to pay.
If you have better security procedures, you’ll lower your risk of an attack and lower your premium as a result.
How to obtain cyber security insurance
Obtaining cyber insurance is very similar to getting traditional insurance.
To determine your risk level, you must fill out a questionnaire that provides a snapshot of your security posture.
Potential items assessed in these questionnaires include:
- Organization financials
- Designees for responsibility (Security Officer)
- How controls are tested and how often
- Common technical controls (anti-virus software, VPNs, MFA, etc.)
- Disaster Recovery/Incident Response plans
- Training and policy documentation
- Types of data being housed
- Website controls
- Previous loss situations
Ensure that you communicate your policies and procedures correctly on these questionnaires and provide documentation as needed.
What happens if a breach occurs?
In the event of a breach, you’ll want to notify your insurance carrier first.
You can then connect with attorneys, who will assess what state laws you’ll need to follow. Behind the scenes, the forensics team will investigate the situation and discover what information was actually stolen.
These actions may occur within the first 24-48 hours as you work to get your systems up and running again.
Keep in mind that the full recovery process can be very extensive.
“It sometimes takes up to months to really understand all that was breached and what actions you need to take on behalf of the people who did experience the breach,” Sharp says.
Steps you can take now to improve your security posture
From a risk management perspective, there are several actions you can take now to protect your business from cyber threats. Sharp suggests implementing the following items:
- Multi-Factor Authentication (MFA)
- Protected backups of your servers, both on and offsite
- Secure remote access to your business systems
- Increased safety awareness through staff training
For more information on proactive steps you can take to protect your business, review our list of SMB Cyber Security Musts for 2022.
Start securing your business today
It’s more important than ever to protect your business on all fronts.
In 2021, the costs of data breaches increased from $3.86 million to $4.24 million, the highest amount in 17 years.
As cyber attacks become increasingly frequent and expensive, it’s essential to take advantage of preventative measures like cyber security insurance.
Plus, moving through the process to get insured can help you discover and resolve security vulnerabilities in your environment.
Take action today to protect your business tomorrow.