Would it surprise you to learn that in 2022 there were 38% more cyberattacks than there were in 2021? What’s worse, experts predict the trend to continue, with cyberattacks not only becoming more frequent but more sophisticated—and costly—as well. And while attackers are targeting companies across a number of industries and regions, the United States saw the largest single-nation increase (57%) in attacks.
A majority of modern companies understand the serious threat posed by cyberattacks. Many are even aware that it’s more a matter of when they might be targeted as opposed to if they will be attacked.
And yet research shows that 1 in 10 U.S.-based companies have no cyber insurance to protect their data, systems, and other assets. As alarming as that is, there are reasons why businesses—especially small businesses—are currently unprotected against attacks, and understanding these reasons can help providers better justify the value of coverage.
Small businesses might not think they’re likely to be targeted, for example. Or, they might not think there’s room for it in their budget. This might say just as much about their understanding of cyber insurance’s purpose and advantages as it does about their budget itself, though. Finally, some companies realize the importance of coverage from a high level but simply feel overwhelmed by the prospect of understanding how it all works.
In this article, we’re going to look at cybersecurity insurance in a way that can help providers to convey the value of coverage. We’ll be especially focused on small and mid-sized companies, where the “sticker shock” of cyber insurance premiums can—but really shouldn’t—deter them from obtaining the coverage they need to protect their systems and assets, as well as their customers’ data. First, though, let’s define exactly what we mean by the terms “cybersecurity” and “cyber insurance”.
While they’re often discussed in tandem and are closely related to each other, “cybersecurity” and “cyber insurance” aren’t exactly the same thing. Here are a couple of quick definitions that can help focus clients as you explore their cyber insurance needs with them:
Cybersecurity describes the proactive, real-time measures an organization takes to protect their (and their customers’) data as well as other assets. With effective cybersecurity practices in place, companies are able to minimize the risk of cyberattacks.
Cyber insurance, by contrast, refers to a specific type of insurance coverage that relates to how an organization can mitigate the effects of an attack and cover the expenses related to attack recovery.
Because cybercriminals are constantly devising new, more sophisticated methods of attack, cybersecurity is an ever-evolving term. That being said, the five biggest cybersecurity threats facing businesses today include a combination of outside attacks and internal vulnerabilities.
Phishing attacks, where a cybercriminal poses as a trustworthy business contact in an attempt to steal passwords and access sensitive data. “Phishers” might fool recipients by sending legitimate-looking hyperlinks or files that, once opened, compromise an organization’s cybersecurity. Phishing attacks account for as much as 90% of data breaches experienced by companies.
Malware attacks, where malicious code (a trojan or virus, for example) is deployed, allowing cyber attackers to access company networks and access, corrupt, or destroy sensitive data.
Ransomware, an increasingly sophisticated—and costly—type of attack, in which cyber criminals steal company or customer data, encrypt it, and demand a ransom in exchange for returning that data.
Weak passwords that attackers can easily guess or otherwise compromise. Especially in smaller organizations, there is a tendency to keep passwords simple or to re-use them across different systems and platforms. Not only do these practices make it easier for criminals to get their foot in the door, they can do increased damage when one compromised password opens multiple doors, so to speak.
Insider threats, a category that includes any cybersecurity threat that arises from within an organization. Whether insider threats are unintentional (the result of ignorance or poor security practices) or intentional and malicious, they can wreak havoc on a small company, eroding trust from within.
When clients wonder whether cybersecurity insurance is “worth it,” they’re rarely unconvinced of the importance of coverage. What they’re really asking, most likely, is for a detailed accounting of the benefits of cybersecurity insurance and for a clear picture of how those benefits justify the cost.
Let’s take a look at how you can work through the conversation when dealing with a client who’s not yet convinced or ready to buy. We’ll organize this content according to a rough 3-step process for helping them understand…
The need for cybersecurity insurance, including the cost and risk associated with not being properly covered.
The advantages of cyber insurance—and disadvantages of “not taking action” for small businesses.
The costs, including how rates/premiums are calculated—and the value they provide.
There’s a misconception that cyber insurance is only needed by enterprise-level organizations—in reality, virtually every company stands to benefit from some level of coverage. As noted by the Consumer Financial Protection Bureau (CFPB), this includes any companies that “collect and store purchase information, maintain records of Social Security numbers, or have credentialing or educational data.”
Further underscoring the importance of cybersecurity insurance is the fact that small businesses are increasingly finding themselves the target of attacks.
Ultimately, cybersecurity coverage is important for any company that…
Draws in high or increasing revenue.
Deals with a large or growing customer base.
Collects and stores a significant amount of customer data.
Has valuable digital assets and business systems to protect.
Generally speaking, cyber insurance policies are meant to cover legal as well as recovery costs associated with certain types of cyberattacks. What, exactly, is covered by a given policy depends on what type of coverage it offers.
Two of the most common types of cyber insurance are data breach coverage and cyber liability insurance.
Data breach coverage relates to customers’ Personally Identifiable Information (PII) or data governed by Payment Card Industry (PCI) standards. In the event of a malicious breach or unintentionally compromised information, data breach coverage can help organizations cover various costs, like notifying affected parties of the breach, strengthening the organization’s reputation and commitment to cybersecurity, or even offering complimentary credit monitoring services to affected customers. Depending on the specific policy, data breach coverage might also be able to cover costs related to lost business income or extortion costs (related to ransomware).
Cyber liability insurance often includes key elements of data breach coverage, but with a wider potential scope that often focuses on litigation related to a data breach or similar cyberattack. For example, cyber liability insurance might enable an organization to retain legal services, establish and maintain regulatory compliance, cover lawsuit payouts, and so on.
As clients learn more about their cyber insurance options, making it clear what cyber insurance doesn’t cover is just as important as what it does cover. That way, organizations can be aware of outstanding needs or considerations, and evaluate different options for covering such expenses. Some of the main things not typically covered in a cyber insurance policy include…
While lost income is typically covered, loss of potential/future profits is not.
While certain types of assets are covered in the event they are compromised or otherwise lost, that coverage does not extend to the loss of intellectual property (IP) value.
While coverage can be applied to things like ransomware payments (extortion), if an organization or employee falls victim to social engineering—like opening a phishing-type email and voluntarily wiring money to a cyber criminal—they may not be able to recoup those losses.
As of 2021, cyber insurance policies often include cyber war and cyber operation exclusion clauses. These basically state that if a business experiences damages from a widespread attack from an outside nation-state—and is essentially considered an act of war—then those losses are not covered by their policies.
The first step toward helping a client better understand the full scope of their cyber insurance needs—including what expenses are (and are not) covered is taking Trava’s free Cyber Risk Assessment.
Once that’s been covered, the next step is to convey the key advantages of cyber security insurance.
The primary advantage of cyber insurance is that it provides vital support to an organization’s ability to bounce back from a cyberattack and keep their customers’ data safe. More specifically, cyber insurance enables companies of all sizes to…
Recover costs related to data recovery, litigation, and related consequences of a data breach.
Be reimbursed for costs related to business disruption and downtime, including coverage for lost income.
Erect proactive defenses against future malware infections, identity theft, and even cyber extortion (in the instance of ransomware).
Fund forensic investigation efforts to better understand organizational vulnerabilities, system weaknesses, and priorities for enhancing cybersecurity protocols.
It can sometimes be difficult to help smaller businesses understand the cybersecurity landscape, or to help them see that they, too, need coverage. When working with small businesses, it’s important to dispel common myths about cyber insurance—such as the idea that small businesses aren’t likely to be targets of a data breach or cyberattack.
Small businesses need cyber insurance for the same reasons as their mid- and enterprise-sized counterparts—to keep their systems, and their customers’ sensitive information, protected against data breaches and cyberattacks.
For too long, small businesses were under the impression that they were in the clear, even as they inevitably heard about major data breaches in the news on a regular basis. As described by FBI Supervisory Special Agent Michael Sohn, cybercriminals have taken notice of the vast discrepancy between the cybersecurity posture of enterprise-level and small businesses. As the larger organizations beefed up their cybersecurity, cybercriminals began to pivot, “evolving and targeting the soft targets, which are the small and medium businesses.”
With that in mind, there are plenty of compelling reasons for small businesses to have cyber insurance coverage, including…
Many small organizations don’t have a full understanding of the threat level they face, or where their main cybersecurity vulnerabilities lie. This is a dangerous sort of complacency, one that has prompted the FBI to urge more small businesses to take cybersecurity measures more seriously, and to procure cyber insurance.
Comprehensive employee training often isn’t sufficient enough to ensure protection against all types of cybersecurity threats. According to a recent IBM report, nearly a quarter (21%) of data breaches were the result of unintentional negligence on the part of employees or contractors.
The cost of a data breach is high—not just financially, but reputationally as well. Once sensitive data has been compromised, it can be difficult and expensive to recover that data and develop stricter cybersecurity policies. Unsurprisingly, customers don’t appreciate having their data compromised, and recent data shows that 83% “will stop spending with a business for several months in the immediate aftermath of a security breach” (and 21% will never do business with the company again).
Even once the advantages of cybersecurity insurance have been made clear, clients will likely want to determine whether their budget can cover the premiums. In many cases, helping them understand the reasons behind the cost—and the costs of potential inaction—can be highly persuasive.
Cyber insurance rates are increasing largely due to the greater frequency, sophistication, and cost of modern cyberattacks. And the rising rates are significant, with cyber insurance premiums increasing by 91% in 2021 and 65% in 2022.
As mentioned earlier, increases in cyber insurance premiums largely relate to the larger cybersecurity landscape, including the “bad actor sophistication, a propensity to pay in ransomware cases, and a broad swath of geopolitical uncertainty,” each of which Harvard Business Review indicates are “conditions that hackers have found favorable.”
Fortunately for companies just looking to procure cyber insurance, premium increases did slow from 2021 to 2022. As CNBC notes, this is largely due to “the increase in security-related losses and rising demand for coverage.”
As cyber insurance providers discuss coverage with potential clients, it’s important to acknowledge that while cyber insurance costs are on the rise, so, too, are the potential costs of inaction. In other words, yes these policies cost more—but the attacks they’re designed to protect against are also wreaking more havoc when their attempts to compromise data and systems succeed.
A company’s annual cyber insurance cost for the coverage is likely to fall within the range of $500 to $5,000 on average, according to Security.org. That’s obviously a pretty considerable range but the general cost can be difficult to pin down due to the sheer number of variables that factor into the equation. These include factors such as the business size, industry, and annual revenue.
Just as no two organizations are identical, there is no established formula for calculating cyber insurance premiums. Ultimately, these costs will depend on a wide array of factors, with a couple of the most prominent being the amount of sensitive data and customer information being handled and the strength and scope of currently implemented cybersecurity measures. Other factors that impact policy costs include the company’s:
Annual revenue
Business type
Claims history
Company size
Coverage level
Deductibles
Industry
Location
When working with client organizations that classify as small businesses, providers must emphasize the advantages in a way that justifies the cost. For example, the discussion could be re-framed to focus on whether they can afford to forgo this essential coverage, helping them to understand the potential catastrophe that could result from inaction. Helping these clients find the best cyber insurance for their small business means validating and prioritizing their needs, and working to justify the cost as a necessary expense.
Of course, when it comes to cyber security insurance for a small business, cost is always going to be a factor. Fortunately, there are steps a small business can take to reduce costs and make cyber insurance more affordable, such as:
Developing effective employee training around cybersecurity best practices, including identifying and minimizing risks.
Performing (or hiring a third party to perform) penetration testing to routinely monitor systems for vulnerabilities.
Implementing stronger internal practices such as strict policies for using secure passwords and/or multi-factor authentication.
Encrypting all sensitive, personal data and ensuring that access is restricted to those who need it.
Ultimately, the more intimately a small business understands its overall cybersecurity posture, the easier it will be for them to understand the essential value of cyber insurance. A great starting point is to complete a cybersecurity risk assessment, which takes a structured look at an organization’s vulnerabilities and opportunities as they relate to network and application security, sensitive customer data, and more.