The internet is a dangerous place to depend on when it comes to your business, finances, or livelihood in general. Yet in our hyper-connected world, we all rely on it more than we would like.
We give our data to companies and services. We pay bills and buy things online. We put our entire identities on the web, do our best to protect our identities and secure our data, and cross our fingers that the next massive data breach won’t affect our businesses or any of the services we’ve trusted with valued personal or financial information.
The thing is, security isn’t getting any easier. Our digital landscape is rife with phishing, all kinds of malware including ransomware, brute-force botnets perpetrating massive DDoS attacks, and plenty more nasty hacks and potential attack vectors. Cybercriminals are only getting smarter in 2018, and are already beginning to use artificial intelligence (AI) and machine learning (ML) to more effectively target businesses and individuals.
As the Equifax breach taught virtually every adult in the United States, sometimes your data can be compromised by a service you didn’t even know had your personally identifiable information (PII). The recently disclosed Meltdown and Spectre vulnerabilities serve as yet another reminder that your computers and smart devices may be compromised without you even knowing it. At this point, there’s no guarantee that any of your data is 100 percent safe.
What you can do, either as a business or an individual, is to cover potential losses with cyber insurance. There are plenty of benefits and drawbacks to buying cyber-liability coverage (which we’ll get into below), but if you already have insurance policies for your house, car, health, pet, and life, why not cover your online data and digital identity as well?
1. What Is Cyber Insurance?
Cyber insurance has been around for more than a decade. Market research firm Progressive Markets projects the global cyber insurance market to hit more than $29 billion by 2025, while PwC estimates it will reach $7.5 billion as soon as 2020.
Cyber insurance is a sub-category of general insurance that covers businesses and individuals against internet-based liability and risks. There are generally two levels of cyber liability coverage: first-party and third-party. First-party coverage encompasses direct losses to an organization or individual, whereas third-party coverage extends to claims and legal action taken by customers or partners.
Coverage differs by provider, but common coverage areas include data breaches, identity theft, and personal data theft. There are also the hefty legal fees, fines, and costs associated with recovering compromised data, repairing systems, restoring the personal identities of affected customers, and notifying customers of breaches. Coverage may also extend to scenarios like business interruption, extortion, or forensic investigation, meaning the costs associated with uncovering the cause and impact of an attack. The core idea behind cyber insurance is to help you recover from a data breach or identity theft by mitigating all the costs that crop up in the aftermath.
2. Business or Personal
It’s important to distinguish between cyber insurance policies aimed at individuals and those covering an entire company. Most providers cater more toward business policies, but a number also offer personal plans, which are primarily focused on identity theft coverage. This means factors like income protection and expense reimbursement associated with recovering your identity, restoring your credit history, and legal action against identity thieves. Other personal cyber insurance plans can extend to issues like computer virus coverage or physical computer damage.
For businesses, cyber insurance policies can get a lot more complicated. Plans range from those catering to small to midsize businesses (SMBs) to coverage for large corporations and enterprises. Coverage starts with the data you collect and store on customers, be it credit card or bank account numbers, Social Security or driver’s license numbers, or simply addresses and phone numbers. A basic coverage plan for a smaller business might cover breach notifications, credit and fraud monitoring services, the costs associated with hiring a PR firm, and the cost of restoring and recreating data.
Corporate cyber liability plans have heavier-duty coverage. Beyond risk management for data loss mitigation and prevention, incident response, and third-party legal and regulatory costs, these policies need to scale. This is particularly important when it comes to data breach notifications in the wake of scandals like Uber’s 2016 breach, which it waited a year to disclose. This led the US Senate to introduce the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days. The requirements are even more stringent for businesses operating in Europe, where the General Data Protection Regulation (GDPR) going into effect this year requires customer notification within 72 hours.
3. How to Get Coverage
There’s a laundry list of cyber insurance plans out there offered by traditional providers and security-specific companies. Here’s a breakdown of some of the most popular plans and providers out there, and what the liability coverage entails:
- ABA Insurance: First- and third-party coverage protecting businesses from computer, network, and internet-based risks.
- AIG: According to credit rating agency Fitch’s latest “Cyber Insurance Market Share and Performance” report, insurance giant AIG is one of the top three cyber insurers on the market. AIG offers a number of different cyber insurance plans including personal identity coverage and its CyberEdge plan for businesses covering first- and third-party recovery, loss prevention, extortion, and more. There’s also a CyberEdge Plus plan that covers bodily injury or property damage associated with a cyberattack, as well as business interruption costs and product liability.
- AXIS Capital: Business cyber liability coverage including not only the basics—data breaches, extortion and loss, data recovery, third-party defense, etc.—but also factors such as intellectual property infringement, employee fraud, DDoS attacks, and introduction of malicious code into a company’s system.
- BCS: BCS Insurance offers cyber and privacy loss protection plans through Blue Cross and Blue Shield for data and network breaches, data loss caused by an outsourcer or vendor, and third-party legal protection plus administrative features overseeing breach notifications and incident response.
- Chubb: Another top insurer according to Fitch, Chubb offers a wide array of cyber insurance products and services including loss mitigation and incident response, and customizable risk management policies covering privacy, network breaches, media, and claims related to errors and omissions.
- CNA: CNA’s NetProtect Cyber Liability insurance covers first- and third-party factors including network extortion, business interruption expenses, electronic theft, and liability pertaining to media, privacy, network security, and breach notification laws and defense.
- Data Breach Insurance: This provider’s CyberCruiseControl process encompasses cyber threat identification, protection, control, and a number of insurance policies such as breach, cybercrime, and intellectual property insurance.
- Insureon: Small business insurer Insureon offers a wide array of cyber liability insurance covering both first-party response and third-party defense.
- Liberty Mutual: Offers identity fraud expense coverage as well as data theft and cyber coverage add-ons to its general liability insurance for business owners.
- Nationwide: Nationwide offers three cyber insurance plans: data compromise protection, identity theft protection, and its CyberOne protection plan. CyberOne covers full data restoration and recreation, lost business expenses, plus data breach notifications and damaged system repairs.
- RSA Broker: Not to be confused with the security conference, RSA Broker offers a cyber risk policy covering 24/7 incident response, IT forensics, PR and legal advice, defense costs and penalties, extortion, business interruption, and data loss and liability for businesses.
- Travelers: Travelers Insurance offers a number of different plans and related services. The plans include a CyberEssentials package for SMBs, CyberFirst plans for tech companies and public entities, and CyberRisk plans for larger businesses. The insurer also has so-called “cyber coaches” plus an online academy and risk hub, and offers pre-breach services such as assessments and training through a partnership with Symantec.
- XL Group: XL’s cyber and technology insurance covers privacy and security liability, data breach response and crisis management, business interruption expenses, data recovery costs, cyber extortion, and any fines and penalties from legal or regulatory action.
4. Buying Factors to Consider
There are a host of factors to consider when buying a policy. Whether you go through a broker or buy direct from an insurance provider, cyber insurance is like any other coverage: there are plenty of hidden fees and conditions to be aware of before you lock yourself into a contract.
A good starting point is a cyber insurance buyers’ guide. It’s important to know when your coverage will trigger and when it won’t (for instance, most plans don’t cover terrorism-related cyberattacks), whether the plan suits your specific data risk and coverage needs, and what claims are excluded.
Insurers also go through a detailed underwriting process to evaluate the risk and potential exposure of customers. For businesses in particular, it’s important to do your due diligence beforehand and get your security ducks in a row. Does your company have a CISO? What security software and incident response systems do you have in place? What types of customer data are you collecting and how are you encrypting and protecting it? Cyber insurance premiums can get quite pricey, and will be even more expensive the more risk factors you have. Check out this cyber insurance premium calculator for a rough estimate depending on your business type and size, or you can request a quote from a provider directly.
5. Is It Worth It?
One key fact to remember is that cyber insurance is not a replacement for cybersecurity. It’s not a tech solution. Cyber insurance coverage is your personal or professional fail-safe for if and when a breach or cyberattack occurs, and you’re left with a mountain of costs to restore your business, deal with customer lawsuits, or reclaim your digital and financial identity.
You should still have a comprehensive suite of security tools in place, including antivirus and ransomware protection, as well as encryption software. Oh, and don’t forget about password managers and two-factor authentication (2FA) to protect against identity theft.
As for whether buying cyber insurance is worth it or not, it’s all about peace of mind. Do potentially high premiums for insurance you may not need offset the risk of having your identity stolen or your company’s infrastructure breached and data stolen? If you choose the right policy that protects exactly the coverage areas and attack vectors you need, it may be worth the money as cybersecurity incidents increase in frequency and severity across the web. At the same time, it’s worth asking whether insurers can even afford the skyrocketing risk. As breaches and identity thefts continue and providers are saddled with the cleanup costs, is cyber insurance yet another bubble waiting to burst?