- Many companies don't have cyber insurance because of costs, but the market is growing.
- Cyber insurance can help companies recover financially from cyberattacks and data breaches.
- This story is part of "Security Playbook," a series detailing cybersecurity advice and strategies.
Cyberattacks happen every day, and any company that relies on technology to conduct business is at risk. But one way leaders can minimize the impact of losses from a cybersecurity incident is by getting cyber insurance.
"All companies can benefit from having cyber insurance," said Shruti Engstrom, the senior vice president of errors and omissions/cyber at the risk-mitigation company Aon. "This is a risk that's here to stay."
Cyber insurance helps organizations recover the costs of a cybersecurity incident, the global average of which IBM estimates is about $4.9 million. Engstrom told Business Insider that these expenses might include shutting down production lines, computer systems, or other operations, as well as the fallout of customer information being released.
"If something bad happens — there's a data breach or ransomware attack — and it costs you a lot of money, you have coverage to help with that," Josephine Wolff, an associate professor of cybersecurity policy at Tufts University, said.
The cyber-insurance market is growing, Wolff said, but many companies still lack coverage. Here's what business leaders should know about cyber insurance.
The benefits of cyber insurance
Cyber insurance can minimize the financial blow of a cyberattack, but it's not just about the money, said Stephen Boyer, a cofounder and the chief innovation officer at Bitsight, a cyber-risk-management company. Insurance also gives companies access to incident-response expertise, such as cybersecurity tools, legal assistance, and ransomware negotiation.
"If a company experiences a cybersecurity incident and has insurance, it can tap into a world of expertise that it may not otherwise know existed," Engstrom said.
Cyber insurance is available as a stand-alone policy or incorporated into other business coverage. When a company purchases the insurance, it undergoes an application and underwriting process, which helps leaders assess the health of their cybersecurity measures and ability to protect their firm from bad actors, Engstrom said.
A better understanding of a company's risk is an important benefit of cyber insurance, Boyer said. But not enough companies, especially smaller ones, are getting the insurance, he added.
One reason is the cost: The Cyber Readiness Institute estimates that cyber insurance can cost businesses $500 to $5,000 a year. But cyberattacks can be much more costly to an organization's bottom line and its reputation, Boyer said.
What cyber insurance does and doesn't cover
Many policies offer first- and third-party coverage, and most companies need both, Engstrom said.
While all policies are different, first-party insurance typically covers losses incurred because of a cyberattack. According to the Federal Trade Commission, it can also cover costs such as legal counsel, forensic-investigation services, recovery of stolen data, communication with customers, fees and penalties to regulatory bodies, crisis management, public relations, and lost income.
Some policies also cover ransomware negotiation and payments to hackers. However, Wolff said this is a controversial aspect of cyber insurance, as many believe it incentivizes criminals to continue launching attacks.
Engstrom said third-party insurance covers legal fees and settlement costs when a customer, a vendor, or another third party seeks legal damages as a result of a cybersecurity incident.
"Companies that are at risk of a cybersecurity incident are almost always at risk of a related third-party conflict," she added.
Boyer told BI that cyber insurance usually doesn't cover losses related to intellectual property or preexisting cybersecurity incidents. Acts of war or attacks related to terrorism, which typically affect high-level companies and organizations, are also not covered, Wolff said.
Additionally, according to IBM, attacks caused by network failures, negligent or malicious employees, or social engineering, such as phishing scams, might not be covered.
Engstrom said the policies also typically don't cover the cost of hiring more security or IT staff or upgrading cybersecurity systems to prevent attacks.
"Many don't realize that these long-term structural and preventative improvements are not covered under most cybersecurity-insurance policies," she added.
What to look for in a cyber-insurance policy
Policies differ depending on the insurer, Wolff said, and companies can sometimes negotiate their coverage. So it's crucial to ask a lot of questions before signing on.
"One really important thing to go through with your carrier is the specific exclusions in your policy," she added. "The more you can get into the specifics of that, the less likely you are to be taken by surprise when you're trying to file a claim."
Basically, make sure the policy adequately covers your level of risk, Engstrom said.
Wolff suggested discussing how pricing is determined and which cybersecurity measures insurers require companies to have — some might offer lower pricing for companies with upgraded cybersecurity infrastructure.
Some insurance companies also offer training or support to educate an organization's staff on cybersecurity best practices, Engstrom added.
She said to also find out about the claims process: "If a company experiences a cybersecurity incident, they must understand how their insurer steps in and what kind of support is provided. Leaders need to know that their insurance company is there for them every step of the way."
Ultimately, companies should understand their cyber risks and know what protection they need when purchasing insurance, Boyer said.
"What are you trying to protect, and what's the risk transfer?" he said. "It obviously depends on your business — some businesses are just more exposed to this sort of risk and could really have some sort of payout."
