As IT Service Providers, we work with clients to make it as hard as possible for threat actors to attack them. However, we are very clear that there is no 100% guarantee that a business will not be a victim of an attack. All it takes is a click on a malicious link, a missed patch, or an open port that was forgotten. Our best recommendation to our clients is to assume that there will be a breach and have a strategy that includes prevention, detection, and response.
For this article, we will focus on one of the areas that is very important to responding to a cyber event but that many businesses may not think about or understand.
Why do businesses need cybersecurity insurance?
We want to preface the following information by stating that we are not insurance experts, brokers or resellers. As IT Providers, we are often asked to help our clients respond to insurance questionnaires and to improve their security postures in support of their applications for cybersecurity insurance. In doing so, we thought we could share some things we have learned that may be of use to SMBs.
The biggest reason businesses need cyber insurance is to cover the expenses of a breach. At first glance, most businesses will think of the cost of a ransomware payment, for example. But there is much more to consider when it comes to responding to and recovering from an attack, and businesses need to be prepared for it. Here is a list of some of the expenses related to a breach:
- Public relations
- Forensic investigation
- Notification to affected clients, partners, employees etc.
- Identity theft restoration
- Reputation management
- Getting the business operational
- Credit monitoring
Cyber insurance can include not only breach recovery costs such as the ones mentioned above, which are known as first-party coverage, but also the costs of, and potential damages from, lawsuits, whether they are class actions or brought by organizations with which you do business. This is known as third-party liability.
Cyber criminals do not discriminate based on size of business. If they can find your network, they can attack. For this reason, every business, no matter what size, needs to be prepared and look at cyber insurance.
Every business is unique and has different data which entails different risk. The number of clients a business has, the data that is collected from these clients and the sensitivity of the data collected are all factors that influence the risk levels of the business. The risk level will influence the requirements from insurers as well as the type of cyber insurance coverage and premiums businesses can apply for.
We are all a little tired of hearing about the COVID-19 pandemic and how it has changed everything. However, the fact is that it has. The work from home movement, in particular, has increased the number of attack vectors which has led to increased ransomware incidents and an increase in the amount of ransom dollars requested. One cyber insurance provider reported that in the first half of 2021, the average ransom demand made to its clients was $1.2M.
The security controls that are in place, or that are lacking, will have a direct effect on the pricing of cyber insurance policies. Different underwriters may look for different controls, but examples include multifactor authentication (MFA), data encryption, password management, and next-generation anti-virus (EDR), to name a few.
With the skyrocketing number of cyber claims over the last several years, insurance companies are becoming much more stringent about the security controls they require before a business can obtain or renew cyber insurance. MFA and employee cybersecurity awareness training and testing programs are two security controls that we see often. The requirements are still a moving target as insurance companies become much more educated and as cybercriminals become even more sophisticated, so it's important to make sure the business has the baseline controls and stays current on what the insurance companies are requiring.
Cyber insurance and security controls are not cheap. However, when you consider the costs of a breach, which at best could leave a business inoperable for a period of time, resulting in financial losses, and at worst could bankrupt a business, the investment is worth the money. Again, all businesses should assume a breach and be prepared.
Cybersecurity insurance is evolving, almost as quickly as the cybersecurity landscape itself. It is important that businesses understand the changes and how they can impact their cyber policy. We recommend speaking with an experienced cyber insurance broker or insurance provider who can work with you to provide the right cyber policy for your business needs.
Once again, MicroAge is not an insurance expert. We can, however, help you improve your security posture. Contact us today.