The likelihood of your business suffering a cybersecurity attack increases daily. Cyber criminals are getting smarter, innovating faster, and attacking more viciously. A cyberattack could result in your data being held for ransom, stolen, resold over and over, or even posted publicly, all with the goal of getting you to pay a steep ransom. Even worse, paying the ransom (which the FBI recommends against) does not guarantee that the attackers will not return for a repeat attack. And on top of all that, an attack could subject you to huge fines and even criminal penalties. To protect yourself, you not only need to install proper cybersecurity hardware, software, policies and staff, you need a good -- actually a GREAT -- cybersecurity insurance policy. But the costs of getting covered are increasing, the qualifications for a cybersecurity insurance policy are becoming stricter, and the benefits and payouts of policies are decreasing.
What is Cybersecurity Insurance
A Cybersecurity Insurance Policy, also called a CyberInsurance Policy, is a specialized type of business liability insurance that provides coverage to an organization in the event of data breaches, hacks, ransomware and other cyber attacks. These attacks and events can damage your business in many ways, including…
- Data Exfiltration -- copying or moving your data off of your network and to other systems, where it will likely be used to commit further crimes. For example, customer data can be stolen and then used for massive identity theft crimes.
- Data Theft -- including intellectual property.
- Ransomware -- a type of malware that causes your data and/or your software to become encrypted in such a way that it becomes unusable. The criminals will hold your data hostage and sell you a decryption key which is supposed to allow you to recover your data. Unfortunately, sometimes decryption keys are not sent or do not work.
- Phishing -- Phishing is a method of delivering ransomware and other types of malware, as well as a method of stealing login credentials for valuable company resources, including HR systems, bank accounts, email accounts, email servers, workstations, network servers and more.
- Remote Control -- Software can be installed on your computers to give outsiders complete control over individual computers or entire networks.
What Does Cybersecurity Insurance Cover?
Cybersecurity insurance can cover some or all of the damage caused by these and similar attacks, depending on the policy and the circumstances, possibly including items such as:
- Repairing damaged networks or computer systems.
- Restoring or rebuilding lost data.
- Notifying those affected by breaches.
- Helping to protect the identities and credit of third parties whose information was breached or compromised.
- Credit Monitoring and Identity Restoration for affected parties.
- Liability to the affected third parties.
- Public relations expertise for reputation management.
- In some cases, cybersecurity insurance may also cover the ransom required to recover data.
“Not all policies are created equal,” says Santa Clarita business insurance broker Jon Gardner. “I would recommend that anyone purchasing cybersecurity insurance look beyond the price and review each line of coverage with their broker and their cybersecurity professional to determine what is and what is not covered. The lowest cost policy may not provide all the coverage that is needed.”
Is Cybersecurity Insurance Only Available To Large Companies?
Many people assume that cybersecurity insurance policies are only available for medium and large companies. However, small businesses are also targets of cyber-crime, especially since they often do not have the level of security needed to prevent such an attack. According to Verizon's 2020 Data Breach Investigations Report, 43% of cyberattacks targeted small businesses.
That means small businesses need coverage, too. It’s part of any good cybersecurity plan.
Does My General Business Liability Policy Cover Cybersecurity Issues?
You may be wondering whether your general business liability insurance covers these things, and the answer is generally no. Since these are new and unique risks that businesses face, they are generally specifically excluded from general business insurance coverage.
But Cybersecurity insurance doesn’t cover all expenses related to cyber attacks. These policies are unlikely to cover the following:
- Downtime that results from an attack
- Business interruption
- Hardware and software upgrades
- Lost reputation
- Government Fines and Penalties
- Indirect costs, such as losses that result from the theft of company secrets
- Business Email Compromise (BEC)
That last item -- Business Email Compromise -- may be a surprise to you. BEC is where fraudulent emails are sent to colleagues asking for access to certain resources, including online resources and financial accounts. The result can be loss of data, copying of proprietary company information, or wire transfers to offshore accounts. Despite the severity and high costs of these attacks, they are usually not covered by cybersecurity insurance policies.
Cybersecurity Insurance in 2021
According to CSOonline.com, cybersecurity insurance is getting more expensive, harder to get, and it’s covering less and less. That’s because of several trends, including the rise in the incidence of cyberthreats, the severity of cyberthreats, and the availability of methods to prevent attacks from being successful.
Cyber Threats Increase
As we have reported many times in this column, the incidence and risk of cyber attacks are increasing continually. The FBI reported that cybercrime was up in 2020. The rise included a 5% increase in Business Email Compromise (up to 1.8 Billion dollars in damage), a 20% increase in Ransomware attacks, and a doubling of Phishing attacks -- with California leading the country in both the number of Cybersecurity incidents and the total amount of damages.
Severity of Cyber Attacks Increases
The CSOonline article goes on to say that the potential damage caused by breaches can increase. “These notably manifested in the growth of multi-extortion attacks, whereby cybercriminals not only encrypt an organization’s data and hold it for ransom, but also copy and threaten to release (the data) to the public, thus raising the stakes.”
The severity of the attacks has the effect of increasing the ransom demanded by the attackers.
Cyber Attacks Are (mostly) Preventable
The irony is that organizations don’t do all they can do to protect themselves. As we wrote in April 2021, cybersecurity is not taken as seriously as it should be. While no one can absolutely guarantee that an organization won’t suffer a cyber attack (as evidenced by recent hacks of branches of the US Treasury Department and the United Nations), many organizations think that installing off-the-shelf antivirus software will keep their businesses safe.
So while doing nothing can be expensive, doing a great deal more doesn’t cost as much as you might think. In our article about how much should good cybersecurity cost, we wrote about how cybersecurity can cost anywhere from 4% of total revenue down to a small fraction of a percent of revenue for larger companies.
Applying for Cybersecurity Insurance Gets Tougher
Insurance companies are cracking down on qualifications to secure coverage. Gone are the days when a cleared check was all that was needed to qualify for a multi-million dollar policy. Insurance companies are now surveying (in detail) their prospective clients about their cybersecurity configurations, policies and technologies -- a technical third degree.
A recent cybersecurity application sent to us by a client seeking new cybersecurity insurance coverage included such questions as:
- Have you implemented any of the following to protect against phishing messages: SPF, DKIM, DMARC?
- Do you enforce Multi-Factor Authentication (MFA) for email?
- Do you use MFA for cloud provider services (AWS, Azure, Google Cloud)?
- Do you use Endpoint Detection and Response Tools?
- Do you actively monitor all administrator access for unusual behavior patterns? If “Yes”, What is the name of your Monitoring Tool?
- How frequently do you install critical and high severity patches across your enterprise?
- Do you use endpoint application isolation and containment technology on all endpoints?
- Do you use a Security Operations Center (SOC)?
- Do you use a Security Information and Event Management (SIEM) System?
The list goes on. And if you are a regular reader of this column, you will recognize all of the technologies mentioned as ones that Digital Uppercut has been writing about for the last 3 years, and recommending to our clients for far longer.
How We Help Clients Apply For Cybersecurity Insurance
Applying for cybersecurity insurance can be difficult, if not confusing and frustrating. That’s why one of the services we provide to our clients is to fill out cybersecurity surveys like the one referenced above. We’ll explain the questions on the application, answer the questions as appropriate, and recommend improvements to their cybersecurity that make the application more likely to be accepted.
And since the cybersecurity insurance companies are looking to reduce their risk when they issue you a policy, that means that your risk of becoming a victim of a cyber attack can be reduced as well.
Call Digital Uppercut
If you don’t have cybersecurity insurance yet, it’s time to get it NOW, before something bad happens. If you have a policy now and would like to keep premiums down, let us help by examining and improving your current cybersecurity configuration. And if all you have are questions, that’s OK, too. Just use the online contact form or call us at 818-913-1335.