Many customers are asking, “Where can I buy cyber insurance?” or “Is there insurance for cyber attacks?” which shows there are a lot of questions about cybersecurity insurance. To provide some answers, we asked insurance brokers from New Mexico and Orange County to show us what the process for purchasing cyber insurance looks like. Though cyber insurance is not as standardized as car insurance, the process of buying is pretty familiar.
There are three steps to purchasing cyber insurance: 1) work with an IT security professional and insurance broker to help determine the amount of coverage needed, 2) have your insurance broker obtain at least 3 quotes, and 3) have an IT professional determine that your technology meets the requirements of your policy.
Below, we highlight some important things to keep in mind as you go through each step in this process.
Nickie Tran, President of IQ Risk Insurance Services, says the very first thing a company needs to do is complete a cyber liability application. This acts as a mini risk assessment of the security you have in place and sets the groundwork for the next steps.
Step 1 - Determine How Much Coverage You Need
Some people ask if cyber liability insurance is for small businesses too, and the answer is yes! The real question is how much coverage do you need? There are two areas to consider when determining how much coverage you should get: 1) first-party (direct) costs and 2) third-party costs. Let’s start with the first-party costs.
First-party costs you could incur should you be attacked and breached:
- The cost of hiring IT security professionals – these experts will probably need to do the following:
  - Basic forensics to determine how your network was breached
  - Clean your system to make sure you are not still infected
  - Aid in recovering data that may have been lost or compromised
- You may need to purchase new technology hardware, software, or services to prevent another attack
According to Kosh’s in-house security team, cleaning up after a cyber attack can take anywhere from 1 day to 2 weeks depending on the severity of the attack, the initial setup of the technology, and the industry. At a rate of at least $150 per hour that works out to $1,200 to $12,000 just for the IT cleanup.
- The cost of downtime is typically one of the largest expenses of a breach. The Hiscox study found that 19% of businesses that were breached lost customers and almost 18% said they had great difficulty attracting new customers (Hiscox Cyber Readiness Report 2021, p. 10).
  - How much would it cost your company to be down per day?
- Fines from government agencies (usually for data leaks of personal data)
  - Equifax had to pay over $575 million in fines
Third-party costs you could incur might include:
- Being sued for damages due to a data leak
  - Ex. You leaked someone’s username and password they used to log into your site. Those credentials were then used by cyber criminals to access that person’s bank account and make fraudulent purchases.
- Being sued for damages because your system infected another system
  - Ex. Your employee clicked on a phishing email that released a virus on your network. That virus then traveled through your company’s email list and infected other companies.
- Representation for these third-party claims
- Representation during negotiations with the cybercriminal
It’s pretty tricky to determine how much these first-party and third-party costs might be in the event of a breach, but it’s good to know what liabilities you have. If you’re in a highly regulated industry like healthcare or finance, then fines and third-party costs can add up quickly. But even if you just have an email list and a website, you could still face significant costs.
Here is a free calculator that can help you ballpark the amount of cyber liability coverage you need.
Though determining these potential costs for your specific company is important, we do have some average costs we can look at for guidance.
The range of costs per attack varies widely – from tens of thousands to millions. Here is some data from Hiscox Insurance and IBM that shows just how hard it is to calculate these costs.
This chart shows a couple of cost estimates per cyber-attack per employee for companies of different sizes.
[Chart columns: Number of Employees | Hiscox Study Median | Hiscox Study 95th Percentile | IBM Study Average]
How much are cyber insurance premiums?
As a rough guide, you can expect your annual premiums to be 0.1-0.5% of the amount covered. So, for $1 million in coverage expect to pay around $1,000 to $5,000 per year with a deductible ranging from $10,000 to $50,000.
Step 2 – Receive and Review Quotes
Once you have determined a dollar amount range that you would like covered, it’s time to get some quotes. There are many cyber insurance companies to choose from so this is where your insurance broker comes in. Your broker can reach out to their network and get quotes for you.
When reviewing quotes, Nickie Tran, a cyber insurance broker, says that one of the many benefits of working with a broker and IT company is that the policies being quoted have already been tailored. She says, “We work together with the business and IT security professionals to determine what kind of coverage is best and get quotes that meet those needs.”
Step 3 – Get Technology and Security Requirements in Place
Now that you have selected your policy, it’s time to make sure your technology meets the standards and expectations laid out in your cyber insurance policy. Typically, this requires you to work with your IT provider to put in place a wide range of technical safety measures, security documentation and training, and internal security practices.
To help guide you in implementing this step, Kosh has put together a useful PDF checklist of typical items cyber insurance policies require.
Use this checklist as a generic guide, but always defer to the official requirements of your insurance provider. Here is an article we wrote specifically on Cyber Insurance Requirements: https://www.koshsolutions.com/post/what-are-the-requirements-for-cyber-insurance
Can companies add cyber insurance to their property insurance?
According to Nickie Tran, some policies allow the insured to add on a Data Breach Endorsement. But she cautions that Data Breach Endorsements only cover data breaches, period. They do not cover the many other types of cyber incidents such as ransomware, cybercrime, and fraudulent transfers. Endorsements are typically sub-limited – as low as $50k or $100k for a Data Breach Endorsement on a Business Owner Policy (BOP), which is insufficient to cover most incidents.
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.