How to Buy Cyber Insurance?

Updated: Sep 6

Many customers are asking, “Where can I buy cyber insurance?” or “Is there insurance for cyber attacks?” which shows there are a lot of questions about cybersecurity insurance. To provide some answers, we asked insurance brokers from New Mexico and Orange County to show us what the process for purchasing cyber insurance looks like. Though cyber insurance is not as standardized as car insurance, the process of buying is pretty familiar.


There are 3 steps when purchasing cyber insurance: 1) work with an IT security professional and insurance broker to help determine the amount of coverage needed, 2) have your insurance broker obtain at least 3 quotes, and 3) have an IT professional determine that your technology meets the requirements of your policy.


We highlight some important things to keep in mind while you go through each step in this process below.

 


 

Prerequisite

Nickie Tran, President of IQ Risk Insurance Services, says the very first thing a company needs to do is complete a cyber liability application. This acts as a mini risk assessment of the security you have in place and sets the groundwork for the next steps.


Step 1 - Determine How Much Coverage You Need

Some people ask if cyber liability insurance is for small businesses too, and the answer is yes! The real question is how much coverage do you need? There are two areas to consider when determining how much coverage you should get: 1) first-party (direct) costs and 2) third-party costs. Let’s start with the first-party costs.


First-party costs you could incur should you be attacked and breached:

  • The cost of hiring IT Security Professionals – these experts will probably need to do the following:

      ◦ Basic forensics to determine how your network was breached

      ◦ Clean your system to make sure you are not still infected

      ◦ Aid in recovering data that may have been lost or compromised

  • You may need to purchase new technology hardware, software, or services to prevent another attack

According to Kosh’s in-house security team, cleaning up after a cyber attack can take anywhere from 1 day to 2 weeks depending on the severity of the attack, the initial setup of the technology, and the industry. At a rate of at least $150 per hour, that works out to $1,200 to $12,000 just for the IT cleanup.

  • The cost of downtime is typically one of the largest expenses of a breach. In the Hiscox study, they found that 19% of businesses that were breached lost customers and almost 18% said they had great difficulty attracting new customers (pg 10 Hiscox Cyber Readiness Report 2021).

  • How much would it cost your company to be down per day?

  • Reputational cost

  • Lost opportunities

  • Customer churn

  • Fines

      ◦ Fines from government agencies (usually for data leaks of personal data)

      ◦ Equifax had to pay over $575 million in fines


Third-party costs you could incur might include:

  • Being sued for damages due to a data leak

      ◦ Ex. You leaked someone’s username and password they used to log into your site. Those credentials were then used by cyber criminals to access that person’s bank account and make fraudulent purchases.

  • Being sued for damages because your system infected another system

      ◦ Ex. Your employee clicked on a phishing email that released a virus on your network. That virus then traveled through your company’s email list and infected other companies.

  • Legal costs

      ◦ Representation for these third-party claims

      ◦ Representation during negotiations with the cybercriminal

It’s pretty tricky to determine how much these first-party and third-party costs might be in the event of a breach, but it’s good to know what liabilities you have out there. If you’re in a highly regulated industry like healthcare or financials, then fines and third-party costs can really add up quickly. But even if you just have an email list and a website, significant costs are floating around.


 

Here is a free calculator that can help you ballpark the amount of cyber liability coverage you need.


 

Though determining these potential costs for your specific company is important, we do have some average costs we can look at for guidance.


The range of costs per attack varies widely – from tens of thousands to millions. Here is some data from Hiscox Insurance and IBM that shows just how hard it is to calculate these costs.


This chart shows a couple of cost estimates per cyber-attack per employee for companies of different sizes.

| Number of Employees | 10-49 | 50-249 | 250-999 | 1,000-5,000 | 5,000-25,000 |
|---|---|---|---|---|---|
| Hiscox Study Median | $400 | $67 | $28 | $24 | $20 |
| Hiscox Study 95th Percentile | $9,500 | $793 | $611 | $462 | $355 |
| IBM Study Average | no data | $5,960 | $3,506 | $1,363 | $355 |

How much are cyber insurance premiums?

As a rough guide, you can expect your annual premiums to be 0.1-0.5% of the amount covered. So, for $1 million in coverage expect to pay around $1,000 to $5,000 per year with a deductible ranging from $10,000 to $50,000.


Step 2 – Receive and Review Quotes

Once you have determined a dollar amount range that you would like covered, it’s time to get some quotes. There are many cyber insurance companies to choose from so this is where your insurance broker comes in. Your broker can reach out to their network and get quotes for you.


When reviewing quotes, Nickie Tran, a cyber insurance broker, says that one of the many benefits of working with a broker and IT company is that the policies being quoted have already been tailored. She says, “We work together with the business and IT security professionals to determine what kind of coverage is best and get quotes that meet those needs.”


Step 3 – Get Technology and Security Requirements in Place

Now that you have selected your policy, it’s time to make sure your technology meets the standards and expectations laid out in your cyber insurance policy. Typically, this requires you to work with your IT provider to put in place a wide range of technical safety measures, security documentation and training, and internal security practices.


To help guide you in implementing this step, Kosh has put together a useful PDF checklist of typical items cyber insurance policies require.



Use this checklist as a generic guide, but always defer to the official requirements of your insurance provider. Here is an article we wrote specifically on Cyber Insurance Requirements: https://www.koshsolutions.com/post/what-are-the-requirements-for-cyber-insurance


Can companies add cyber insurance to their property insurance?

According to Nickie Tran, some policies allow the insured to add on a Data Breach Endorsement. But she cautions that Data Breach Endorsements only cover data breaches, period. They do not cover the many other types of cyber incidents such as ransomware, cybercrime, and fraudulent transfers. Endorsements are typically sub-limited – as low as $50k or $100k for a Data Breach Endorsement on a Business Owner Policy (BOP), which is insufficient to cover most incidents.


 

Disclaimer

The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.