Is cyber insurance necessary for my business?
Many businesses of all sizes and in most verticals (industries) are asking themselves if cyber insurance is something they need to get covered. Kosh Solutions, a managed service provider with cyber security expertise, breaks down a few fundamental points to keep in mind when weighing this decision. But deep down, if you're asking this question, you probably already know the answer!
Cyber insurance is as necessary as any property and liability insurance to protect the business from disaster. Fires happen far less frequently than cyber attacks and most businesses have fire insurance. Cyber insurance is a useful risk mitigation tool for any business.
There are a couple of principles that every business owner or decision maker should understand when considering cyber insurance:
Hackers aren’t targeting you, they’re targeting everybody.
Costs associated with a breach are difficult to predict.
Hackers are not specifically targeting your business
The majority of cyber-attacks are more akin to a virus that goes out searching indiscriminately for vulnerabilities than to a hyper-focused attack. Many business owners think, “Why would hackers attack me? I don’t have a big online presence or bags of money.” The thing to understand is that hackers are not attacking you, they’re attacking everybody! This is why, according to Verizon’s 2021 Data Breach Investigations Report, 61% of all Small and Medium Businesses reported at least one cyber attack during the previous year!
However, there are certain geographies and business verticals that get hit more frequently. California’s healthcare industry accounted for 12% of all U.S. ransomware attacks (hhs.gov).
The fact that hackers are just spraying attacks at an ever-increasing rate means it’s not if, it’s when you get hit.
What is the cost of a cyber-attack?
According to Nickie Tran, President of IQ Risk Insurance Services, the number one concern of businesses considering cyber insurance is the cost. Since this is a major concern, it’s a good idea to explain what goes into the costs of cyber insurance.
In general, the cost of the insurance reflects the potential costs (risk exposure) to the insurer. There are two types of costs that affect your business in the event of a cyber-attack:
the direct cost to your business and
third-party costs that come back to you.
Examples of direct costs:
Cost for forensic and cyber security services: this is to clean and secure your system and determine what caused the breach.
Legal representation: these are the lawyers that usually quarterback your response to the breach.
Business interruption: this is the cost of downtime - lost revenue.
Reputational damage: this can cause large customer turnover among other consequences.
Data loss/recovery: the cost of having IT professionals try to recover your files from backups, or of rebuilding the data manually.
Examples of third-party costs:
Legal defense for non-justified third parties filing claims against you: these are parties that are wrongfully claiming to have been injured due to your data breach.
Reputational damage of a third-party: these parties claim they have experienced reputational damage due to your data breach.
Data privacy fines: these are levied by government entities.
According to a 2021 study done by Hiscox Insurance, companies were paying a very wide range for each cyber-attack.
95th Percentile Cost
It’s important to note that while the median cost looks “manageable”, by definition, half of the businesses had to pay more than that median cost. It’s also interesting that the larger organizations, those in the 50-249 employee range, paid less per cyber-attack than companies with 10-49 employees. This can be attributed in part to better IT resources that were able to mitigate and respond to the cyber-attack.
The costs can be difficult to quantify, but rest assured it’s not cheap! In the same study, 17% of companies said, “the impact was serious enough to ‘materially threaten the solvency or viability of the company.’”
When is cyber insurance not necessary?
There are a few instances where cyber insurance may not be necessary, but they are becoming few and far between. In order to not recommend cyber insurance, a business would have to meet the following requirements:
No online banking of any sort
Does not process payments online
Does not collect any customer data in a digital format
Basically, if you only deal in cash and never touch a computer, you can probably forgo cyber insurance. For better or for worse, modern business and life are dependent on technology. There’s no getting away from the need for cyber insurance.
Does your company need cyber insurance?
Nickie Tran, based out of Orange County, says,
“All businesses. Small or larger. Should have insurance. Small businesses are easy targets since they typically have less security in place than larger businesses.”
She goes on to lay out 4 common misconceptions about cyber insurance:
Small businesses don’t get targeted by cybercriminals – they are very much targets whether directly or indirectly.
“I have P&C insurance, so I’m covered.” – Property and Casualty policies do not automatically cover cyber events.
“Cyber insurance never pays claims.” – Cyber insurance pays claims, but this is where having a trusted IT professional and insurance broker on your side can help you understand how to meet the requirements of your policy.
“I don’t need to buy cyber insurance because my digital infrastructure is in the cloud.” – Just flat out wrong. If you think this, then you need to speak with a cyber security professional.
Based on our extensive experience, we have put together a few materials that have helped our customers navigate the business decision to add or pass on cyber insurance.
Answer the following 3 questions honestly (don’t worry, it’s not a test!):
Does your organization have local and remote backups?
Does your organization use Multi-Factor Authentication (MFA)?
Do you offer regular cyber security training for all employees?
If you answered “no” or “I’m not sure” to any of those three questions, you should begin a conversation with an IT professional about cyber security and cyber insurance today.
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.