
Level Up Your Cyber Knowledge: Inside the Evolving Cyber Insurance Market
The cyber insurance market is less volatile but continues to be an evolving segment of the insurance industry.
Cybersecurity coverage has quickly become an essential component of any company's liability insurance plan. As data breaches become more frequent and government fines get more severe, organizations have come to realize they need to fully protect themselves from the risk of a costly data breach.
Although cybersecurity continues to keep pace with advances in hacking technology, the cost of successful data breaches has been on the rise. According to IBM's 2022 Cost of a Data Breach report, the average cost of a data breach in 2022 was $4.35 million, a 12.7% increase since 2020.* So it's critical for organizations to increase both cybersecurity measures and total coverage.
While this seems straightforward, it's much harder to pin down the kinds of risks organizations are most exposed to, and how much coverage they'll actually need. Luckily, most insurance companies that work in the cybersecurity coverage field allow you to work with their agents to design custom-fit plans for an organization's unique needs.
Cost efficiency is the name of the game here — paying for too much coverage or not buying enough are both unpleasant outcomes.
"With the pressure from underwriters to raise their security standards, insured organizations will need to spend more on technology." — RPS U.S. Cyber Market Outlook
While there's much to consider when looking at cybersecurity coverage, we can group considerations into a few key categories: relative risk, organizational scale
Hackers go after all kinds of secure or valuable information. The field where your organization operates largely dictates the types of attacks you'll face.
For example, healthcare-based organizations face a very different set of cybersecurity threats than a tech company might. As a rule, the more personal information your company stores, the higher the risk.
Because most medical companies store vast quantities of extremely personal patient data, it's easy for a single data breach to compromise thousands of extremely important files. On the other hand, tech companies that provide internet services or provide server space for clients are extremely vulnerable to ransomware attacks that can take control of critical functions and hold them hostage.
It's important to understand and be honest about the types of risk your company or clients face when attempting to design an effective insurance plan. This type of big-picture thinking is usually done at the beginning of the process. The goal here is to avoid selling a client a type of coverage that might be best suited for an entirely different type of organization.
The size of the organization in question is essential in the process of deciding what kind of cybersecurity coverage the organization should use.
Cyberattacks get very expensive very quickly — globally, the cost per record of a data breach in 2022 was $164, according to the IBM report.* So it's important to make sure that the total cost of the event won't exceed the occurrence limit of the policy, which takes a good amount of investigation and effort. For example, when working with a small company, you need to take into account how many personal records are stored.
The scale of this roughly estimated cost will determine the amount of total coverage you need. Because most cybersecurity policies don't change on a day-to-day or week-to-week basis, it can be useful to give your company room to grow in your policy, so you only have to review it once a year.
Most small businesses that are exposed to this kind of risk opt for a policy that protects them from up to $1 million in total damages for each occurrence. While this seems like a lot, these attacks can easily cost at least that much per occurrence. The median cost of this type of plan is somewhere between $1,700 and $3,000 a year, making it quite affordable — especially considering the potential risks.
There are two main types of cybersecurity insurance, and it's important to have a basic idea of what they are before shopping around or talking with prospective clients. Knowing which types of insurance go best with which types of businesses helps make the process go smoothly.
While both types of coverage defend against data breaches, an organization's relationship with their clients or customers will determine which will work best.
First-party coverage primarily defends an organization against breaches that occur on its own systems or networks. In other words, first-party coverage only covers an attack that takes place on the organization's home soil.
This type of policy will help an organization stay within federal regulations governing response to cyberattacks or breaches, such as investigating the attack, paying ransomware-attack ransoms, contacting customers or individuals who have had their personal information stolen and contracting credit monitoring services for individuals who have been compromised. This type of policy is commonly used by organizations that deal firsthand with a large amount of user data.
Third-party coverage primarily protects your business against lawsuits filed by organizations you've contracted with that claim that your involvement with their company might have had something to do with the breach. Large companies often file lawsuits in the wake of a damaging data breach, naming all companies or parties that worked within a hacked system. Even if you had nothing to do with letting a hacker or bug into a system, you could still be liable.
Third-party cybersecurity insurance will help people pay for the costs of being grouped into such a lawsuit, often turning what could have been a major damaging event into not that big of a deal. These policies are often used by smaller organizations that don't personally store a lot of customer data, but work with multiple larger organizations that do.
Plenty of organizations would benefit from both types of insurance, but certainly not all need to carry both. That's why it's critical to understand the type of coverage each kind of organization will need as you begin constructing a plan for cost-effective cybersecurity insurance.
*"Cost of a Data Breach Report 2022," IBM Corporation, Jul 2022. PDF file.