There are over 33 million small or medium-sized businesses (SMBs) in the U.S. – making up over 99% of all U.S. companies – and recovering from a cyberattack can be costly to these businesses.
Proactively investing in cyber insurance can help protect your business from higher costs related to losses from a cyberattack. Downtime due to a ransomware attack, for example, is 22 days. As this is over half a month, an easy way to understand the cost of disruption to operations is to cut monthly revenue in half or even by three-fourths. That is before the other costs related to recovery, notification, reputational damage, and more.
If you are an SMB exploring cyber insurance for the first time, or perhaps you want to ensure that your current policy meets your needs, here is some information that could help when it comes to making decisions about cyber insurance.
First and foremost, you want to be sure you have the right stakeholders involved. This includes personnel with appropriate knowledge who can accurately complete information for insurance applications and underwriting.
Often, organizations will have one individual, who may not have full knowledge of information security and technology controls, frameworks, current gaps, etc., fill out the insurance form. This may lead to inaccurate information being shared with carriers and, when it comes time to use the coverage, it may be void.
If you look at the Marriott breach, which occurred in 2018, it has since been determined that although the hotel chain claimed the data was encrypted, that was not the case. Investigators are now trying to establish whether Marriott made material misrepresentations to the underwriters to obtain coverage, which would violate its contract with the carrier. This could be a $28 million and counting mistake (the amount the hotel chain has reported in related expenses since March 2019) if they are found guilty.
The Federal Trade Commission (FTC) and the National Association of Insurance Commissioners (NAIC) developed some general tips to consider when obtaining or renewing insurance coverage.
1) Types of incidents:
Make sure your policy includes coverage for:
- Data breaches
- Cyberattacks on your network and against the vendors and third parties that may be holding your data
- Terrorist attacks
- Breaches or attacks that happen anywhere in the world, if applicable for where you are doing business or storing, processing, or transmitting data
2) Type of coverage:
Another consideration is first-party coverage and third-party coverage and whether you need both.
- First-party coverage protects your data, such as employee and customer information. This coverage typically includes business costs related to lost revenue, recovery efforts, notification efforts, legal counsel, forensic services, public relations, and more.
- Third-party coverage helps protect your business from liability if another entity brings a claim against you. This coverage would help with payments to customers affected, litigation, claims, accounting costs, and more.
3) Coverage vs. limits:
Many people think if they have a $1 million policy, it covers any and all events up to that amount; however, oftentimes this is the aggregate limit and there are many sub-limits you may be held to, causing issues for companies (e.g., social engineering attacks may be capped at a much smaller portion of the overall policy amount).
4) Legal Support:
It is also important to understand whether your insurance provider will defend you in a lawsuit or regulatory investigation, whether the policy provides coverage beyond what other insurance plans you may have already provide, and whether they offer a 24/7/365 breach hotline.
Remember that each business has different needs depending on size, industry, data types, and other factors. While this general information can help guide you, please work directly with your insurance provider and industry experts to ensure your policy is the best fit for your company and its associated risk.