Cyber insurance is intended to protect your business from internet-based risks and reimburse you for expenses incurred from experiencing a cyber incident. According to a recent Harvard Business Review study, ransomware attacks increased by 150% in 2020 and the average payout increased 82% between 2020 and 2021. Soberingly, current statistics indicate that 60% of small companies will close their doors within 6-months of a data breach or cyberattack. The need for cyber insurance is becoming increasingly clear for many small- to medium-sized businesses. It’s not a matter of if you’ll experience a cyber incident, it’s a matter of when.
At the same time, it’s becoming a very challenging market for insurance carriers. In August of 2021, cyber insurance provider American International Group Inc. announced that they would be offering reduced payouts and tighter terms and conditions to make a claim. In turn, as insurance renewals approach, you may be faced with major rate increases, higher deductibles, or the inability to renew altogether. This leaves you with one of two choices if you have not already proactively established a robust cybersecurity program: pay exorbitant premiums or leave your enterprise exposed.
We sat down with Mark Spaak, vCISO and senior manager of security solutions, and Paul Kennedy, vCISO and senior manager of IT Security Solutions, to discuss what is changing in the cyber insurance market and how business owners can prepare. Here’s what we learned:
- How much risk is left on the table? Depending on your industry, your cyber insurance needs will vary. Healthcare and financial organizations are among the industries seeing the highest cost per record during a data breach. According to IBM’s 2019 Ponemon study, the healthcare industry had an average cost per record of $429, the financial industry had an average cost per record of $210, and the average cost per record among all industries was $161. It’s important to understand the information in your possession, the length of time required to retain that information, and whether you’d face regulatory fines if a breach occurred. Manufacturers and similar organizations who have very little regulated data should still consider downtime costs related to a security breach as companies on average experience 23 days of downtime following a successful ransomware attack. If you’re unable to produce and ship your product for up to three weeks, those costs will add up quickly. Having a solid scope of your cybersecurity needs and preventative controls in place will leave less risk for the insurer to procure, and ultimately result in lower insurance costs for your organization.
- The insurers have become the regulators. Given the volatile environment of cybersecurity today, many insurers are adjusting their approach. You will likely be asked to fill out a three- to five-page attestation statement disclosing the current state of your security controls before you’ll even receive a quote. Furthermore, insurers may run their own vulnerability and penetration assessment of your organization. The controls you have in place and what the scans find could dramatically change the policy coverage and terms they’ll offer you. It’s important to do your own penetration testing or to team up with a partner IT firm to be prepared for these additional procedures.
- Plan, don’t predict. Whether you’re applying for cyber insurance or renewing, give yourself enough time to work through the process. For organizations renewing, start having conversations with your insurer at least 60 days prior to the renewal date. This will give you time to work through the added procedures that insurers are implementing and shop around the insurance market if needed.
If there is one takeaway, it’s to be prepared. Work with your IT team to ask these questions: What are my organizations risks and cyber insurance needs? What additional steps will my insurer require for me to obtain cyber insurance? How much time do I need to work with my insurer on my policy or to shop around the market for a new provider?
