Statistics show that the fallout from successful cybersecurity incidents has both financial and business-related consequences. A data breach costs the average enterprises approximately $60,000, and in extreme situations, small and medium-sized businesses may go out of business within 6 months from the date the incident occurred. Thus, to determine whether the financial cost of successful hacking attempts, businesses have turned to insurance to deal with extensive losses.
Today, cyber insurance or cyber-liability insurance is popular among enterprises with online operations. Cyber insurance is defined as insurance policies a business takes to protect itself from the fallout of a successful hacking or cybersecurity incident. The policy is a contract between the enterprise and an insurer providing financial security against cyber-related incidents. The insurance policy ensures a business receives the financial support it requires to successfully apply mitigation techniques to deal with network and IT infrastructure security incidents.
"Organizations should also consider having a third-party Security Operations Center (SOC) like Lumifi Cyber, as it often qualifies them for a discount on their policy," said Director of Product Management Mike Heller. "Many insurance companies will consider the use of a qualified outsourced SOC as means to transfer risk and provide a discount for those services."
Insurance coverage and what it covers are determined by the contract signed between the insurer and the business owner. The average cyber insurance policy is designed to provide cover for cybersecurity failures. Cybersecurity failures in this context would refer to data recovery initiatives, IT forensics, and the cost of the legal fallout from security incidents regardless of an in-house error that led to a successful system breach.
The mitigation process needed to deal with breaches differs according to the severity of the incident. In many cases, where Ransomware or business email compromise hacking techniques are used, a team of external experts may be required to handle the mitigation task to regain stolen data. In terms of BEC, security agencies may be involved with tracking the hackers behind a successful incident. The mitigation process for the above examples is expensive. Thus, insurers generally provide added paperwork for more complicated security breaches.
Cyber insurance policies sometimes cover the amount lost from a BEC hacking attempt depending on the amount lost. Coverage for BEC fraud is generally provided as a specific policy outside the standard cybersecurity insurance coverage framework. The need for exclusivity where BEC fraud is involved is once again due to the large sums, which can run onto six figures, associated with BEC scams.
Insurance companies also take diverse approaches to deal with successful Ransomware attacks. After evaluating the effect of the Ransomware attack, the insurer may determine that paying the requested ransom fee may be a more effective method of getting back sensitive data. Insurers may also choose to involve law enforcement, which comes at a cost, or bring in experts they have worked with in previous cases to deal with the situation.
Cybersecurity incidents can be broad and far-reaching as they can affect both online and offline business operations. Thus, in some cases, cybersecurity insurances provide limited coverage compared to the amount of risk an enterprise’s IT infrastructure and business has been exposed to. For example, a successful Ransomware attack that becomes public can affect the finances, reputation, and intellectual property of an enterprise. Standard cybersecurity insurance policies may cover the financial cost of dealing with the attack but not the reputational damage or intellectual property is stolen or distributed on the dark web.
The limited nature of cybersecurity insurance means an enterprise that never recovers its goodwill may still go out of business despite deploying mitigation techniques to limit the damage. Losing customers is a fallout no insurance can cover as customers feel safer taking their business elsewhere.
Another grey area to be considered is cybersecurity incidents that are perpetrated by hacking farms backed by other nations. For example, the NotPetya malware attack, linked to the Russian military and similar attempts from North Korea, can be classified as acts of war by insurers. This grey area must be analyzed, and a coverage decision was taken before any insurance policy is signed. Using the NotPetya incident as an example, some insurers paid damages to mitigate risks while others stuck to the ‘act of war’ narrative, leaving the payment decision to the courts.
The grey areas within cybersecurity insurance are reasons why enterprises must thoroughly evaluate cyber insurance policies before choosing to go with an insurer.
Statistics put the average cost of cybersecurity insurance in the US at approximately $1,485 per annum. This average cost does not apply to every enterprise because more comprehensive cybersecurity insurance which focuses on peculiar security incidents costs more. Insurance enterprises also evaluate the cybersecurity threat levels of a business to determine the cost of purchasing an insurance plan. Thus, enterprises susceptible to cybersecurity incidents due to the nature of the business they run are subject to more expensive insurance coverage.
The choice of purchasing insurance policies against successful Ransomware attacks or BEC fraud also comes at a cost. The value of data a company stores within its IT systems plays an essential role in deciding how much an insurer will be willing to charge for providing a policy plan against such security incidents.
Although cybersecurity insurance provides some help against hacking attempts, it is not a substitute for maintaining a functional security operation center and implementing compliance policies. As stated earlier, insurance may cover financial losses, but an insurance plan cannot repair hits to an enterprise’s reputation.