In 2021, IBM’s Cost of Data Breach Report 2021 reported the following:
2021 had the highest average cost of data breaches in the 17-year history of the report. The cost of a data breach rose from 3.86 million to 4.24 million in just one year.
The increase in cost was linked to an increase in remote work due to the pandemic. In breaches where remote work was a factor, the cost of the breach rose 1.07 million.
The most common entry point for hackers was compromised credentials, which was responsible for 20% of breaches.
However, in companies which chose a more comprehensive IT security model that restricts controls to networks, applications, and environment—the average cost was 1.76 million lower. And organizations with more modern, cloud-based strategies contained their breaches an average of 77 days faster than those without.
As cyber-attacks continue to surge—including the recent devastation of the log4j vulnerability—the need for organizations to select cyber insurance grows more urgent every day.
The concept of cyber insurance is both relatively new and ever-evolving. Generally, though, cybersecurity insurance helps recoup losses, pay for investigations, cover legal costs, and gives you the resources to get your organization back in business following a cyber-attack.
Any business that deals with sensitive information—including credit card numbers, medical information, social security numbers, or any other personal information—should have cybersecurity insurance in order to protect customer information, industry relations, and business reputation.
Choosing the right policy depends on the size of your organization as well as the threat level to your industry. In order to be approved for cybersecurity insurance, the provider will conduct a physical evaluation of your standing cybersecurity in order to assess its strength. They will look at aspects such as:
- The location of your office / how many remote workers you have
- The size of your organization
- Your industry
- Your current cybersecurity strategy
- Any previous security incidents and their impact
To prepare yourself for such an evaluation (and to strengthen your current cybersecurity strategy), you should invest in a network assessment—a detailed report and analysis of your existing IT infrastructure, including how it is managed, what your cybersecurity looks like, how your company’s processes and policies function, and how the network performs. Although previously just recommended to those seeking cyber insurance, a Cybersecurity Assessment is now becoming a requirement in many policies.
There are two typical types of insurance. These are:
- First party insurance, which will cover damages and losses due to a cyberattack or data breach, and
- Third party insurance, which protects customers or partners who might be affected by a cyberattack or data breach.
You can purchase cyber insurance as a stand-alone policy, but some business insurance offers cyber insurance as an add-on to your current policy. When assessing which policy is right for your organization, consider the following aspects:
Cost of insurance
Much like health insurance, cyber insurance has a monthly payment and deductible. In order to assess if the policy makes sense or you, you should consider the costs of a potential breach. If you do have an attack, how much will you have to pay out of pocket? How does this compare to the monthly payment, and how does that payment fit into your budget?
Generally, a cybersecurity insurance policy can and will include coverage for the following:
- Damage to your IT infrastructure as a direct result of a cybercrime, including:
- Payment of ransomware
- ID restoration and credit monitoring
- Data restoration
- PR expenses
- Legal expenses, including any incurred due to breach of contract with a client
- Payment of ransomware
- Business interruptions as the direct result of a breach
- Replacement hardware damaged by malware
How threats are assessed
As with any insurance, you should look closely at how cybersecurity threats are assessed. Employees can often be the cause of breaches, and some policies might not cover accidental actions caused by falling for social engineering attacks, such as convincing phishing emails.
Additionally, sometimes there are large breaches that affect many people from many different industries. Some insurance policies will only cover targeted attacks where your organization was specifically sought out for a breach.