Cyber insurance is a type of insurance that shields businesses from liability and financial losses brought on by cyber incidents. One way to mitigate the financial impact of cyber disasters is to transfer some of the associated financial risks to insurance. It covers the costs related to a variety of cybersecurity incidents, including ransomware and data breaches.
How to choose?
There are several types of cyber insurance, and the choice will depend on what kind of coverage is needed. In other words, the best insurance for a company is the one that fits its needs. The following points describe how coverage is generally classified:
- First-party coverage typically includes expenses related to an incident itself, such as investigation costs, notification expenses, and credit monitoring for affected individuals.
- Third-party coverage typically covers legal costs and damages resulting from lawsuits related to cyber incidents.
It is also important to know that liability costs can vary depending on the affected company and can rapidly impact the well-being of a company: legal obligations and guidelines such as NIS 2 will hold companies accountable for data leaks, and fines can go up to 10 million euros (or 2% of the turnover, whichever is higher).
Other types of cyber insurance may also include coverage for business interruption, extortion, and reputational harm. It is important to consult with an insurance professional to determine the specific coverage that best suits the company’s needs and to see what risks are included in their offer.
It is not possible to give an exhaustive list of what may or may not be included in the insurance coverage. Nevertheless, the following points mention a few examples of what is typically not covered:
- After a cyberattack, future profit losses are usually not covered. Cyber insurance will not make up for lost revenue if a cyberattack results in a loss of clients.
- The majority of cyber liability insurance plans do not provide coverage for a decline in the value of the company. For instance, cybercrime has the potential to steal a company’s intellectual property, resulting in the company’s value decreasing once that knowledge is lost, but insurance won’t pay for that value loss.
- An upgrade to a security system is not covered by cyber insurance. Insurance will not pay for changes that improve the security system to stop similar attacks in the future.
What solutions do insurance companies provide?
It is important to note that every company will seek different coverage, depending on the budget it can allocate to it but also on its operational needs.
Knowing the extent of an insurance policy’s coverage is just as important as knowing how the insurer will respond to an incident. The response will depend on the nature of the incident: a regulatory fine and a ransomware attack will not be resolved the same way. This is why insurance will typically work within the following scope: liability, financial losses, and emergency incident response.
Disaster response and recovery have not received the same priority from many organizations as IT security and defense. After a cyber incident, the first 48 hours are critical. Often, an organisation’s response is more significant than the incident itself. A late or inadequate response can have disastrous effects and harm an organization’s standing. Therefore, immediate incident response and crisis management are fundamental elements of first-party coverage for all insurance companies. Depending on the coverage, the insurance company will either pay for a small part of the direct costs linked to the incident, or put an entire team of specialists at the company’s disposal when needed.
Another point that should be considered is which kinds of companies the insurer has already worked with. The size and industry of a company often define specific needs in terms of security services.
Most importantly, it is key to keep in mind that cyber insurance does not replace security policies and should only be seen as a financial safety net.
How much does it cost?
Cyber insurance rates are determined based on organisation-specific factors, such as yearly revenue, sector, kind and quantity of data, and IT security policy. To put things in perspective, in 2023, over 70% of companies with 500+ employees reported at least one cyber attack on their systems; with attacks this widespread, the insurer has to know whether the companies it works with have decent defensive lines in order to minimize its costs. As a result, it is important to identify what an organisation has put in place in terms of cybersecurity policies and systems, so it is key to ensure that all basic measures are installed, used, and documented: antivirus, firewalls, backups, MFA, etc.
All insurers will make companies go through a survey to ensure eligibility for the insurance, and its result will determine the subscription fee. A company that does not comply with legal guidelines and overall best practices in the domain will pay a higher premium than others.
Conducting regular risk assessments, educating your employees on cyber-related topics, and preparing an incident response strategy will not only reduce the likelihood of security incidents but are also good ways to reduce insurance costs.
Better safe than sorry
As already mentioned, cyber insurance does not define a cybersecurity strategy and should only be seen as a complementary measure. A strong resilience plan is necessary for organisations to prepare for and effectively respond to disruptions, whether they are due to cyber attacks, natural disasters, or other unforeseen events. The Belgian Economy Federal Public Service (FPS Economy), in collaboration with Headmind Partners, is offering SMEs a unique opportunity to take part in cybersecurity awareness workshops for free. These crisis exercise or escape game workshops aim to enable SMEs to learn how to protect themselves from cyber attacks in a realistic role-play simulation that lays solid foundations for continuous improvement.
Read more here: https://cyber4sme.be/en/accueil-en/