Cyber insurance. You know you need it, but you’re overwhelmed by the types of coverage, the number of providers and the cost of insurance premiums.
In fairness to you, your feelings of overwhelm are warranted. The cyber insurance market has exploded in the last few years. Spurred on by the increase in cyber crime, insurance players are scrambling to claim their stake in this burgeoning sector. Index Market Research valued the market at $4.3 billion in 2018. By 2030, it’s expected to reach a huge $22.5 billion.
With so many options out there, we’ve created this handy guide to help you understand the main players in the space. We’ve also included some tips that will help you to bring your premiums down.
Let’s start with the types of cover.
Types of cyber insurance
IBM estimates that the average cost of a data breach in 2020 was $4.24 million per incident – the highest cost in the report’s 17-year history. But the cost of a breach can be broken down into many parts. It’s not just the cost of, say, paying the ransom from a ransomware attack. It’s also the public relations person you hire to help deal with media queries, the GDPR fine you have to pay for losing customer data, the downtime from losing access to your servers… The list goes on!
Because the cost of a data breach has many aspects, cyber insurance has many facets too. There are two main types of cover:
First-party coverage focuses on protecting you and your business from direct damage caused by a cyber attack. It does not cover damage to third parties, such as customers whose data was stolen in a breach.
Examples of costs covered include:
- Public relations representation for crisis management
- Informing those who have been impacted
- Forensic analysis of the breach and recommendations for remediation
By contrast, third-party coverage provides liability protection in case your clients and/or suppliers are impacted by a data breach at your company. If your company processes personally identifiable data on a regular basis, then this coverage – as well as the above – is important for you.
Examples of costs covered include:
- Legal costs in the case of a lawsuit
- Settlement costs
- Regulatory penalties
Most cyber insurance providers offer both first and third party cover. What you choose will depend on how much sensitive data you handle. If you’re in a sector like e-commerce, banking or healthcare, then we highly recommend investing in both first and third party insurance.
Now that we’ve got an understanding of the types of cover, let’s dive into the types of providers out there. Our list can be divided up into three parts: the mainstream guys, the middlemen and the challengers.
The mainstream providers
In the cyber insurance space, a few names pop up again and again. These are the traditional players – companies that have been in the insurance game for a while and expanded their portfolio to include cyber insurance in the last 10 years. They are:
- AXA XL
Note that this list is not exhaustive (you can find a bigger one here). There are other large players out there too. We recommend talking to your current corporate insurance provider to see what they offer in this space, as they may be able to offer you bolt-on coverage for a lower price, rather than you having to start from scratch with a new provider.
That said, not all cyber insurance is created equal, as noted by Dark Reading. By this, we mean that getting coverage for coverage’s sake isn’t enough. You want an insurance plan that will offer real-world protection in the event of an incident.
To ensure this, you’ll need to read the fine print of different policy offers and compare these with your own risk profile. For example, if you have an expansive digital supply chain, then you’ll want to make sure your policy covers security mistakes by third parties. Similarly, if you’re worried about phishing attacks, you’ll again need to check that your policy covers this.
A note on building your risk profile
We understand that building your risk profile won’t necessarily be a walk in the park. Cyber attacks can sometimes seem to come out of nowhere. You may think you know where you’re vulnerable but, in a fast moving landscape, it’s hard to be sure.
To help with this, many leading providers offer cyber insurance risk assessments. These aren’t free, but they do help you to understand where your risk levels are highest. As examples, Chubb and Hiscox have both announced partnerships with risk analytics companies to help organisations understand their cyber exposure.
The not-for-profit cybersecurity organization, the FAIR Institute, also offers guidance on how to determine how much coverage you need. As well as this, we recommend reading the American Academy of Actuaries guide, which offers a crash course in understanding cyber insurance coverage.
The middlemen
If you’re hesitant to go straight to one provider, but don’t have the time to research all the options out there yourself, then an insurance broker could be the way to go.
As well as giving you options, brokers can also help you to find the right, tailored deal for your business. A good broker will take the time to understand your business’ unique risks and requirements, and try to find the right deal for you at the price you’re looking for.
While there are lots of insurance broker companies out there, we recommend going for an organization that specializes in cyber security. That way, they will be able to bring an expert view to your business.
The challengers
The cybersecurity insurance space is in its infancy. There are a lot of challenger companies popping up that specialize in cyber security coverage, such as At-Bay and Coalition. What’s interesting about these startups, too, is that they don’t just provide insurance; they also provide security tools, helping organizations to protect themselves in more ways than one.
Some cyber security vendors and managed service providers (MSPs) are also offering non-traditional ways for businesses to find coverage. Vendors like FireEye, Symantec and more have created relationships with brokers and insurance providers to help their clients find reliable cyber insurance.
Don’t forget self insurance
It’s important to remember that cyber insurance doesn’t protect you from a cyber attack. It merely helps you recover from the worst case scenario. But, in an ideal situation, you wouldn’t even have a breach in the first place. This is where robust defenses become important.
Plus, by implementing the right technologies, you’ll bring your insurance premium down, as you’re proving to your insurer that you take a responsible approach to cyber security. There are some critical solutions to deploy here, both to reduce the risk of a breach and reduce the cost of insurance:
- Email security: Protecting sensitive data as it transits through emails, and preventing phishing messages and account takeovers, is critical today. In the remote working world, email and collaboration tools are employees’ main way of communicating with each other. Providers like Material Security and Abnormal Security can help you to take control of your email security.
- Data mapping: Just think of the amount of data your employees produce every day. Data mapping tools, such as those offered by BigID, Varonis and Securiti.AI, are used to create structure and control over this data. They are a must to keep track of, and secure, sensitive information.
- Firewall defenses: While it seems like new security solutions are popping up every day, the basics still count. Firewalls are the first line of defense in any organization’s security strategy and, for insurance, they are a prerequisite. Vendors like CyberStrike, Barracuda and Fortinet are well-known in this area.
- DLP for SaaS applications: Data rarely stays in an office’s four walls anymore. With the proliferation of cloud and chat apps, employees are sharing corporate information across a wealth of channels. To keep your information secure, you need dynamic, cloud-enabled data loss prevention. This can come from a Cloud Access Security Broker (CASB), such as Netskope or Symantec, or a next-generation DLP provider like Polymer.
- Vulnerability management software: Lastly, you want to make sure that your IT infrastructure is up-to-date with the latest patches. We recommend automating this process, using vulnerability management software from vendors such as Kenna Security, to take the hard work out of minimizing your attack surface.
Ultimately, by combining a tailored cyber insurance policy with the best security tools, you can bring down your insurance premium, while also making it way less likely that you will be successfully attacked by a cyber criminal. At the same time, taking these steps will also make you feel more confident that your cybersecurity posture is up to scratch.