Your company getting hacked or suffering a data breach pretty much feels guaranteed at some point—it’s less of an if and more of a when. Thankfully, companies aren’t totally hung out to dry after their customers flee or sue—there’s cyber insurance!
Despite digging into data breaches and the resulting fallout fairly often, I never really hear about cyber insurance. Like I don’t really remember anyone talking about it at conferences, in blog posts, etc. But, clearly, it’s spreading a lot, making it one of the biggest security trends we haven’t written about yet.
According to a recent survey from Marsh and Microsoft, 47% of organizations have cyber insurance, which is up from 34% just two years ago. The larger the company, the more likely it is to have cyber insurance, with 57% of businesses with over $1 billion in annual revenue having it.
So, we thought we should get familiar.
What is cyber insurance?
Hopefully your organization has cybersecurity in place to protect your data, but nothing is infallible, so cyber insurance can help you recover after a breach or hack.
Despite the fact that I hadn’t heard about it before, cyber insurance isn’t a thing. The industry started to see momentum almost 15 years ago. It started out as part of errors and omissions insurance (should you have made any errors due to your company’s performance) for tech companies to protect against things like bringing down another company’s network or early computer viruses. Now cyber insurance is considered its own separate thing from E&O.
Why should a company consider cyber insurance? Well, it can provide much needed funds for thing like post-breach investigations, customer restitution (e.g., credit monitoring), and even paying the ransomware ransom fee (sometimes it’s just easier to pay it). A lot of the big-name insurance companies offer cyber insurance, including Nationwide, Progressive, and Farmers Insurance (though theirs is limited and falls under the name of business general liability).
While more businesses should have cyber insurance, some might sign up in order to appease their clients, which gives them peace of mind should something happen.
If you get it, make sure to understand what’s covered
Like all insurance, the companies providing it will look for any excuse to wriggle out of paying. One example of this is Mondelez, which found itself not covered following the 2017 NotPetya attacks. While what I outlined in the previous section might be things you can get covered, you have to make sure the insurance company you select actually does, especially as some aspects like reputational damage, intellectual property loss and forensics aren’t always covered because it’s harder to determine an exact numerical value.
Another thing to note when signing up for cyber insurance is that your organization actually has the proper cybersecurity in place to try and protect against attacks and to make sure your CISO accurately understands your cyber hygiene. The insurance companies can deny coverage following an attack should something like any submitted self-assessments be poorly done or you don’t have something in place that you claimed you did. Another example is the failure to comply with standards or regulations.
Despite not being , cyber insurance still isn’t completely understood by either companies seeking coverage or those offering it, leading to cheap plans (this is an interesting article about the rise of cyber insurance from my TechTarget colleague Rob Wright). Cyber insurance was a topic of coverage at Black Hat 2019 (I apparently missed all of it), with a product manager from Chubb, an insurance carrier, saying the current market is valued at $4.5 billion, with an annual expected growth of 25%. They added that 90% of cyber insurance claims are paid out from Chubb and that the claims are often maxed out.
One would hope that as more companies consider cyber insurance, whether that’s due to more regulations going into effect or being a potentially juicy target for hackers, that it leads to an increase in adopting security best practices.