In the world of insurance providers and policies, cyber insurance is a fairly new field. And many security teams are trying to wrap their heads around it.
What is it and do they need it? And with what time will they spend researching how to integrate cyber insurance into their strategy?
For small security teams, this is particularly challenging as they contend with limited resources.
Luckily, there's a new eBook dedicated to helping small security teams better understand cyber insurance policies and how they may impact an organization's cybersecurity measures.
In 1997, the "Internet Security Liability" (ISL) insurance policy was launched at the International Risk Insurance Management Society's convention in Honolulu. Underwritten by AIG, ISL insurance was designed to protect ecommerce retailers like Amazon that were collecting sensitive customer data and storing it on internal networks. It is credited as one of the very first cyber insurance policies to be made available to businesses.
Now, a quarter of a century later, the cyber insurance market has grown exponentially and covers a wide range of cybersecurity incidents. According to the National Association of Insurance Commissioners (NAIC), the cybersecurity insurance market hit $4.1 billion last year, up 29.1% over the previous year. Industry reports predict the market will reach $11.4 billion by the end of this year – and nearly double to $22.3 by 2025.
"Last year was a stark reminder that hackers are pivoting — and are succeeding — in deploying new attack strategies," writes John Farley, managing director of Gallagher, a global insurance consultancy. "There were a wide variety of victims that ranged from global software providers, email platforms, the largest U.S. meat supplier and fuel suppliers that provides nearly half the fuel to the east coast of the U.S. Threat actors have found this vase system of interdependencies to be fertile hunting grounds."
Organizations with even the smallest cybersecurity teams are now looking at cyber insurance to protect their businesses from cyber attacks.
But investing in cyber insurance is not as easy as adding a new insurance policy.
What is cyber insurance?
Cyber insurance, also referred to as cyber liability insurance or data breach insurance, can help mitigate the costs of cyber attacks – an expense that is growing at an alarming rate. While still not a mandatory expense, cyber insurance is quickly rising to the top of priority lists for many organizations that manage vast amounts of data.
Because a cybersecurity attack can cost a business millions of dollars – IBM reports the average cost of a data breach reached $4.35 million in 2022 – businesses that do not invest in cyber insurance are putting their entire enterprise at risk. A cyber insurance policy does not stop a cyber attack, but it can prevent it from completely devastating a business.
What does cyber insurance cover?
As with any insurance policy, there are different forms of cyber insurance that cover various cyber security threats. The market varies widely, with policies often determined by insurance providers, but the primary forms of cyber insurance include:
- Network security systems policies which cover the cost of lawyers, IT forensic services, data restoration, breach notifications and communications, and more when a data breach, malware infection or ransomware incident occurs.
- Privacy liability policies which cover any costs related to a data breach that exposes personally identifiable information (PII), i.e. lawsuits, compliance violations, reputational risk management, etc.
- Network business interruption policies that enable a business to cover costs related to data loss or any financial losses incurred by a disruption in services.
- Errors and omissions policies that are similar to network business interruption policies, covering cyber attacks that jeopardize a businesses' ability to deliver services or meet contractual obligations.
- Media liability policies which cover any losses resulting from allegations of slander, libel, disparagement, or copy infringement.
This is not a complete list of cyber insurance policies. Specific terms and conditions are up to insurance providers, with claims often disputed as it can be difficult to define a cyber attack that involves sophisticated forms of cybercrime or social engineering schemes which are difficult to identify.
How do existing cybersecurity efforts impact cyber insurance policies?
Before obtaining a cyber insurance policy, businesses must be approved for coverage. To protect their own costs, insurance providers often make cyber insurance contingent on a number of specific cybersecurity measures.
These contingencies usually include a business' cybersecurity efforts – things like making sure an organization has written security policies in place, uses multi-factor authentication (MFA), and encrypts their data. Often cyber insurance providers dictate which cybersecurity tools a business must implement and even security vendors the business chooses to partner with.
Such rules set by the cyber insurance provider directly impacts an organization's cybersecurity efforts and can create friction between cybersecurity teams and the business leaders purchasing the cyber insurance policy. The best path to reducing this friction is to make sure the cybersecurity team is on board with the process from the start and involved in key decisions that impact the business' cybersecurity strategy.
Cybersecurity team leads need to understand cyber insurance policies and be able to assess whether or not a tactic required by an insurance provider weakens or strengthens the business' existing cybersecurity protections.
If your organization is currently evaluating cyber insurance policies, download Cynet's insurance guide to better understand what's at stake – both for your cybersecurity team and your business at large.