As more regulations requiring businesses to obtain cyber insurance come into place, the more important it becomes for organizations to find the right one. Find out the steps you need to take before getting cyber liability insurance, and how to choose the right policy and provider.
Statistically speaking, you're more likely to experience a cyber attack than a house fire.
A report by the Internet Crime Complaint Center in 2020 found that there were 465,177 reported cyber incidents that year. On the other hand, US fire departments responded to an estimated average of 346,800 home structure fires per year.
Despite this fact, business owners are still more inclined to purchase home insurance over cyber liability insurance. Statista found that in early 2021, less than half (41%) of businesses in the United States and Europe currently have a cyber insurance policy, despite the tremendous risks.
To deliver more in-depth insights, we spoke with Justin Reinmuth, CEO and founder of ITS’s trusted insurance provider, techrug.
"[Business owners] need to understand that cyber liability insurance has to be part of their insurance portfolio," said Reinmuth. "I've had clients now who weren't before that have gone through ransomware attacks, and they didn't have cyber insurance then. And they've told me: 'I will never do that again, it was a nightmare.'"
Cyber liability insurance can be triggered after an incident and help compensate for your losses. It helps mitigate the damage of an attack and gives you a better chance to recover.
At ITS, we've helped hundreds of businesses bolster their cybersecurity efforts. From our experience, cyber insurance is an effective way of proactively protecting your business from the full brunt of a cyber incident. However, while cyber insurance is vital, finding the right one that can provide adequate coverage for your business is equally important.
In this article, we'll help you understand how to find the right cyber insurance for your business. To do that, we'll discuss the following:
- What is cyber insurance?
- What are the two types of coverage?
- What are the steps you need to take before getting cyber insurance?
- What should you look for in a cyber insurance policy?
What is Cyber Insurance?
Cyber insurance is also known as cyber liability insurance. It is a type of insurance designed to protect businesses against business interruption and cyber risks.
While it is most commonly associated with helping organizations maintain their operations during a security breach, policies may offer different coverages. These can include coverage for lost revenue caused by an unintentional computer failure or third-party litigation.
There are many nuances when it comes to cyber insurance coverage, but they generally fall into two main categories, namely:
First-Party Coverage
First-party insurance refers to the coverage of any damage or loss caused by a cyberattack or data breach. It typically includes recovery of lost data, forensic investigation services, and business interruption coverage.
Third-Party Coverage
Third-party insurance, on the other hand, refers to coverage designed to protect customers or partners who might be affected by an attack or breach. Any damage that might require legal fees, settlement costs, or liabilities to be resolved will be covered.
3 Steps to Take Before Getting Cyber Insurance
Like most insurance policies, cyber liability comes with a rigorous application process that can determine whether you can get a policy or not. Taking the following steps beforehand will help get you the coverage your business needs:
1. Ramp Up Your Cybersecurity Measures
Updating your cybersecurity measures to current standards is a must before you even consider getting a policy.
"Security is driving the qualifications for these cyber policies. If you don't have certain security, guess what, you don't get the policy anymore," Reinmuth said.
However, that's not the only benefit up-to-date cybersecurity can offer. Aside from helping protect your business from threats, it can also help you get better rates and coverage on your cyber insurance policy. As Reinmuth explained, "the better security you have in place, chances are, the cheaper your rate is gonna be and the more coverage you'll have."
2. Assess Your Risk Tolerance
This step will require you to take an objective look at your data and systems, then determine which ones are in critical need of protection and coverage. Try asking yourself questions like:
- Do you collect sensitive information?
- Is your customer information safe and secure?
- Which of your data or systems are mission-critical for your business operations?
- Can you not operate without your customer lists?
- Can you not operate with your website?
Answering these types of questions objectively will give you a realistic view regarding which parts of your environment you need to protect at all costs. You have to separate the nice-to-have elements from critical ones to gain a better understanding of your true risk tolerance. From there, you'll know whether your revenue-tied systems will be covered by your policy so you can make an informed decision.
3. Ask IT Experts for Advice
Engage IT experts or your MSP for guidance. They can help you with everything you need to do before meeting with a carrier's underwriter. Taking this extra step can not only help you get the coverage you need, but it might also net you a better premium.
Some carriers might offer you an easier time with the assessment, and it might seem tempting. However, as Reinmuth explained, "the fewer headaches, the less the barrier to entry is; the less the coverage is. The more hoops you gotta jump over, the more work you gotta do, the more you gotta call your IT service provider to do something; the better the policy is written."
What to Look for in a Cyber Insurance Policy and Provider
There are a lot of things you need to consider before choosing an insurance policy and provider. Taking the time to really dive into who the company you're dealing with and the parameters of the policy will work in your best interest. Here are a few things you should look for:
Experienced Carrier
According to Reinmuth, it's important to always look for experienced carriers.
"The longer and the more claims [an insurance carrier] has been through; their incident response tends to be a little bit better when they get into a situation. In other words, they've had more time to work out the problems or the kinks in the system," he said. "If an insurance carrier is pretty good with incident response, wouldn't you want them within hours working on [an incident]?" Reinmuth added.
Ensuring that your carrier has experience handling cyber incidents, can mean the difference when it comes to mitigating damage from an attack. They’ll be able to respond to and address your needs faster, which can buy you time critical during emergencies.
Specialization in Cyber Insurance
Another factor you need to look into is whether the provider specializes in cyber insurance. They will be more likely to know the ins and outs of cyber policies, which can help speed up the application process. Also, they can better guide you if you need a policy for regulatory compliance.
"You gotta get with a trusted agent or agency that does this all day, every day. If you go to someone who does landscaping, bakeries, homes, and autos and ask them to write a cyber policy, it's probably not going to turn out real well. It's a very specialized type of coverage," the techrug CEO explained.
Adequate Coverage
A study conducted by Sophos found that many of their respondents have cybersecurity insurance policies that aren't adequate for the job. In one example, only 64% have insurance that provides coverage for ransomware, one of the most dangerous cyber threats in 2021. It's a dangerous gap, especially considering that the second quarter of the year saw the highest volumes of ransomware attacks ever.
"If [the insurance carrier is] not asking a lot about certain things centered around cybercrime or ransomware, you're probably getting a sub-limited or a small amount of coverage, or you're not getting any coverage at all," Reinmuth said.
Making sure that your business has adequate coverage for your needs is essential when it comes to choosing the right policy. Always ask the insurance carrier about what incidents will trigger the activation of your policy and if there are specific instances that are excluded from your coverage. From there, you can check if the policy will be able to cover your business-critical systems.
Ready for a Security Assessment?
In order to find the right cyber insurance policy for your business, you first need to take a close and objective look at what coverage you need and what security measures you already have in place. That will help you make informed decisions when it comes to choosing the right policy and provider for your organization.
At ITS, we've spent over a decade helping businesses take proactive steps to improve their cybersecurity.
Want to find out where your current cybersecurity stands? Fill out our form for a free security assessment?
