How Much Cyber Insurance Does Your Business Need?
Let's get this out of the way: cyber insurance is expensive. And it's becoming more expensive as time goes by.
The growing severity of cyber incidents like ransomware, which saw ransom payouts increase by 311% in 2020, has sent premiums soaring. Some insurance carriers raised them by as much as 25%, according to a Reuters report.
To better understand the costs of cyber insurance, we spoke with Justin Reinmuth, the CEO and founder of our insurance provider of choice, techrug.
"It's getting more expensive by the month," said Reinmuth. "You're getting fewer players in the market. We're starting to see certain insurance carriers that are just dropping out, and they just won't offer cyber insurance anymore," he added.
While cyber insurance costs are indeed high, the risks of going through a cyber incident without a policy are even higher. According to a report by the National Cyber Security Alliance, 60% of small and mid-sized businesses that experience a cyber attack go out of business within six months.
That's where cyber insurance comes in. It can help offset the impact of an attack and help you recover from major incidents. Something that, according to Reinmuth, makes it worth the cost.
"For everything that it does, you're asking the carrier to come back and protect you for up to a million. I think that for the amount that they are charging, the insurance is extremely broad, and it's still relatively inexpensive," he said.
At ITS, we've helped hundreds of businesses take proactive steps to strengthen their cybersecurity. From our experience, even the most robust cybersecurity measures can be breached, and that's when a cyber insurance policy can be essential. But just how much do you need?
In this article, we'll help you make informed decisions when it comes to buying a cyber insurance policy. To do that, we will answer the following questions:
- Who needs cyber insurance?
- How much cyber insurance do you need?
- What factors affect cyber insurance costs?
Who Needs Cyber Insurance?
In today's cybersecurity climate, it's going to be hard to think of a business that doesn't need cyber liability insurance. Simply put, if your business stores sensitive client, customer, and partner data or conducts any form of electronic transactions, then you can benefit from a cyber policy.
You can fall victim to cybercrime regardless of the size of your organization. It's been reported that almost half of all recorded cyber attacks in recent years were aimed at small businesses. From a threat actor's standpoint, it just makes sense. Small organizations often underestimate the value of their data or don't have enough capital to improve their cybersecurity measures.
How Much Cyber Insurance Do You Need?
In a study conducted by Advisorsmith, the average cost of a cyber liability policy in 2019 for a company with moderate risks was $1,485 per year for $1 million in coverage, with a $10,000 deductible. The exact number, however, will vary wildly depending on each organization's unique circumstances and other key factors.
Figuring out how much coverage an organization would need is a difficult process that's unique to everyone.
"That's a tricky question. No one can answer that question accurately," Reinmuth said.
According to the techrug CEO, asking how much coverage your business needs is similar to asking how much you'd be willing to pay in ransom if a loved one were kidnapped. "Because at the end of the day, this is kidnapping for ransom, especially when it comes to ransomware," he explained. "Some people might want $200,000; some organizations might want $2 million. It's the same sort of thing; you can't really answer that with certainty."
He further elaborated that computations are made based on several factors that often include your organization's industry, size, and the current level of risk in the market.
"There's no black book that says, 'per million dollars, this is how much you should pay.' Because if you've got someone in a higher-hazard industry, they're gonna pay more," Reinmuth stated.
"It's not really up to the client [how much insurance they need]. It's up to the client to ask questions about what certain coverage is due. But basically, the agent should really be driving that based on the [client's] environment, and what insurance agreements and what coverage should be in place," he added.
Reinmuth explained that clients might want higher limits, but it would all depend on the calculations. It's all about risk: how much a carrier is willing to take on and how much your business is willing to pay for.
What Factors Affect Cyber Insurance Costs?
There are a lot of factors that insurers need to investigate and calculate to determine the cost of a policy. Let's take a look at some of the most important ones below:
Size and Industry
The size of your organization is a vital part of the insurer's calculations, as the more employees you have, the greater your risk for phishing and social engineering attacks.
However, perhaps a more important factor in determining your policy costs is your industry. Depending on which industry you serve, you could end up paying a lot more for a cyber insurance policy. That is because some industries are more prone to cybercrime than others. Some of these high-risk industries include:
- Energy and Utilities
"If you've got someone in a high-hazard industry, they're gonna pay more, and maybe their cybercrime will be sub-limited. In other words, [insurers will] only offer $100,000 versus someone who's in a non-risky environment. [Businesses in lower-risk industries] might get $500,000 in cybercrime, and they're going to pay two or three times less," Reinmuth explained.
Data Size and Sensitivity
The size and sensitivity of your data are crucial in determining your risk factor. Take, for example, a local business with a limited customer base. Such a low-risk company is likely to pay less for its cyber policy than a large retail store that stores customer information and credit card numbers through its website.
On the other hand, an example of a high-risk company would be a healthcare facility or financial institution. Both typically store massive amounts of sensitive personal data like social security numbers, dates of birth, and other private information—a prime target for cybercriminals.
The higher the risk for the data you keep, the more you have to pay to protect it.
Having the right cybersecurity measures in place can affect how much your cyber liability insurance will cost.
"Security is driving the qualifications for these cyber policies. You don't have certain security, guess what, you don't get the policy anymore," Reinmuth stated. "The more security and the better security you have in place, chances are, the cheaper your rate is going to be and the more coverage you'll have," he added.
According to the techrug CEO, that's because the rise of cybercrime in the past few years swamped many insurance carriers with claims. In an attempt to reduce their exposure to risks, many began implementing stricter application processes that included a comprehensive assessment of their clients' cybersecurity.
"Carriers are getting more aggressive on some of that stuff. They want EDR (Endpoint Detection and Response) and active threat hunting in place," Reinmuth remarked. "What we're seeing right now in the cyber industry is that a lot of the carriers are saying: 'Hey, we're really getting nailed with claims. And people aren't doing things right,'" he explained.
From an insurance agent's point of view, the more revenue your business generates, the riskier you are to cover. Unfortunately, that means your cyber insurance will be more expensive. That's because your organization will now be a more attractive target for cybercriminals. Not to mention, any business interruption you might encounter will cost more money.
"If you've got someone who's at $1 million in revenue and another one that's at $100 million in revenue, then you'll need two different business interruption limits. So, you're going to tend to go higher," Reinmuth explained.
Your coverage limits and deductibles can significantly influence your premiums. For one, the larger your coverage limit is, the more you're going to have to spend.
According to Reinmuth, while insurers technically can give their clients any limits they want, it ultimately boils down to whether they're willing to pay for it. He detailed his experience with a client who asked for $10 million coverage limits. "[The premium] ended up being $70,000, and they were like: 'well, we don't want it that bad,'" he said.
He also explained that in some instances, coverage limits are dictated by the insurance carriers. "It could be that a carrier is getting killed with claims, and they've stopped giving limits above 'x' millions of dollars," Reinmuth said.
Deductibles, on the other hand, are the amount of loss that your organization will be responsible for in a cyber incident that is covered by your policy. If you decide to pay lower deductibles, you might pay less in the event of cybercrime. However, you will need to spend more on your premium.
Ready to Protect Your Business From Cyber Attacks?
Cyber insurance might seem expensive, but in the current threat landscape, it can be indispensable. If you are unsure about your policy and how much coverage you need, always consult with an experienced insurance provider.
At ITS, we've spent over a decade helping businesses take proactive steps to bolster their cybersecurity so they can prevent and recover from cyber incidents.
Want to learn where your security efforts currently stand? Fill out our form for a free security assessment.