By Paul Gillin
With cyberattacks growing more common and ferocious, now is a good time to look into cyberinsurance. Be prepared to ask a lot of questions before making a decision. The market for these new-fangled policies is still young, which means coverage and costs differ widely between providers.
Cyberinsurance basically protects your business against catastrophic losses in the event of a security breach. Not surprisingly, its popularity is growing. A survey conducted last year by the Risk and Insurance Management Society found that 80 percent of companies bought a stand-alone cybersecurity policy in 2016, up 29 percent from the year before. Premiums totaled $1.35 billion last year, up 35 percent from 2015.
Insurance can cover a wide variety of costs related to a breach, including investigation expenses, compensating the business for losses due to downtime, business interruption, costs of notifying affected customers and business partners and legal costs related to lawsuits and extortion.
You might find that your existing liability policy contains clauses related to cyberinsurance, but experts generally agree that a stand-alone policy is a better bet. General liability policies may cover only property damage, which is almost irrelevant in a cyberattack. It’s also a good idea to ask if coverage can be retroactive, since it takes more than 200 days for the average business to discover that it has been breached.
Determine what types of attacks are covered. Insurance companies won’t pay out if they believe an insured client hasn’t put appropriate protections in place. Phishing attacks, which are growing quickly and which use social engineering instead of software, may not be covered under those terms. Your ability to prove that you have employee education programs in place can become important in these types of attacks.
Deductibles are all over the map. As with any insurance policy, determine how much cost your company can comfortably absorb before you need insurance. The higher that number, the lower the premium. Ransomware attacks, which tripled last year and now occur once every 40 seconds, generally demand smaller payouts and may come in under the deductible threshold for many policies, making ransomware protection basically pointless.
Ask if coverage also extends to third parties, such as business partners and service providers. You don’t want your business to be left dead in the water because your internet service falls victim to a denial-of-service attack.
Check into coverage limits for legal settlements and related costs, such as providing credit monitoring services for affected customers. Also consider the cost of damaged reputation and the communications expenses that may be necessary to restore customer confidence.
Cyberinsurance isn’t a get-out-of-jail-free card. Most policies will stipulate that you must make a good-faith effort to defend yourself. At a minimum, be ready to show that all employees are aware of good password, authentication and data protection procedures. It’s also helpful if you can show that you have engaged third parties to advise you and performed regular penetration testing and incident response drills. Some insurance companies may request an audit before writing a policy or surprise audits after the fact. Don’t go seeking insurance until you are sure that your own security house is in order.
Finally, shop around. While there are more than 130 insurance organizations writing premiums, their offerings can vary dramatically. Look at not only their coverage but their alliances. This new type of insurance can protect an organization in new and often surprising ways.
Paul Gillin writes, speaks and trains marketers and corporate executives to think like publishers. Gillin specializes in social media for B2B companies. He is a veteran technology journalist with more than 25 years of editorial leadership experience. All opinions expressed are his own. AT&T has sponsored this blog post.
Be one of the first to receive the latest AT&T Cybersecurity Insights report, Mind the Gap: Cybersecurity’s Big Disconnect. You’ll learn more about minimizing gaps in your cybersecurity strategy and how to defend against the growing cyberthreats. Sign up today!