Businesses are relying on digital technology more and more with every passing day. Emerging tech, fast home Internet, changing ideals and COVID have all driven companies to expand their technology footprint considerably more than ever before. This expansion has allowed companies to function in ways that were not possible just 10 years ago. Unfortunately, it has also opened new avenues for hackers and adversaries to find their way into businesses, and the damage they can do is far worse than it used to be. Every company should have a robust security program that is documented, implemented, and rigorously tested. It should also have a plan for what happens when it all goes wrong. How does it recover? How does it function without some of its computers, or even without all of them? With these plans in place and tested, a company can put the last piece in place: cyber insurance.
Cyber insurance – very simply defined – is a contract between an insurer and an enterprise to protect against the fiscal impacts of a cyber incident. A cyber incident can be quite a few things besides just the black hoodie-wearing basement hacker attacking your company. It can – but does not always – include data leaks (breaches), natural disasters that affect the enterprise’s ability to communicate, data theft by employees, self-inflicted mistakes (such as an administrator accidentally deleting a website), and much more. What kind of coverage an enterprise gets, and how thorough it is, depends on how much it pays, how large the deductible is, and how robust its security program is.
Moreover, after (or during) an incident, filing a cyber insurance claim is not a guaranteed reclamation of lost revenue. Just like any insurance claim, the factor that matters is not only what happened but how it happened. Typically, insurance companies will want a demonstration of how an incident happened and what the contributing factors were. Some insurance firms – in the case of high claims – may have third-party assessors perform an assessment of the security posture of the insured. These results can reduce the payout of the insurance claim, or lead to an outright denial if there was a real and severe issue in which the company was negligent.
One client we dealt with had been completely shut down by ransomware. This client did not have a robust security program, but they did have a cyber insurance policy. The ransom for them to get the business back up was approximately $100,000. They were down for three days with annual revenue of about $100 million. Doing very loose math, the cost of their downtime exceeded $750 thousand, not counting any lost business or reputational impact. The company did pay the ransom, which recovered roughly 75% of their data, while every one of their 17 servers had to be rebuilt from scratch. The insurance company ultimately paid them $350,000 against the $1 million+ worth of loss.
What cyber insurance is not, however, is the security program. Cyber insurance is the final piece of a robust security program. Just like auto insurance, cyber insurance is used after the incident happens. When an incident happens, it is on the enterprise to be ready and to have a plan for responding to it. Even in the case that cyber insurance pays back in full, it does not account for the stress on employees, the reputational loss and the many other intangibles that come with a cyber-related incident. Cybersecurity is a holistic approach, guided by policies and protected by technology and personnel. Cyber insurance is important for the day an enterprise inevitably becomes the victim of a cyber incident, but it is vital to remember that it is the very last piece of the entire security puzzle.