Cyberinsurance shifts to the mainstream

Is it time for your business to invest in a stand-alone cyberinsurance policy?

by Paul Gillin

With cyberattacks growing more common and ferocious, now is a good time to look into cyberinsurance.

Be prepared to ask a lot of questions before making a decision, though. The market for these new-fangled policies is still young, which means coverage and costs differ widely between providers.

Cyberinsurance basically protects your business against catastrophic losses in the event of a security breach. Not surprisingly, its popularity is growing in the world of cybersecurity.

A survey conducted last year by the Risk and Insurance Management Society found that 80 percent of companies bought a stand-alone cybersecurity policy in 2016, up 29 percent from the year before. Premiums totaled $1.35 billion last year, up 35 percent from 2015.

Insurance can cover a wide variety of costs related to a breach, compensating the business for things such as:

  • losses due to downtime
  • business interruption
  • investigation expenses
  • costs of notifying affected customers and business partners
  • legal costs related to lawsuits and extortion

You might find that your existing liability policy contains clauses related to cyberinsurance, but experts generally agree that a stand-alone policy is a better bet. General liability policies may cover only property damage, which is almost irrelevant in a cyberattack. It’s also a good idea to ask if coverage can be retroactive, since it takes more than 200 days for the average business to discover that it has been breached.

Determine what types of attacks are covered. Insurance companies won’t pay out if they believe an insured client hasn’t put appropriate protections in place. Phishing attacks, which are growing quickly and which use social engineering instead of software, may not be covered under those terms. Your ability to prove that you have employee education programs in place can become important in these types of attacks.

Deductibles are all over the map. As with any insurance policy, determine how much cost your company can comfortably absorb before you need insurance. The higher that number, the lower the premium. Ransomware attacks, which tripled last year and now occur once every 40 seconds, generally demand smaller payouts and may come in under the deductible threshold for many policies, which makes the ransomware coverage in those policies effectively worthless.

Ask if coverage also extends to third parties, such as business partners and service providers. You don’t want your business to be left dead in the water because your internet service provider falls victim to a denial-of-service attack.

Check into coverage limits for legal settlements and related costs, such as providing credit monitoring services for affected customers. Also consider the cost of damaged reputation and the communications expenses that may be necessary to restore customer confidence.

Cyberinsurance isn’t a get-out-of-jail-free card. Most policies will stipulate that you must make a good-faith effort to defend yourself. At a minimum, be ready to show that all employees are aware of good password, authentication and data protection procedures.

It’s also helpful if you can show that you have engaged third parties to advise you and performed regular penetration testing and incident response drills. Some insurance companies may request an audit before writing a policy or surprise audits after the fact. Don’t go seeking insurance until you are sure that your own security house is in order.

Finally, shop around. While there are more than 130 insurance organizations writing premiums, their offerings can vary dramatically. Look at not only their coverage but their alliances. This new type of insurance can protect an organization in new and often surprising ways.

AT&T Cybersecurity Insights report

Learn more about protecting your business in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."

In this invaluable report, you'll read about the troubling disconnects that have emerged between today's cybersecurity threats and organizations' countermeasures, as well as what you can do to help strengthen your defenses and reduce risk.