Though the cyber insurance market in the U.S. is currently valued at more than $7 billion, it is forecast to reach more than $20 billion by 2025.
Considering the increase in cyber-attacks just since the COVID-19 pandemic, it has become increasingly clear that most, if not all, businesses that store customer data or process electronic transactions may be targets of cyberattacks. Yet only 20% of businesses have cyber insurance coverage, according to a survey conducted by Appalachian State University and Selective Insurance.
One obvious hindrance is that business owners don’t always understand how the price of cyber insurance policies is determined and what is covered under their policy.
The amount paid for a cyber insurance premium will vary based on the type of business and by-products offered through individual insurers.
Choosing cyber coverage
According to Insureon, 27% of small business owners pay less than $1,000 per year for cyber liability insurance, and another 36% pay between $1,000 and $2,000 per year. Excluding high and low outliers, the median premium for cyber liability insurance is $140 per month. Cyber liability policies have limits that range from $1 million to $5 million or more.
Premiums are dependent on several factors, including the industry the business engages in, the exposure, the dollar limits selected, the type of coverage provided, as well as the chosen deductibles.
A small business such as a bakery operating on a regional basis with a limited customer base and a smaller revenue will likely pay less for cyber insurance than a national retailer that stores customer credit card information through in-person and online shopping.
Other high-exposure examples include medical clinics and hospitals that store protected personal information (PPI) within their potentially vulnerable databases.
Aspects that impact insurance costs include the limitations, deductibles and exclusions of the business’ specific policy. A business owner should carefully review the policy language since cyber fraud scenarios are constantly changing.
Read the fine print
The latest tale of an organization falling victim to a business email compromise attack on their credit card processor highlights how very specific the scenario needs to be to see a payout. A Texas-based company’s credit card processor was duped to modify disbursement instructions, losing more than $10 million.
A lawsuit following the Texas company’s cyber insurer’s denial of the claim demonstrates how policy language can make or break a cyber claim payout. In this case, the court found that for coverage to apply, the Texas company had to be the victim of the cyberattack per its policy language, rather than the credit card processor.
When a business shops for a cyber policy, insurers will review the following for each business it considers insuring:
Infrastructure security. The insurer’s underwriters will audit a business’ controls and procedures to determine how vulnerable its infrastructure is to breach or attack. If, for example, a business has multiple vendors and a dated security system, the security may be more easily compromised. On the other hand, the more security measures in place, the lower the cyber insurance premium cost.
Training procedures. The risk of a breach or a loss is dependent on the training that the business’ users and information technology staff receive. Personnel should be trained to understand network security risks and, in the event of a cyber-attack, know what to do when one occurs. This is especially important given that phishing scams are the leading threat vector against businesses. Verizon’s 2020 Data Breach Investigations Report shows phishing as the leading threat action, followed by the use of stolen credentials and password dumpers. An insurer’s underwriter examines the mitigation procedures in place in the event of a cyber breach as part of their pricing model.
Loss history. Does the business have a history of breaches or losses? This history provides underwriters an understanding of past exposure and aids in revealing areas within the business that may be vulnerable to security flaws.
Type of data collected and stored. Businesses that store credit card data, financial information, or healthcare data tend to be more heavily targeted by cybercriminals. The type of information that the business collects and stores is used to help determine the risk involved.
Geographic location. The location of the business and its network infrastructure may factor into a business’ risk profile.
Regulatory requirements. Governance policies such as GDPR in Europe, the CCPA in California, and the Biometric Information Protection Act could increase the accountability of a business when handling sensitive data. If a business is found to have sustained a breach or failed to follow stated procedures, significant fines could be imposed.
Working together, small businesses and insurers can minimize the damage and claims that may result in the event of a cyber-attack by ensuring a business has the appropriate policy and coverage in place.
Stu Sjouwerman is the founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 37,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including, “Cyberheist: The Biggest Financial Threat Facing American Businesses” and be reached at [email protected].