Buying cyber insurance for the first time can be daunting. Not only is there a lot of industry jargon, but understanding your coverages and how your business’s cybersecurity practices factor into the underwriting of your policy can be overwhelming. Here are some of the things that you should keep in mind.
There are plenty of resources around the web to help you understand what cyber insurance is and get familiar with some of the terminology. You don’t have to be an expert by any means, but knowing enough so that you don’t get lost is helpful.
To help SMBs get familiar with the industry, we’ve put together an original report, the 2020 State of the Cyber Insurance Market for SMBs, with insights from the data we have collected through our experience providing cyber insurance and cybersecurity.
People mainly buy cyber insurance for two reasons: to meet contractual requirements and to have a safety net in place in case of a data breach.
If you’re trying to meet a contractual requirement, you’re probably just looking for a policy that meets your potential customer’s or partner’s requirements and comparing prices. Cyber insurance can also play a role in regulatory compliance. One thing to consider in this case is whether your partner requires you to list them as an additional insured on your policy and whether they request a waiver of subrogation, as these options may impact your premiums.
If you’re trying to protect your business from the potential financial ruin of a data breach, you’re probably focusing more on the coverages to make sure they’re comprehensive. You’ll also want to evaluate optional coverages to see if they’re applicable to your specific business risks.
Insurance premiums are typically priced based on your risk. It’s important to evaluate your organization’s cyber risk profile ahead of time to understand where your gaps lie. That way you can implement stronger cybersecurity measures to reduce your risk and lower your insurance costs. These are some of the questions you should be asking yourself as you evaluate the risks your company faces:
1. Does your company collect or handle sensitive information like payment card information (PCI), personally identifiable information (PII), or protected health information (PHI)?
The more sensitive and regulated data that you collect, the more at risk your company is. It’s important to have strong, holistic risk management in place.
2. Is your customer information safe and secure?
Make sure you’re following best practices with regard to encryption, data storage, backup, and retention, as well as least-privilege access.
3. Does your business rely heavily on confidentiality?
Law offices and healthcare organizations rely heavily on confidentiality and collect and store a significant amount of sensitive data, making them prime targets for cyber attacks.
4. Do you have a website or a web application that interacts with customers and stores login or other sensitive data?
Web-based attacks are extremely common. Regularly scan your website and web applications for weaknesses that hackers exploit. You can do this with an automated web vulnerability scanner.
5. What third-party vendors do you use, and how much access do they have to your IT infrastructure and customer data?
You should hold your third parties to the same cybersecurity standards as your own organization, because you are exposed to the same threats they are exposed to. You might want to find coverage for mistakes made by third parties, as well as contractually require them to carry their own cyber insurance.
6. Do you allow your employees to bring their own devices?
If you do, you should have a BYOD policy in place and use a mobile device management solution. You should also train your employees on best practices when using personal devices for company purposes.
How much can you spend on your premium? Beyond that, do you have a rainy-day fund that can help you cover the cost of a cyber attack? The average cost of a data breach is around $150 per stolen record. Will your coverage limit cover enough of the costs that your financial burden is lessened?
If your coverage limit is appropriate, what can you, or are you willing to, pay for your deductible? This is similar to how you would evaluate an auto insurance policy. If you get into a car accident, are you comfortable paying the $1000 deductible before your insurance policy kicks in, or would you rather pay more on your premium for a $250 deductible?
Read through the terms, conditions, and exclusions of your policy carefully before you purchase. For example, what kind of triggers are there for coverage? A policy could focus on specific types of attacks or accidents rather than offering blanket coverage. This means that you wouldn’t qualify for coverage unless you met those triggers.
Are there any exclusions to your coverage that pertain to your business practices? For example, some policies may exclude coverage for incidents that occur on employee-owned (BYOD) devices. If you allow employees to bring their own devices, then a policy with a BYOD exclusion will not be appropriate for your organization.
You should seek insurance coverages based on your specific business needs. For example, if you must comply with the Payment Card Industry Data Security Standard (PCI DSS), you should find a policy that helps cover PCI fines and penalties.
Examples of cyber insurance coverages include, but are not limited to:
There are several key elements of cyber insurance coverage that most businesses need. These essential coverages include:
In addition to the key elements of cyber insurance coverage listed above, businesses in the market for cyber insurance should consider whether they require coverage in other areas such as:
Cyber insurance is the ultimate safety net for organizations should they experience a data breach. It transfers some of your risk to your insurance provider. However, cyber insurance is still a passive defense: it pays for losses after the fact rather than preventing them. It should complement a strong cybersecurity posture and program.
Ultimately, you’ll want to choose an insurance provider that grows with you and allows you to update your limits based on your needs. They should act as a partner. Here at Zeguro, we pride ourselves on our customer service. While the entire experience of buying cyber insurance with us is online for your convenience, if you have any questions or need assistance, our licensed team is here to help you find the best-fit insurance solution for your organization. You can start your quote today here.