Do Businesses Need Cyber Insurance, Downtime Insurance, or Both?

27th Apr 2021

By Tsafrir Oranski

The demand for cyber insurance has rapidly increased over the last decade. As digital transformation has become a top priority for businesses, cyber policies are now considered a real-world necessity, rather than a luxury purchase. Over the past year, cybercriminals have taken advantage of the pandemic, upping their attacks and exploiting security gaps that are continuously evolving now that remote working has become standard practice.

According to Statista, data breaches cost the affected businesses nearly $9 billion in related expenses. But even if your company has cyber insurance, is that policy enough to protect your financial risks?

In this post, we’ll take a deeper look into cybersecurity insurance, the reasons companies need it, and what else companies should have in their insurance arsenal in order to succeed in today’s digital-first environment.

The Two Main Risks Covered by Cyber Insurance Policies

Cyber insurance can be classified into two segments, each designed to cover a different set of losses.

First-party cyber insurance policies compensate a business for the cost of an attack that affects their business. Depending on the policy, it can also cover expenses related to restoring brand reputation, data recovery, or even experts that negotiate ransom payments.

Third-party cyber insurance functions differently. It serves to reimburse a business for the costs incurred by their clients due to a malware infection, data breach, or other types of attack.

For tech-first companies, both types of insurance have substantial value and should be considered.

Cyber Risks Are Growing Rapidly

Since the shift to remote work occurred, 46% of all businesses have experienced at least one cybersecurity threat, with the rate and sophistication of cyberattacks growing daily. And these attacks happen for various reasons, including data theft, corporate sabotage, political motivations, and financial gain. 

Companies need to put together a comprehensive cybersecurity plan that complies with company objectives, corporate requirements and government regulations to address these issues. Best practices should incorporate a security assessment to identify existing security gaps and determine the risks to the company’s day-to-day business operations.

Whether caused by a malicious attack from a third party or by an employee within the network, the repercussions of a cyber incident can be substantial. The financial loss and costs incurred to restore the network and the data and IP it holds add up, not to mention liability claims and the lasting impact on brand reputation.

How Cyber Insurance Protects Businesses

Cyber insurance provides an innovative risk transfer solution to exposures that are typically excluded from traditional commercial liability policies, such as Directors & Officers, Commercial General Liability, and Professional Indemnity. Although existing insurance policies can potentially provide some coverage, they are predominantly focused only on third-party exposures, failing to address the first-party costs and losses that can be sustained from a cyber incident. 

A solid cyber insurance policy is designed to minimize and mitigate these risks, and businesses across all sectors are beginning to recognize their importance in today’s increasingly complex and high-risk digital landscape.

Most cyber insurance policies provide coverage for the entire lifetime of the breach event including the damage incurred during the event and and the various costs that add up afterwards. Most insurance companies also provide some level of risk management services to help prevent claims before they even happen.

Here are some of the ways in which cyber insurance policies cover what happens before, during and after breach events:

  • Incident Response: Provides almost immediate access to expert support from IT forensics specialists, legal and PR teams.
  • Business Interruption: Covers income loss and increased working costs due to ransomware and DDOS attacks or operational errors that cause system interruptions or outages.
  • The Human Factor: Cover businesses for the most common causes of data breaches related to employees using low-quality passwords or carelessly by clicking on risky links or attachments.
  • Social Engineering: Include an inner limit of coverage for scenarios such as an employee giving out confidential information or funds transferred to a fraudster through a phishing email disguised as one from a trusted supplier.
  • Cyber Extortion: Provides the required expertise and support to negotiate with hackers and the required knowledge about hackers, malware variants, and the dark web, as well as payment of potential ransom demands.
  • GDPR and Notification of Personal Data Breach: Offers specialized legal advice regarding how to inform affected clients and covers the costs of the notifications in addition to credit monitoring assistance.
  • Network Security and Privacy Liability: Covers legal liability to third parties for incidents, including claims that arise from transmitting harmful malware to others,
    and claims for damages and distress as a result of a breach.
  • System Damage and Rectification Costs: Covers the costs to restore lost data and system applications, including staff overtime to re-enter or re-create data and the hiring of forensic and IT specialists that are needed to bring the business back online. 
  • Regulatory Costs, Fines and Penalties: Provides coverage to respond to and defend any regulatory investigation, and pay any fines and penalties imposed on the insured as a result.

Downtime Policies Fill the Cyber Insurance Gap

Although cyber policies cover many incidents that occur for a broad range of reasons, they still leave a significant open gap – coverage for IT downtime events.

As digital transformation becomes the norm, companies rely more heavily on third-party IT service providers for cloud services, web hosting, eCommerce platforms, CRMs, payment systems, and more. That leaves companies at the mercy of a third party as they are directly affected if the service provider has a downtime incident. 

Some cyber and business interruption policies have expanded to include coverage for IT downtime events such as cloud outages, but these have notable limitations. The coverage comes paired with a time-based deductible or waiting period, typically between 8 to 12 hours. Since most outages are shorter, they rarely meet this threshold, leaving companies with out-of-pocket losses that can add up to hundreds of thousands of dollars.

Insurance companies have found it challenging to cover third-party IT downtime incidents because of a lack of objective data regarding these events. Without clear and precise data such as when the downtime started and ended, what services it affected and to what extent, insurance companies couldn’t determine the accurate risks and pricing for such policies.

Introducing Parametric Downtime Insurance

Objective event- or index-based parametric models, based on 24/7 monitoring of all the relevant third-party services, are the ideal solution to bridging this insurance gap. They detect downtime events as soon as they occur, triggering the policy when the predetermined parameters (waiting periods, compensation per hour, services insured) are met without the need for claims adjustment or forensic investigations.

The benefits of parametric downtime insurance include:

  • Knowing the Payment Amounts and Triggers in Advance – With downtime insurance policies, the insured company determines, in advance, how much reimbursement it needs per hour and the thresholds it wants the policy to be based on. A company could construct their policy to be triggered after one hour, 11 hours, or anywhere in-between. This type of transparency, knowing all the variables and payments, enables the insured company to create a disaster recovery plan that it can easily follow should an event happen.
  • Hassle-free Claims – Parametric policies are objective and event-based by design, based on monitoring systems that capture any event that occurs, tracking it from the first millisecond until its resolution. This means that when an event occurs, there is no need to calculate losses and damages or deal with insurance claim adjusters. Instead, the claim is triggered automatically, eliminating the need for costly and time-consuming forensic investigations. This helps keep premium costs low, so savings can be passed on to the customers. Additionally, these policies do not have financial deductibles or restrictions, allowing companies to use the funds in any manner they see fit.
  • Coverage for SLA Agreements – Every company has SLA agreements with its customers, yet more traditional insurance policies only cover the damage to the business itself, leaving the business to use reserves to cover its SLAs. Since parametric policies allow companies to determine how much an hour of downtime costs them, the policy can be constructed to cover contractual liabilities like SLAs within that hourly amount.
  • Fast and Reliable Compensation – With no investigation needed and no requirement to prove damages, policies payout quickly after the event. This approach gives businesses the ability to recover almost immediately, stopping the snowball effect of losses piling up. 

Do Companies Need Cyber and Downtime Insurance?

Companies face an ever-growing number of online risks these days. To mitigate them as much as possible they need a combination approach that includes a cyber insurance policy and a downtime insurance policy that covers their third-party IT services, as well as redundancy measures. 

If a company has any cyber exposure, skipping cyber insurance is a mistake that can cost them dearly. B2B companies have responsibilities to their customers, investors, and partners, all of whom will most likely require them to have this type of policy and protection. 

In terms of downtime insurance that’s included in cyber policies, however, the current form is usually not a compelling offer due to long waiting periods, extended claims adjustment processes, and limits on payment usage. This leaves companies exposed to the financial repercussions of uncontrollable third-party downtime, whether caused by a cyberattack or any other trigger.

But now businesses have access to parametric downtime insurance policies which provide a simple and cost-effective solution that is relevant to everyone from SMBs to enterprises. They are an excellent addition to existing cyber policies, rounding out online coverage to include both first-party and third-party risks.

[ Downtime Happens | Are you covered for damages? | Learn more ]