By Tsafrir Oranski
The demand for cyber insurance has rapidly increased over the last decade. As digital transformation has become a top priority for businesses, cyber policies are now considered a real-world necessity, rather than a luxury purchase. Over the past year, cybercriminals have taken advantage of the pandemic, upping their attacks and exploiting security gaps that are continuously evolving now that remote working has become standard practice.
According to Statista, data breaches cost the affected businesses nearly $9 billion in related expenses. But even if your company has cyber insurance, is that policy enough to cover your financial risks?
In this post, we’ll take a deeper look into cybersecurity insurance, the reasons companies need it, and what else companies should have in their insurance arsenal in order to succeed in today’s digital-first environment.
Cyber insurance can be classified into two segments, each designed to cover a different set of losses.
First-party cyber insurance policies compensate a business for the cost of an attack that affects its own operations. Depending on the policy, they can also cover expenses related to restoring brand reputation, data recovery, or even experts who negotiate ransom payments.
Third-party cyber insurance functions differently. It serves to reimburse a business for the costs incurred by their clients due to a malware infection, data breach, or other types of attack.
For tech-first companies, both types of insurance have substantial value and should be considered.
Since the shift to remote work occurred, 46% of all businesses have experienced at least one cybersecurity threat, with the rate and sophistication of cyberattacks growing daily. And these attacks happen for various reasons, including data theft, corporate sabotage, political motivations, and financial gain.
To address these issues, companies need to put together a comprehensive cybersecurity plan that complies with company objectives, corporate requirements and government regulations. Best practices should incorporate a security assessment to identify existing security gaps and determine the risks to the company’s day-to-day business operations.
Whether caused by a malicious attack from a third party or by an employee within the network, the repercussions of a cyber incident can be substantial. The financial loss and costs incurred to restore the network and the data and IP it holds add up, not to mention liability claims and the lasting impact on brand reputation.
Cyber insurance provides an innovative risk transfer solution to exposures that are typically excluded from traditional commercial liability policies, such as Directors & Officers, Commercial General Liability, and Professional Indemnity. Although existing insurance policies can potentially provide some coverage, they are predominantly focused only on third-party exposures, failing to address the first-party costs and losses that can be sustained from a cyber incident.
A solid cyber insurance policy is designed to minimize and mitigate these risks, and businesses across all sectors are beginning to recognize its importance in today’s increasingly complex and high-risk digital landscape.
Most cyber insurance policies provide coverage for the entire lifetime of the breach event, including the damage incurred during the event and the various costs that add up afterwards. Most insurance companies also provide some level of risk management services to help prevent claims before they even happen.
Here are some of the ways in which cyber insurance policies cover what happens before, during and after breach events:
Although cyber policies cover many incidents that occur for a broad range of reasons, they still leave a significant open gap – coverage for IT downtime events.
As digital transformation becomes the norm, companies rely more heavily on third-party IT service providers for cloud services, web hosting, eCommerce platforms, CRMs, payment systems, and more. That leaves companies at the mercy of a third party as they are directly affected if the service provider has a downtime incident.
Some cyber and business interruption policies have expanded to include coverage for IT downtime events such as cloud outages, but these have notable limitations. The coverage comes paired with a time-based deductible or waiting period, typically between 8 and 12 hours. Since most outages are shorter, they rarely meet this threshold, leaving companies with out-of-pocket losses that can add up to hundreds of thousands of dollars.
Insurance companies have found it challenging to cover third-party IT downtime incidents because of a lack of objective data regarding these events. Without clear and precise data such as when the downtime started and ended, what services it affected and to what extent, insurance companies couldn’t determine the accurate risks and pricing for such policies.
Objective event- or index-based parametric models, based on 24/7 monitoring of all the relevant third-party services, are the ideal solution to bridging this insurance gap. They detect downtime events as soon as they occur, triggering the policy when the predetermined parameters (waiting periods, compensation per hour, services insured) are met without the need for claims adjustment or forensic investigations.
The benefits of parametric downtime insurance include:
Companies face an ever-growing number of online risks these days. To mitigate them as much as possible they need a combination approach that includes a cyber insurance policy and a downtime insurance policy that covers their third-party IT services, as well as redundancy measures.
If a company has any cyber exposure, skipping cyber insurance is a mistake that can cost them dearly. B2B companies have responsibilities to their customers, investors, and partners, all of whom will most likely require them to have this type of policy and protection.
In terms of downtime insurance that’s included in cyber policies, however, the current form is usually not a compelling offer due to long waiting periods, extended claims adjustment processes, and limits on payment usage. This leaves companies exposed to the financial repercussions of uncontrollable third-party downtime, whether caused by a cyberattack or any other trigger.
But now businesses have access to parametric downtime insurance policies which provide a simple and cost-effective solution that is relevant to everyone from SMBs to enterprises. They are an excellent addition to existing cyber policies, rounding out online coverage to include both first-party and third-party risks.