The data breach has been around as long as stored data itself. But what may have been a random annoyance 15 years ago can now bring small companies, global conglomerates and even some of the largest cities in America to their knees.
According to the Cost of a Data Breach Report 2023 jointly released by IBM and the Ponemon Institute, the average expense associated with a data breach has surged to a historic peak of US$ 4.45 million in 2023. This represents a 2% rise when compared to the figure of US$ 4.35 million reported in 2022.
Clearly, enterprises are in dire need of solutions to mitigate the financial impact of intrusions, but their options are dwindling.
Private insurers, for example, are backing out of the market by excluding some of the most high-level cyberattacks from being covered by insurance policies. Moreover, many enterprises are realizing that they’re not able to adequately control cyber risk across the entire attack surface, with research showing that 83% of organizations report they aren’t adequately protected against digital threats.
This is where cyber insurance comes in. It's one thing to build an infrastructure to proactively safeguard your company's network, but it's an entirely different matter to cover the expenses and services you need after suffering an attack. Let's take a closer look at this modern phenomenon of cyber insurance and how it can apply to your organization.
Cyber insurance dates back to the 1990s when a growing number of ecommerce companies sought to protect themselves from the risk that hackers would disrupt their websites. More recently, the US has seen significant growth in cyber insurance due to strict data protection laws and penalties for data breaches, prompting companies to invest in coverage.
Cyber insurance serves as a specialized shield for organizations, guarding them against financial consequences stemming from tech-centric threats like data breaches, ransomware, and unauthorized access. In many cases, it also encompasses other relevant areas such as business interruption and cyber extortion as well as losses caused to others. For example, if a company falls victim to a data breach, its cyber insurance policy could help them cover the cost of legal fees, PR and hiring experts to identify the cause of the breach to prevent future attacks. These kinds of threats are typically not accounted for with traditional insurance policies.
IBM's report highlights the staggering costs associated with data breaches, emphasizing four key expense categories: lost business, detection and escalation, post-breach response, and notification. Among these, the costliest is detection and escalation, surging from $1.44 million to $1.58 million. This category covers activities facilitating breach detection, including forensics, assessments, crisis management, and communication with executives and boards. Conversely, lost business costs, encompassing disruptions, revenue losses, customer acquisition, and reputation damage, decreased to $1.30 million in 2023.
To put it simply, it has become abundantly clear why companies obtain cyber insurance – it's not just a safeguard, but a critical lifeline protecting businesses from the financial abyss that data breaches can create.
WHAT DOES CYBER INSURANCE COVER?
For starters, think of cybersecurity insurance for your organization as an essential business practice, similar to, let's say, fire insurance. To be eligible for most policies, you must already have some form of protection in place, like setting up smoke detectors, sprinklers, and fire alarms. However, unlike fire safety, cybersecurity has not been defined in any static, meaningful manner as the technology landscape and the threats are constantly evolving.
So, the onus falls on you to understand the policy's language to assess the extent of coverage it provides for different types of cybercrimes. When a cybersecurity breach happens, organizations can face repercussions in four major areas: costs associated with business disruption and restoration, ransom payments, legal responsibilities, and litigation.
Most cyber insurance providers are likely to factor in the financial costs associated with a data breach, and in some instances, they may even incorporate event management, data restoration, third-party costs, network interruption, and extortion. A few also offer an expanded policy that covers business interruption, property damage, physical industry, and product/completed operation coverage, but these are rather rare. But the most bare-bones policies may only cover the cost of the ransom, which usually pales in comparison to the catastrophic business losses you suffer due to cybercrime.
An effectively designed cyber insurance policy will crisply detail each covered category. Additionally, it will lay out both the requisite risk evaluations and mandated systems and controls for ensuring policy adherence, including any specific exclusions. However, keep in mind that you might encounter several scenarios in which your insurer refuses coverage in case of a cybersecurity event, such as failure to maintain or acts of war.
According to the US Department of the Treasury, some insurers have adjusted their strategies to balance their risk. This may involve setting caps on claim payouts after cyber incidents or raising premium amounts to buffer against potential losses. Particularly for small to medium-sized enterprises, there's a focus on offering safeguards against threats like cyber extortion, restoring lost data, interruptions to business operations, and electronic fraud.
As a result, companies need to choose a policy that aligns with your unique requirements, with an eye toward preventing unnecessary spending on coverage or potential gaps in protection.
Cybercrime is no longer a threat only to large enterprises.
While larger organizations may be able to invest in sophisticated cybersecurity systems and strategies, smaller organizations that may be less prepared to guard against cyberattacks are now on the chessboard. The truth of the matter is that modern cyberthreats are simply too complex for small-to-medium businesses to address with complete consistency. That’s why many providers build insurance packages for small and mid-sized organizations, offering coverage against cyber extortion, data recovery, business interruption and e-crime.
Smaller businesses may also mitigate cyber risk by utilizing tools and coverage that can help before, during and after a security incident, leveraging services like digital forensics and incident response. At the same time, a smaller business may not need every type of coverage offered by cyber insurance providers either. They need to assess the largest risks associated with their business and invest in a plan accordingly. Purchasing more insurance doesn’t necessarily mean you’re more protected.
Here are some key reasons why companies are investing in cyber insurance as of late:
Though cyber insurance may seem like a luxury rather than a necessity, businesses should keep in mind that the cost of coverage will always be far lower than the cost of a breach.
Cyber insurance plays a critical role in reducing the exposure to these evolving risks, particularly as more and more organizations migrate data to the cloud and support remote work environments.
Given the significant surge in cybersecurity incidents in recent years, the demand for cyber insurance has reached unprecedented levels. However, as cyber expenses continue to rise — and the possibility of severe financial losses in extensive attacks looms large — numerous insurers are reassessing their vulnerability to such losses, raising premiums and imposing more restrictive coverage terms.
Rising costs are not the only concern though. As we discussed earlier, compared to traditional insurance policies, cyber security insurance coverage can vary widely between providers. Coverage specifics for cybersecurity insurance are far from uniform. Given its novelty, the industry hasn't reached a standardized approach. This means every provider tends to have its unique policy terms and conditions, potentially making policy comparisons and comprehension challenging for potential clients.
At GSI, Inc., we deliver security rating tools and continuous monitoring to help you maintain a robust cybersecurity stance, not to mention remediation services to effectively address any potential vulnerabilities across your business.
Moreover, through GSI’s proprietary tool Bitsight and its Cybersecurity Ratings, we’re able to mitigate risks and reduce insurance premiums on behalf of our clients. Bitsight provides insurers with a comprehensive understanding of an organization's cybersecurity stance, enabling precise underwriting decisions, accurate policy pricing, and effective risk management.
To learn more about how GSI’s cybersecurity practice can help, please contact us today.