What is cyber insurance and why do you need it?

Posted: 06/08/2022 | By: Jeff Zaba

Buying insurance for your business is never easy. Unless you’re a lawyer in your spare time, reading terms and exclusions is right up there with getting wisdom teeth pulled. Now, imagine searching for cyber insurance to protect your business from the impact of cyberattacks. Major companies find cyber insurance very confusing themselves, so it’s no surprise that sorting through options for your own business is confusing too. As The New York Times reported in 2019, leading brands like Merck sued their insurance companies because cyberattacks were deemed an “act of war” instead of the usual business disruption.

Fortunately, the cyber insurance market has become more straightforward in the past few years, as insurers carefully define coverages, terms, and exclusions. Insurers (and you, no doubt) have also learned much more about cyberattacks in the past few years, which means MSPs can put more protections in place to either block attackers or minimize the damage from attacks. Here’s your primer on cyber insurance if you’re in the market for it, why you need it, and which risks it covers. 

What is cyber insurance? 

Cyber insurance, also known as cyber-liability insurance, helps protect organizations from the effects of a cyberattack, often including both the disruption to the business (such as days lost to serving customers) and the financial impact (such as the cost of lost business). By having a cyber insurance policy in force, your business can ride out the difficult period during and just after a cyberattack, at least in terms of covering the bills that result from a successful attack.  

While you can’t 100% prevent a cyberattack from occurring, you can insulate your business from the worst of the effects.  

Why does your business need cyber insurance? 

In general, businesses need cyber insurance if they do business online (just about everyone these days), use technology to conduct their business, or send or store electronic data. MSPs certainly meet the latter definition, as they usually have access to their customers’ data. 

The need for cyber insurance becomes more pressing if your business has access to sensitive data. And let’s face it, most of the data you manage or interact with on behalf of your customers probably falls into the “sensitive” category, such as financial or personal information. Such data can be highly attractive to online criminals, which is why ransomware attacks have become so common. The bad guys know the value of the information they can steal from businesses. 

Business owners worldwide are worried about ransomware attacks. According to Zurich’s October 2021 Information Security and Cyber Risk Management Survey, most of their business respondents (80%) said they feel “very prepared” or “moderately prepared” to face a ransomware event. Another 7% described themselves as “extremely prepared” for a ransomware event.  

However, survey respondents also worried that they wouldn’t be able to blunt the full impact of a ransomware attack. Forty-five percent of respondents said business interruption would be the worst outcome of a ransomware event, followed by 21% who cited reputational harm. 

What risks does cyber insurance cover? 

Cybersecurity insurance usually covers “first-party” losses, which means losses incurred by the insurance buyer. As the Federal Trade Commission explains in its briefing on cyber insurance, “First-party cyber coverage protects your data, including employee and customer information.”  

First-party coverage can (but does not always) include:

  • Recovery and replacement of lost or stolen data: A cyber insurance policy usually covers a business’s costs to recover any data damaged or made inaccessible by a cyberattack. 
  • Customer notification and call center services: If your customers’ personally identifiable information (PII) was exposed as part of a cyberattack on your business, you would likely be required to notify all of your customers about the data breach. Your insurance could cover the cost of such outreach.  
  • Attack remediation: The insurance policy can cover the costs of hiring forensic data experts who can recover data—for example, in a ransomware attack where attackers have locked down data. 
  • Legal costs and fines: If the attack results in a violation of privacy or regulatory policies, the insurance policy could cover fines, penalties, and expenses for legal representation. 
  • Lost income due to business interruption: Insurance may cover the lost income if the attack is bad enough to force you to close your business for weeks or months. 
  • Repair to technology systems: The cost of repairing or replacing hardware and software damaged by a cyberattack could also be covered. 
  • Ransom demands: If a ransomware attacker demands a ransom and your business pays that ransom, the cost would typically be covered by insurance. 

What’s not usually covered by cyber insurance?   

Cyber insurance will usually exclude coverage for online attacks that could have been easily prevented—so you don’t want to lose out on reimbursements because of haphazard cybersecurity practices. Typically, the exclusions are for attacks that were caused by human error or negligence, such as these: 

  • Poor cybersecurity processes: If you and your employees don’t prioritize applying cybersecurity patches or managing network access, that’s a red flag to insurers.
  • Insider attacks: If one of your employees was behind a cyberattack and a corresponding loss or data theft, insurers won’t cover the event.
  • Preexisting vulnerabilities: If there’s a known vulnerability in your software or hardware, and you didn’t do anything about it, insurers won’t pay up.
  • Improvements: While insurers usually cover the repair or replacement of technology systems to bring them back to the state they were in before the attack, they usually won’t cover enhancements to strengthen your cybersecurity. That’s on your dime.

How do you find cyber insurance? 

As mentioned earlier in this article, even huge companies struggle to obtain and understand cyber insurance. The search process may be even more challenging if you’re a midsized or small MSP. Before you search for insurance, you may need to assess your risk footprint thoroughly, along with how to reduce it, since underwriters will want to know the likelihood of a cyberattack and how damaging an attack would be.

Another thing to research is whether you should obtain a stand-alone cyber insurance policy or whether you can obtain adequate cyber insurance within an existing policy. You may find that there are slightly more stand-alone policies than there used to be, since insurers want to better define the risks and coverage for fast-moving cyberthreats. According to Zurich’s Information Security and Cyber Risk Management Survey, over 83% of its respondents now buy cyber insurance, with 66% carrying stand-alone cyber insurance policies.

Be realistic about cyber insurance 

Keep in mind that there are impacts that cyber insurance can’t protect your business from. You’ll have to make sure you understand exactly what’s covered—and perhaps more important, what isn’t covered. While having some form of cyber insurance in place can help your business ride out an attack, in the end, your insurer isn’t responsible for your business’s cybersecurity. You and your employees are. 
