Cyber insurance isn’t a “get out of jail free” card — but if cybercriminals come for your business, it could be the difference between sinking and surviving.
Compared with other types of insurance, cyber coverage is pretty new. It’s been around 15-20 years, and the Insurance Journal estimates that nationwide, only 15-20 percent of small businesses carry it.
But Colorado Springs experts say every business should have cyber insurance, and small and medium-sized companies are no exception. With ransomware rampant and cybercriminals growing more sophisticated, a cyber breach is now a “when, not if” scenario.
Setting aside the costs of mandatory breach notifications, fines and legal fees, mitigation alone can run easily into the tens of thousands of dollars for a small business. And none of it is covered by general liability, property or umbrella policies.
“I think [many businesses] are probably unaware that that is not covered as part of their regular insurance, and that’s probably the greatest reason they don’t have cyber insurance,” said Shawn Morland, Navakai co-founder and technology adviser. “If they were all aware of that, they would probably get it.”
So what is cyber insurance and why does it matter? To find out, the Business Journal talked with Morland; Todd Morris, senior vice president at CB Insurance; Doug DePeppe, cyberlaw attorney at EosEdge Legal; and Chris Fagnant, president at Qualtek Manufacturing.
What is cyber insurance?
Cyber insurance — also known as cyber liability insurance, cyber risk insurance or data breach insurance — is designed to help offset the costs of recovery after a cyber-related security breach.
Morris listed some of the costs cyber insurance can help cover:
• mitigation after unauthorized access or privacy breach (usually via hacking);
• recovery from ransomware attacks (to include recovery of compromised data and repairing damaged systems);
• notifying customers and other affected individuals about a data breach;
• credit monitoring for individuals whose information has been compromised;
• forensic investigation of the breach; and
• legal defense costs and damages.
The legal risk and costs can’t be underestimated.
“Beside having cover for the immediate risks from prevalent attacks like ransomware, the catastrophic risk would be litigation exposure from a major data breach,” DePeppe said in an email. “In cyberspace, the litigation risk presents virtually incalculable risk exposure. That’s because a cyberattack can create substantial damages to third parties. A good cyber policy can cover these third party risks. What if the breached company’s negligence directly caused the subsequent breach of a partner and its loss of valuable intellectual property, like a new invention? That level of liability exposure would be catastrophic for most companies.”
Who needs it?
“The reality is any organization who does business over the internet or who has customer, employee, partner, [or] vendor personal identification information on their systems will have what we call a cyber exposure,” Morris said. “…Any organization that has information or money is a target for bad actors.”
DePeppe described cyber insurance as “a must-have component of a company’s approach to its cybersecurity plan.
“It may be a bit like having auto breakdown protection, that some people need to lose network access and file access from a ransomware attack to learn their lesson,” he said. “But proper due diligence and risk analysis should ordinarily point toward having a cyber policy.”
Why does it matter?
Fagnant can answer that. He’s been speaking out about cyber insurance since Qualtek was hit by a ransomware attack in August 2017. The manufacturing company faced chaos while it scrambled, with the help of five other organizations, to pay a $4,850 ransom, secure its systems and get back to work.
The hackers held half a year’s worth of data hostage, along with everything else on Qualtek’s server: digital work instructions, accounting software, email, and the manufacturer’s material requirements planning system, which included order entry, invoicing, work order generation, shipping and documentation.
The cost of recovering from the ransomware attack: $45,000-$50,000. Qualtek, which had secured cyber insurance a couple of months before the attack, paid only a $10,000 deductible.
Fagnant said Navakai came on board to guide Qualtek’s recovery after a couple of failed attempts with other organizations in the early hours of the ransomware fallout. Morland said it’s common for companies hit by cyber attacks to have no idea where to begin their mitigation efforts.
“I think most of them don’t realize what’s involved in the recovery, what the extent of damage is and what it’s going to take to get it back,” he said.
He recommends coverage to all his clients, and he’s seen businesses saved by cyber insurance, too.
“I worked with a company recently that was hit with a variant of cryptolocker,” he recalled. “They did pay the ransom for their servers — they had two of them — but for the 50 computers they elected not to pay the ransom because it wasn’t covered by cyber insurance. What they did elect to do was just rebuild them all, and that was about $50,000 in mitigation damage that was covered by cyber insurance.”
For a lot of businesses, that’s the difference between staying afloat and going under.
“I know most companies do not have dollars or budgets set aside to handle a cyber incident, and that’s where cyber insurance comes in,” Morland said.
This sounds expensive
At the moment, it’s not.
“[Cyber insurance] is relatively inexpensive,” Morland said. “I want to say that even for a $2 million policy, which I think is what we’ve got, it’s on the order of $1,000 a year.”
“The good news is, there are quite a few insurance carriers who want to play in this space,” Morris said. “And because there are so many carriers who want to get into the cyber insurance industry, it helps to keep pricing down and it helps keep coverage competitive.”
Insurance Journal’s analysis of cyber policies sold 2015-2017 backs that up: “The cyber market is intensely soft as many carriers are fighting for market share … Despite the high volume of breaches occurring, there is an unusually competitive environment right now.”
Morris estimates a 30-35 percent increase in the number of cyber policies he’s selling now, compared with five years ago.
“Most carriers will sell a cyber policy starting at a million dollar limit and then it will go up by a million-dollar layer each time,” he added. “Depending on the organization, you could have a premium that’s anywhere from $1,000 to $1,500 based upon your exposure. Probably the most expensive cyber policy that I’ve ever sold is just under $20,000. So for a million-dollar limit that’s pretty small.”
Morland, Morris and Fagnant urge businesses not to look at cyber insurance as a “get out of jail free” card, or an excuse to shift responsibility for cybersecurity on to insurance.
“Even if you’ve got it, you should elevate your security practices no matter what,” Morland said. “One thing I preach a lot to our clients, is that we all take for granted that because nothing’s happened to us, our security must be fine. I think most businesses probably underestimate it — the security measures they put in place are just not enough.”
Even with insurance, it’s critical for businesses to assess their risk exposure and make a plan for how they’ll respond to a cyber incident or breach, Morris said.
“We’ve found organizations that have had an incident occur just do not understand the internal drain on resources it takes to address a situation until it has happened,” he said. “For most organizations that’s been the biggest impact that they were not prepared for.”
“It is like any other type of insurance,” Fagnant notes. “Even if you have it, you need to understand how it works — what is covered, what isn’t, and how you need to be prepared to document what happened in a crisis situation. For us, we likely missed out on some of the coverage because we did a lot of the fixes ourselves in the aftermath, where if we had hired an outside firm to make the fixes it would have been clearly attributable to the event and thus covered. But because it was labor we had on the payroll, it wasn’t. Little things like that can add up and cost you thousands.”
Disclosure: Navakai is a vendor to the Colorado Springs Business Journal.