Average data breach costs rose to $4.24 million for companies surveyed globally in IBM’s 2021 Cost of a Data Breach Report. That’s a 10% increase between 2020 and 2021. In companies where remote work played a role in breaches, the average was more than $1 million higher. On average, costs in the United States are more than double the global average.
For this reason, many Nebraska SMBs like yours are turning to cyber insurance to protect themselves from the adverse effects of data breaches and other cyber attacks.
Today, purchasing a cyber policy should be an important part of your risk management and business continuity plan. But what do you need to know when making this purchase for your business?
1. Is Cyber Insurance Right for My Business?
Cybersecurity must be incorporated when building an IT budget in 2021. But what about cyber insurance? In our experience, the short answer is yes, cyber insurance is a smart choice for all businesses. All small and midsize businesses that use technology, collect data, and have a remote or hybrid workforce are at risk of a cyber attack or data breach. Too many business leaders underestimate how sophisticated and expensive breaches and attacks can get.
According to the 2019 Travelers’ Risk Index, small business victims of cyber attacks increased by 200%, and yet only 51% of the total businesses surveyed had purchased cyber insurance. The pandemic’s effects have pushed these statistics even higher.
So, is cyber insurance right for your business? To help you arrive at a definitive answer, gather your leaders and discuss the following questions:
- Do we collect or store any of our clients’ or employees’ personal information? If you do, you will want to purchase cyber insurance.
- If our data and documents were stolen or locked, would it severely cripple business operations? For most, the answer would be yes, but identifying the impact is important.
- Does our industry require data protection or data privacy certifications like ISO/IEC 27001 or ISO/IEC 27701? You may be required to purchase a policy as part of the certification process.
- What would and could we do if we experienced a cyber incident today? How a company responds to a cyber attack or a data breach can make or break a business.
In our experience, it is also wise to adequately prepare by evaluating your company’s risk profile prior to speaking with an agent about purchasing a policy.
2. Evaluate Your Risk Profile
According to data collected by BairdHolm in their Third Annual Report on Cybersecurity in Nebraska, in 2020 the number of breaches reported increased by 27%. The report also stated that cybercriminals are choosing targets based on vulnerabilities in systems rather than solely on company size or the number of records they could access.
More and more of your customers will likely adapt to remote work for the foreseeable future, and they will continue communicating with you digitally rather than in person. So, we recommend that your IT department evaluate your organization’s risks, identify gaps, and adjust your IT budget to meet these new demands. Filling these gaps can also ensure you are more resilient in the face of any potential threats and can ultimately help reduce overall cyber insurance premiums.
Here are some questions to discuss with your IT partner that will help you assess your company’s risk:
- Do we have holistic risk management in place for the personal information we collect on our customers and employees?
- Are we following data encryption, storage, backup, and retention best practices?
- Do we regularly update our applications and secure our website to eliminate weaknesses cybercriminals can exploit?
- Do we have a policy in place for third-party vendors, and have we included the appropriate verbiage in our contracts with them?
- Do we hold regular training for staff in all departments, to ensure we are all complying with our device and security policies?
Like any other insurance policy, cyber insurance premiums are higher for companies that are at greater risk of an attack than those that have achieved and maintained a low-risk profile. In our experience, it’s important to supply your business with the resources you need to constantly and consistently monitor your systems to prevent risks. A managed security service provider like CoreTech can help. We also recommend implementing security awareness training for all employees.
3. What Requirements Does a Business Need to Meet?
Your cyber insurance provider will assess your company’s risk before extending a policy. Sometimes, companies that are too high-risk will not even qualify. Other times, companies may be able to secure a cyber insurance policy, but then relax their security measures and default on the policy’s requirements. For this reason, it is important that you make sure your business is well-equipped to consistently and constantly assess your risk and your compliance with the policy.
The bottom line is that purchasing cyber insurance is not a “set it and forget it” solution. Your IT provider will need to be constantly aware of new tools and resources which will help you stay compliant. In addition, you and your IT provider need to be aware of what the policy does and does not cover, so that when a breach does occur, your policy actually kicks in to protect you. Equipping your business for these tasks may mean hiring a managed service provider like CoreTech.
4. What is Covered by the Policy?
Your insurance company may offer separate policies for data breach insurance and cyber-liability insurance. We recommend you always ask your business insurance agent questions about what is covered and read the fine print before purchasing any policy. However, in general, cyber insurance policies often cover the costs of legal expenses, forensic expenses, and public relations expenses related to cyber attacks, as well as regulatory fines and penalties, credit monitoring, and ID theft repair.
Other expenses a cyber insurance policy may help cover include a loss of income from a network outage. However, lost income or financial damage from loss of intellectual property isn’t generally covered. Intellectual property is an extremely valuable intangible asset that your security and risk management plan should especially protect. Another cost not covered by a cyber insurance policy is the reputational cost to your business following an attack. In other words, you may lose business following an attack, and this lost revenue is not something a policy will cover.
CoreTech is here to help your business make sure the right tools, resources and training are in place to meet your cyber insurance policy requirements. Explore our options here and book a call with one of our experts to learn more about great partners for cyber insurance.