Companies of all sizes across industries can be targets. Meghan Hannes, cyber and technology errors and omissions product head at Hiscox USA, a company specializing in insurance for small businesses, says she was once asked if a taco stand needed cybersecurity insurance.
“I said, ‘Well, does your business operate on a solely cash basis? The answer is probably not. If you have any reliance at all on some sort of electronic system, then you are exposed to the harms that ransomware can cause your business.’”
Beyond extortion events, other incidents, such as employee errors or accidental data disclosures, can also expose customers’ data. Although these may not be the work of bad actors, they are still events that businesses need to protect themselves against.
What Does Cybersecurity Insurance Cover?
Specific insurance plans vary by carrier. Companies can choose to get cybersecurity insurance as a stand-alone policy or have it included in a package with other types of insurance coverage.
Hannes says that generally, cyber insurers will cover third-party liability in the event of a lawsuit, as well as the costs to recover from a cybersecurity incident. The financial impact of a hack or data breach could be “crippling,” especially for small and midsized businesses, says Tim Francis, enterprise cyber lead at Travelers, which has one of the largest market shares in this space.
“It may essentially cause the company to close its doors. It doesn’t usually get that severe, but it certainly could,” he says. Francis adds that this can especially be the case when ransomware is involved, with even small companies receiving multimillion-dollar demands.
If companies are forced to pay the ransom, cybersecurity insurance can help with reimbursement. But that’s often only a fraction of the total cost of losses, Francis says. There are also income losses incurred during downtime and costs for repairs to systems.
“The forensics costs, the notification costs, the data restoration to try to bring back what was compromised — all of that adds up pretty quick,” he says.
Cybersecurity insurers can also help connect companies to experts in the field to help them through an attack or breach, including incident response teams that can help get systems back online. Insurance companies may also send in breach coaches that provide legal counsel to the customer and other services many companies don’t have in-house.
Francis says that this is where cyber insurance is different from other types of insurance.
“We’re involved immediately,” he says. “If we’re talking about property insurance and a building is on fire, the first call is not the insurance company. Call the fire department, right? Put the fire out. In the context of cyber, the insurer — the carrier — can, in essence, be the equivalent of the fire department.”
Cyber insurers also have a role to play in educating businesses on cybersecurity best practices.
At Hiscox, Hannes says, the “community” that consumers get when they purchase a cybersecurity insurance policy includes not only post-breach response services, such as incident response and breach coach teams, but also an array of educational materials and employee training on how to spot potential cybercrime activities.
What Are the Requirements of Cybersecurity Insurance?
When cybersecurity insurance first came on the scene, companies saw it as an opportunity to cross-sell products, offering expanded coverage at decreased rates as they tried to gain market share. However, they often did so without a lot of expertise in the area, says Mario Paez, national cyber leader at Marsh McLennan Agency, a risk management firm and insurance broker.
“If you simply had your name, office location and your web address, you could get a quote,” he says. Now — and especially over the past 18 months as the market is hardening — insurers will require supplemental forms to help get a clearer picture of a company’s security posture, and policies come with prerequisites.
“One example is multifactor authentication. If you do not have that implemented within your IT environment, it could preclude you from getting coverage,” Paez says.