Backblaze Inc.

10/09/2024 | Press release | Distributed by Public on 11/09/2024 05:53

What Is Cyber Insurance

The first cybersecurity insurance policy was issued in 1997. In the following 27 years it's grown from a niche insurance product to an important consideration for organizations large and small to protect their bottom line from cyber threats like malicious data breaches, malware, phishing attacks, and ransomware.

While there are many security tactics to deploy in order to maintain business continuity (BC) should any of the above happen, getting back up and running in the event of a security incident can cost time and money. Cyber insurance is one way to reduce fallout from security events, prepare your business, and support business continuity objectives.

Today, we are breaking down the basics of cyber insurance: What is it? How much will it cost? What do cyber insurance companies provide? And how do you get it?

Does my organization need cyber insurance?

Cyber insurance has become more common as part of BC planning. Like many things in the cybersecurity world, it can be a bit hard to measure precise adoption numbers because there are different industry associations, enforcement agencies, and so on in different geographic markets. According to Fortune Business Insights, the global cyber insurance market size was valued at $16.66 billion in 2023. The market is projected to grow from $20.88 billion in 2024 to $120.47 billion by 2032, exhibiting a compound annual growth rate (CAGR) of 24.5% during the forecast period.

Take a look at these three data points in cybersecurity risk:

  1. According to a 2023 Ransomware Market Report, global ransomware costs are predicted to reach $265 billion annually by 2031, up from $20 billion in 2021.
  2. According to IBM, the average cost of a data breach in the U.S. is $4.88 million, up 10% over 2023.
  3. Fifty-nine percent of organizations were hit by ransomware in the last year, according to Sophos' State of Ransomware 2024 report.

Whether your company is a 10-person software as a service (SaaS) startup or a global enterprise, cyber insurance could be the difference between a minor interruption of business services and closing up for good. However, providers don't opt to provide coverage for every business that applies for cyber insurance. If you want coverage (and there are plenty of reasons why you would), it helps to prepare by making your company as attractive (meaning low-risk) as possible to cyber insurers. Some cyber insurance providers like Coalition even offer assistance and services to reduce your cyber risk posture before an attack as part of a "whole package" approach.


What is cyber insurance?

Cyber insurance protects your business from losses resulting from a digital attack. This can include business income loss, but it also includes coverage for unforeseen expenses, including:

  • Forensic post-breach review expenses.
  • Additional monitoring outflows.
  • The expenditure for notifying parties of a breach.
  • Public relations service expenses.
  • Litigation fees.
  • Accounting expenses.
  • Court-ordered judgments.
  • Claims disbursements.

Cyber insurance policies may also cover ransom payments. However, according to expert guidance, it is never advisable or prudent to pay the ransom, even if it's covered by insurance.

There are a few reasons for this:

  1. It's not guaranteed that cybercriminals will provide a decryption key to recover your data. They're criminals after all.
  2. Even with a decryption key, you may not be able to recover your data. This could be intentional, or simply poor design on the part of cybercriminals. Ransomware code is notoriously buggy.
  3. Paying the ransom encourages cybercriminals to keep plying their trade, and can even result in businesses that pay being hit by the same ransomware demand twice.
  4. Ransom payouts may be illegal. Certain states make it illegal for local government entities to pay ransoms. Federally in the U.S., it's illegal to make payments to individuals, organizations, regimes, and sometimes entire countries that are on the sanctions list, and some cyber crime groups are certainly on that list.

Ultimately, the most effective way to undermine the motivation of these criminal groups is to reduce the potential for profit.

Types of cyber insurance

What plans cover and how much they cost can vary. Typically, you can choose between first-party coverage, third-party coverage, or both.

First-party coverage protects your own data and includes coverage for business expenses related to things like recovery of lost or stolen data, lost revenue due to business interruption, legal counsel, and other types of expenses.

Third-party coverage protects your business from liability claims brought by someone outside the company. This type of policy might cover things like payments to consumers affected by a data breach, costs for litigation brought by third parties, and losses related to defamation.

Depending on how substantial a digital attack's losses could be to your business, your best choice may be both first- and third-party coverage.

Cyber insurance policy coverage considerations

Cyber insurance protects your company's bottom line by helping you pay for costs related to recovering lost or stolen data and cover costs incurred by affected third parties (if you have third-party coverage).

As you might imagine, cyber insurance policies vary. When reviewing cyber insurance policies, it's important to ask these questions:

  1. Does this policy cover a variety of digital attacks, especially the ones we're most susceptible to?
  2. What are the policy's exclusions? For example, unlikely circumstances like acts of war or terrorism and well-known, named viruses may not be covered in the policy.
  3. How much do the premiums and deductibles cost for the coverage we need?
  4. What are the coverage (payout) amounts or limitations?

Keep in mind that choosing the company with the lowest premiums may not be the best strategy. For further reading, the Federal Trade Commission offers a helpful checklist of additional considerations for choosing a cyber insurance policy.

Errors & omissions (E&O) coverage

Technology errors and omissions (E&O) coverage isn't technically cyber insurance, but could be part of a comprehensive policy. This type of coverage protects your business from expenses that may be incurred if/when your product or service fails to deliver or doesn't work the way it's supposed to. This can be confused with cyber insurance coverage because it protects your business in the case your technology product or service fails. The difference is that E&O coverage comes into effect when that failure is due to the business' own negligence.

You may want to pay the upcharge for E&O coverage to protect against harm caused if/when your product or service fails to deliver or work as intended. E&O also offers coverage for data loss stemming from employee errors or employee negligence in following data safeguards already in place. Consider whether you also need this type of protection and ask your cyber insurer if they offer E&O policies.

Beyond insurance

Cybersecurity insurance providers often offer a range of holistic services designed to help you manage and mitigate cyber risks. These services go beyond traditional insurance coverage, providing proactive support in the form of risk assessment, incident response, and recovery assistance. This comprehensive approach helps you strengthen your cybersecurity posture and minimize the impact of cyber incidents.

Services potentially offered by cybersecurity insurance providers:

  • Risk assessment and management: Evaluating your current cybersecurity measures and identifying vulnerabilities.
  • Incident response planning: Assisting in the development and implementation of incident response plans.
  • Threat intelligence: Providing real-time information on emerging cyber threats and vulnerabilities.
  • Employee training and awareness: Offering programs to educate employees on best practices for cybersecurity.
  • Breach response services: Support during and after a cyber incident, including forensic investigation and legal assistance.
  • Business continuity and recovery support: Helping to restore operations and recover lost data following an incident.
  • Regulatory compliance guidance: Assisting in meeting industry-specific cybersecurity regulations and standards.

It's important to ask if these services are included in your policy or if you can add them if needed.

Premiums, deductibles, and coverage

What are the average premium costs, deductible amounts, and liability coverage for a business like yours? The answer to that question turns out to be more complex than you'd think.

How are premiums determined?

Every insurance provider is different, but here are common factors that affect cyber insurance premiums:

  • Your industry (e.g., education, healthcare, and financial industries are higher risk)
  • Your company size (e.g., more employees increase risk)
  • Amount and sensitivity of your data (e.g., school districts with student and faculty personally identifiable information are at higher risk)
  • Your revenue (e.g., a profitable bank will be more attractive to cybercriminals)
  • Your investment in cybersecurity (e.g., lower premiums go to companies with dedicated resources and policies around cybersecurity)
  • Coverage limit (e.g., a lower liability limit lowers the premium)
  • Deductible (e.g., the more you pay per incident, the less your plan's premium)

What does the average premium cost?

These days, it's challenging to estimate the true cost of an attack because historical data hasn't been widely shared. The U.S. Government Accountability Office reported that the rising "frequency, severity, and cost of cyberattacks" increases cyber insurance premiums.

But, generally speaking, if you are willing to cover more of the cost of a data breach, your deductible rises, and your premium falls. Data from TechInsurance reveals that the average cyber insurance premium is around $145 per month depending on your risk profile and the policy limits you choose.

How do I get cyber insurance?

Most companies start with an online quote from a cyber insurance provider, but many will eventually need to compile more detailed and specific information in order to get the most accurate figures.

If you're a business owner, you may have all the information you need at hand, but for mid-market and enterprise companies, securing a cyber insurance policy should be a cross-functional effort. You'll need information from finance, legal, and compliance departments, IT, operations, and perhaps other divisions to ensure cyber insurance coverage and policy terms meet your company's needs.

Before the quote, an insurance company will perform a risk assessment of your business in order to determine the cost to insure you. A typical cyber insurance questionnaire might include specific, detailed questions in the areas of organizational structure, legal and compliance requirements, business policies and procedures, and questions about your technical infrastructure. Here are some questions you might encounter:

  • Organizational: What kind of third-party data do you store or process on your computer systems?
  • Legal and compliance: Are you aware of any disputes over your business website address and domain name?
  • Policies and procedures: Do you have a business continuity plan in place?
  • Technical: Do you utilize a cloud provider to store data or host applications?

Cyber insurance readiness

Now that you know the basics of cyber insurance, you can be better prepared if and when the time comes to get insured. Shoring up your vulnerability to cyber incidents goes a long way toward helping you acquire cyber insurance and get the best premiums possible. You can start by protecting business workstations with automatic backups and by protecting virtual machines (VMs), servers, and network attached storage (NAS) data for BC and disaster recovery (DR).
