A Quick Guide for Small Cybersecurity Teams Looking to Invest in Cyber Insurance

In the world of insurance providers and policies, cyber
insurance is a fairly new field. And many security teams are trying
to wrap their heads around it.

What is it and do they need it? And with what time will they
spend researching how to integrate cyber insurance into their
strategy?

For small security teams, this is particularly challenging as
they contend with limited resources.

Luckily, there’s a new eBook^[1]
dedicated to helping small security teams better understand cyber
insurance policies and how they may impact an organization’s
cybersecurity measures.

Background

In 1997, the “Internet Security Liability” (ISL) insurance
policy was launched at the International Risk Insurance Management
Society’s convention in Honolulu. Underwritten by AIG, ISL
insurance was designed to protect ecommerce retailers like Amazon
that were collecting sensitive customer data and storing it on
internal networks. It is credited as one of the very first cyber
insurance policies to be made available to businesses.

Now, a quarter of a century later, the cyber insurance market
has grown exponentially and covers a wide range of cybersecurity
incidents. According to the National Association of Insurance
Commissioners (NAIC), the cybersecurity insurance market hit $4.1
billion last year, up 29.1% over the previous year. Industry
reports predict the market will reach $11.4 billion by the end of
this year – and nearly double to $22.3 by 2025.

“Last year was a stark reminder that hackers are pivoting — and
are succeeding — in deploying new attack strategies,” writes John
Farley, managing director of Gallagher, a global insurance
consultancy. “There were a wide variety of victims that ranged from
global software providers, email platforms, the largest U.S. meat
supplier and fuel suppliers that provides nearly half the fuel to
the east coast of the U.S. Threat actors have found this vase
system of interdependencies to be fertile hunting grounds.”

Organizations with even the smallest cybersecurity teams are now
looking at cyber insurance to protect their businesses from cyber
attacks.

But investing in cyber insurance is not as easy as adding a new
insurance policy.

What is cyber insurance?

Cyber insurance, also referred to as cyber liability insurance
or data breach insurance, can help mitigate the costs of cyber
attacks – an expense that is growing at an alarming rate. While
still not a mandatory expense, cyber insurance is quickly rising to
the top of priority lists for many organizations that manage vast
amounts of data.

Because a cybersecurity attack can cost a business millions of
dollars – IBM reports the average cost of a data breach reached
$4.35 million in 2022 – businesses that do not invest in cyber
insurance are putting their entire enterprise at risk. A cyber
insurance policy does not stop a cyber attack, but it can prevent
it from completely devastating a business.

What does cyber insurance cover?

As with any insurance policy, there are different forms of cyber
insurance that cover various cyber security threats. The market
varies widely, with policies often determined by insurance
providers, but the primary forms of cyber insurance include:

1. Network security systems policies which cover the cost of
   lawyers, IT forensic services, data restoration, breach
   notifications and communications, and more when a data breach,
   malware infection or ransomware incident occurs.
2. Privacy liability policies which cover any costs related to a
   data breach that exposes personally identifiable information (PII),
   i.e. lawsuits, compliance violations, reputational risk management,
   etc.
3. Network business interruption policies that enable a business
   to cover costs related to data loss or any financial losses
   incurred by a disruption in services.
4. Errors and omissions policies that are similar to network
   business interruption policies, covering cyber attacks that
   jeopardize a businesses’ ability to deliver services or meet
   contractual obligations.
5. Media liability policies which cover any losses resulting from
   allegations of slander, libel, disparagement, or copy
   infringement.

This is not a complete list of cyber insurance policies.
Specific terms and conditions are up to insurance providers, with
claims often disputed as it can be difficult to define a cyber
attack that involves sophisticated forms of cybercrime or social
engineering schemes which are difficult to identify.

How do existing cybersecurity efforts impact cyber
insurance policies?

Before obtaining a cyber insurance policy, businesses must be
approved for coverage. To protect their own costs, insurance
providers often make cyber insurance contingent on a number of
specific cybersecurity measures.

These contingencies usually include a business’ cybersecurity
efforts – things like making sure an organization has written
security policies in place, uses multi-factor authentication (MFA),
and encrypts their data. Often cyber insurance providers dictate
which cybersecurity tools a business must implement and even
security vendors the business chooses to partner with.

Such rules set by the cyber insurance provider directly impacts
an organization’s cybersecurity efforts and can create friction
between cybersecurity teams and the business leaders purchasing the
cyber insurance policy. The best path to reducing this friction is
to make sure the cybersecurity team is on board with the process
from the start and involved in key decisions that impact the
business’ cybersecurity strategy.

Cybersecurity team leads need to understand cyber insurance
policies and be able to assess whether or not a tactic required by
an insurance provider weakens or strengthens the business’ existing
cybersecurity protections.

If your organization is currently evaluating cyber insurance
policies, download Cynet’s insurance guide^[2]
to better understand what’s at stake – both for your cybersecurity
team and your business at large.

Download Cynet’s Small Security
Team’s Guide to Cyber Insurance.^[3]