Limiting Risk

Increasing cyberattacks underscore the value of cyber insurance.

Virtually all organizations are now dependent on technology to one degree or another, which means they are at risk of cybercrime. Given the increasing frequency and sophistication of threats, it is no surprise that there is growing interest in cyber insurance.

According to the 2017 Cyber Survey from the Risk Management Society (RIMS), 83 percent of organizations now have a standalone cyber insurance policy. Of those without a standalone cyber policy, 84 percent indicated that other insurance policies include cyber liability coverage.

“At any given moment, cyber-predators can unleash a new hack to infiltrate an organization’s system, steal or lock critical data, and cause significant business interruption damages,” said RIMS President Nowell Seaman. “RIMS Cyber Survey shows that risk professionals continue to invest in cyber insurance products and must work in tandem with their insurers and IT professionals to help develop innovative and adaptable solutions for the next generation of cyber threats.”

SMBs Targeted

Ransomware has become especially threatening. Researchers at the University of California-San Diego recently estimated that cyber criminals have made more than $25 million over the past two years using malware that encrypts an organization’s data and requires a payoff to unlock it.

On average, there were more than 4,000 ransomware attacks every day in 2016, according to figures from the Justice Department. That’s a 300 percent increase over the previous year. Small to midsize businesses (SMBs) are particularly vulnerable.

That’s no real surprise. Cyber crooks know SMBs don’t have the security expertise or the budget of their enterprise counterparts. In fact, only 14 percent of SMBs rate their ability to mitigate cyber risk as highly effective. Too often, small business owners simply choose not to invest in preventive measures because they think they are too small to even be a target for ransomware. That could prove to be a seriously expensive miscalculation.

According to Osterman Research, 22 percent of SMBs that fell victim to a ransomware attack had to shut down their operations immediately. About 17 percent experienced downtime of 25 hours or more. On average, each incident cost SMBs more than $100,000 due to downtime.

Coverage Options

While cyber insurance isn’t meant to supplant strong security measures, it can limit the financial damage from an incident and help organizations keep their doors open. A well-crafted policy will typically feature the following coverages:

Liability. This covers the legal fees, court judgments and other costs incurred after a cyberattack that results in financial harm to customers, partners or other third parties. This could involve the exposure of personal information or the unintentional transmission of a computer virus to another party.

Management liability. This option provides coverage for the liability risks faced individually by a company’s officers, directors and key decision-makers while acting on behalf of the company.

Crisis management. This covers the cost of notifying consumers about a data breach that resulted in the release of private information, and also providing them with credit monitoring services. It could also cover the cost of retaining a public relations firm or launching an advertising campaign to rebuild a company’s reputation.

Business interruption. This covers loss of income due to an attack that causes an organization to temporarily shut down or otherwise limits its ability to conduct business.

Cyber extortion. This covers the settlement of a ransomware extortion threat.

Forensics. This covers the cost to hire computer forensics consultants to investigate the cause and scope of a breach, and to track down the source of the attack.

Data loss. This covers the loss, damage or destruction of valuable information assets.

It’s also a good idea to look for an underwriter that provides threat mitigation services. This might include online training resources, best practices guidelines and risk assessments to help organizations learn how to avoid risk, along with incident response planning to help minimize the damage in the immediate aftermath of an incident.

Security threats are more complex, diverse and frequent than ever before. They require a layered defense that integrates a variety of hardware- and software-based tools, along with consistent training and education programs that reinforce the need for employee diligence. While it may not be possible to completely eliminate cybercrime, proper planning can limit the risk and a solid cyber insurance policy can minimize the financial exposure.