Why Businesses Need Cyber Insurance

In a world of increasing digital attacks, cybersecurity insurance is helping protect against threats and ensure recovery whenever IT systems are compromised. Experts explain what cyber insurance is and how it’s evolving.

By Joey Held October 28, 2022

Cyberattacks hit every day and they’re becoming more frequent, according to Accenture, which estimates that cybercrime will cost global companies $10.5 trillion per year by 2025. Cyber insurance can help protect businesses of all sizes, as cyberattacks continue to rise nearly 125% each year.

Cyberattacks grew during the COVID-19 pandemic. The global explosion in remote workers only created more opportunities for things like phishing and ransomware.

What is Cyber Insurance and Why Do You Need It?

Most businesses store sensitive customer data in the cloud, such as credit card information, Social Security numbers, passwords, birthdays or healthcare records. Malicious actors find that information attractive and use ransomware attacks to obtain it. Those attacks are the most common reason for a cyber insurance claim, though policyholders may also file claims around phishing email scams, distributed denial-of-service (DDoS) attacks and wire-transfer fraud.

The reason companies need dedicated insurance for cyberattacks is simple: Most insurers won’t cover cyber incidents as part of your general liability policy, which covers bodily injuries and property damage. Meanwhile, many cloud service providers structure contracts to limit their own liability, putting the burden of attack mostly or entirely on partners and users. So, special and dedicated protection is needed.

Naturally, more risk demands more protection, which is why President Joe Biden in the spring of 2021 signed an executive order requiring government contractors to report cyber incidents, mandating that government software meet certain security standards and creating a government board to review major cyber incidents.

But cybersecurity isn’t the responsibility of the government alone. It’s also the responsibility of large corporations, small businesses and individual consumers, all of whom are vulnerable to malicious attacks by internet criminals.

Reflecting on his experience teaching the next generation of IT leaders, Sebastian Goodwin, the chief security officer at hybrid multicloud software company Nutanix, said the complexity of the technologies that businesses and organizations use has increased exponentially in recent years. 

“Security teams have to not only understand a multitude of technologies that operate across disparate substrates and platforms but also understand how those technologies can be exploited and how to protect them,” he said. “With unique vulnerabilities in each platform, it’s a constant challenge to prioritize and mitigate risk.”

What Does Cyber Insurance Cover?

The short answer: It depends. However, coverage generally is divided into first-party (i.e., yourself and your business) and third-party (i.e., your customers or others who might be affected) coverage.

Among other things, policies might pay the cost of:

  • Cybersecurity professionals who can investigate the crime;
  • Losses from business interruptions;
  • Customer communications;
  • Data recovery;
  • Media liability;
  • Infringement of intellectual property;
  • Legal fees;
  • Government fines; and
  • Customer settlements.

Insurance companies may offer various cyber insurance packages catering to companies of different sizes and risk exposures. These can be standalone options or added to existing policies. For example, a data breach is the most concerning cyberattack for an individual or small business, so small businesses might invest only in data breach coverage. Meanwhile, a larger enterprise may opt for an extensive cyber liability insurance policy that’s more comprehensive.

Because cyber coverage is not cut and dried, cybersecurity expert JohnE Upgrade – a pseudonym that he uses to protect his identity from hackers – suggests that businesses chat with an unbiased third party before investing in cyber insurance coverage.

“Have an assessment of your defensive abilities done by a cybersecurity company that doesn’t provide insurance,” he said. “This way, you can examine the policy and see exactly what isn’t going to be covered.”

But is Cyber Insurance Enough?

Cybersecurity insurance can help your company recover from a cyberattack, but it won’t prevent one from happening in the first place. And if the worst does happen, it can’t protect your company’s reputation; trust in your brand will almost certainly erode.

For those and other reasons, cyber insurance shouldn’t replace good cyber hygiene; instead, it should complement it.

At its best, that’s how all insurance functions. For example, consider the origin of fire insurance.

“Ben Franklin started a civic proposition about controlling fires because the creation of electricity led to more fires,” said Tim Andrews, vice president at cybersecurity solutions provider Booz Allen Hamilton.

“Insurance companies have an obvious interest; they have to pay if things go poorly, so they instituted building codes to ensure businesses and homeowners are taking proper precautions. Cybersecurity insurance is similar – you’ve got to show you have reasonable processes in place.”

In fact, an insurance company may refuse to honor or even offer a policy without evidence that good cyber hygiene is practiced.

To prove you’re up to snuff, consider investing in ongoing cybersecurity training, advises Heather Stratford, founder and CEO of cybersecurity training firm Drip7, who suggests “microtraining” – delivering short and frequent bursts of content that employees can absorb at their convenience.

“Microlearning has been demonstrated to produce much better results than the traditional lecture-followed-by-a-test approach,” Stratford said.

Training is critical because human error is still the biggest cause of cyber vulnerability.

“The No. 1 issue is not upgrading software on your phones and computers,” Andrews says. “Even if you have an automatic update, it could fail because it’s not plugged in or another setting skips it. So many people are willfully out of sync with their updates.”

How Do Cloud Computing and Cyber Insurance Work Together?

To protect themselves, consumers and companies alike are turning to two very different but very complementary instruments: cloud computing and cyber insurance coverage.

The former is both a source of cybercrime and a solution to it. On the one hand, cloud computing increases attack surfaces by exposing more information to networks that could be breached and hacked. On the other hand, cloud computing is inherently secure due to encryption and protected access, making it harder for bad actors to breach. Plus, cloud service providers are making deep investments in security updates and enhancements, including built-in firewalls, AI protection and auto-patching.

Still, technology will never be completely impenetrable. That’s where cyber insurance coverage comes in. Although it’s still new, it’s growing fast. In fact, analysts at Fitch Ratings say direct written premiums for cyber insurance coverage increased 22% last year, to $2.7 billion. That includes $1.6 billion in premiums for standalone cyber coverage, which grew 29% last year.

Because they use it every day, most companies by now are familiar with the cloud. But cyber insurance is still uncharted territory for many. 

The amount of information stored in the cloud will continue to grow, and hackers will continue to find ways to obtain it. Consumers and businesses, therefore, need multiple tools in their toolbelt in order to protect themselves.

Cyber insurance is one tool, but it’s unclear how effective it will be. For example, Upgrade notes that it could take years to get payouts from claims. And some smaller insurance companies may never be able to complete a payment.

“What happens to a company that offers cybersecurity insurance, and malware comes out that affects multiple clients at once?” Upgrade asks. “Who do they pay first? How do they determine which companies were negligent in their defensive policies and implementation?”

Along with insurance that can help after an attack, it’s therefore important to invest in strong security measures that can help prevent an attack in the first place. That’s where cloud computing comes in: storing data in the cloud and partnering with cloud vendors that invest in the latest cybersecurity technologies and practices.

Nothing is ironclad. Paired with good cyber hygiene, however – keeping servers and systems up-to-date, using multi-factor authentication, and avoiding suspicious emails and texts – cloud computing on the front end and cyber insurance on the back end can help protect organizations against consequential cyberattacks.

Cybersecurity Insurance In Practice

Davis Hake, a defense expert and Adjunct Professor of Cyber Risk Management at the University of California, Berkeley, battles cybercrime across the private, education and government sectors. As co-founder of Resilience Insurance in San Francisco, he helps modernize the insurance industry to avoid or minimize digital losses. In addition to insuring companies against ransomware and other breaches, his company also offers cyber education, protection, and recovery solutions to help fend off attacks and reduce the business impact of a breach.

Hake told The Forecast that interest in new insurance models skyrocketed after the COVID-19 outbreak because organizations fast-tracked remote work capabilities. These organizations faced security challenges “not because of cloud technology, per se, but because they’ve quickly disrupted old ways of doing things.” He said their companies’ cloud projects were accelerated by as much as five years due to the pandemic.

Those companies are “finding themselves in a hybrid IT environment” that they haven’t spent years learning to protect yet, he explained. But operating on modern IT platforms allows organizations to leverage new security technologies and services more easily.

Hake said Resilience clients make their own decisions about whether they pay ransom demands in cases of ransomware attacks. Whether or not to acquiesce to cyber-blackmailers is a controversial issue. Some private-sector organizations have adopted no-pay policies, and some U.S. states are pushing for legislation to ban payments at local and state levels. The thinking is that making the payments provides criminals with an incentive to hold data hostage for monetary payoffs likely only to grow larger.

However, Hake pointed out, organizations like hospitals and energy companies provide life-essential services and can’t endure prolonged data outages without risking the loss of life and public safety.

“We work with every one of our clients to ensure that they have secure backups, that they're running endpoint protection, that they've deployed multifactor authentication, and that they've secured their administrative accounts,” said Hake.

“This is all basic cyber hygiene that can be very effective at providing options for recovery, even if the attackers do get in.”

Hake underscores once again the role of beefing up incident recovery best practices to build a bright future. 

“A lot of research we’re seeing is going into determining best practices for being able to take a punch but come back quickly with minimal disruption.”

This article is an updated version of the original published on October 12, 2021.

Joey Held is a writer, author and podcaster based in Austin, Texas. Connect with him on Twitter or LinkedIn.

Jacob Gedetsis updated this article. In addition to The Forecast, his work has appeared in The Kansas City Star, The Post Standard and The Plain Dealer, among others. Find him on Twitter @JacobGedetsis.
