
The value of investing in cyber insurance


Cyberattacks hit every day and they’re becoming more frequent, according to Accenture, which estimates that cybercrime will cost global companies $10.5 trillion per year by 2025. That’s an increase of 250% from just a decade earlier.

These attacks grew during the COVID-19 pandemic. The global explosion in remote workers only created more opportunities for things like phishing and ransomware.

Naturally, more risk demands more protection, which is why President Joe Biden in May signed an executive order requiring government contractors to report cyber incidents, mandating that government software meet certain security standards and creating a government board to review major cyber incidents.

But cybersecurity isn’t the responsibility of the government alone. It’s also the responsibility of large corporations, small businesses and individual consumers, all of whom are vulnerable to malicious attacks by internet criminals. To protect themselves, consumers and companies alike are turning to two very different but very complementary instruments: cloud computing and cyber insurance coverage.

The former is both a source of cybercrime and a solution to it. On the one hand, cloud computing increases attack surfaces by exposing more information to networks that could be breached and hacked. On the other hand, cloud computing is inherently secure due to encryption and protected access, making it harder for bad actors to breach. Plus, cloud service providers are making deep investments in security updates and enhancements, including built-in firewalls, AI protection and auto-patching.

Still, technology will never be completely impenetrable. That’s where cyber insurance coverage comes in. Although it’s still new, it’s growing fast. In fact, analysts at Fitch Ratings say direct written premiums for cyber insurance coverage increased 22% last year, to $2.7 billion. That includes $1.6 billion in premiums for standalone cyber coverage, which grew 29% last year.

Because they use it every day, most companies by now are familiar with the cloud. But cyber insurance is still uncharted territory for many.

What is Cyber Insurance and Why Do You Need It?

Most businesses store sensitive customer data in the cloud, such as credit card information, Social Security numbers, passwords, birthdays or healthcare records. Malicious actors find that information attractive and use ransomware attacks to obtain it. Those attacks are the most common reason for a cyber insurance claim, though policyholders may also file claims around phishing email scams, distributed denial-of-service (DDoS) attacks and wire-transfer fraud.

The reason companies need dedicated insurance for cyberattacks is simple: Most insurers won’t cover cyber incidents as part of your general liability policy, which covers bodily injuries and property damage. Meanwhile, many cloud service providers structure contracts to limit their own liability, putting the burden of attack mostly or entirely on partners and users. So, special and dedicated protection is needed.

What Does Cyber Insurance Cover?

The short answer: It depends. However, coverage generally is divided into first-party (i.e., yourself and your business) and third-party (i.e., your customers or others who might be affected) coverage.

Among other things, policies might pay the cost of:

  • Cybersecurity professionals who can investigate the crime;
  • Losses from business interruptions;
  • Customer communications;
  • Data recovery;
  • Media liability;
  • Infringement of intellectual property;
  • Legal fees;
  • Government fines; and
  • Customer settlements.

Insurance companies may offer various cyber insurance packages catering to companies of different sizes and risk exposures. These can be standalone options or added to existing policies. For example, a data breach is the most concerning cyberattack for an individual or small business, so small businesses might invest only in data breach coverage. Meanwhile, a larger enterprise may opt for an extensive cyber liability insurance policy that’s more comprehensive.

Because cyber coverage is not cut and dried, cybersecurity expert JohnE Upgrade – a pseudonym that he uses to protect his identity from hackers – suggests that businesses chat with an unbiased third party before investing in cyber insurance coverage.

“Have an assessment of your defensive abilities done by a cybersecurity company that doesn’t provide insurance,” he said. “This way, you can examine the policy and see exactly what isn’t going to be covered.”

But is Cyber Insurance Enough?

Cybersecurity insurance can help your company recover from a cyberattack, but it won’t prevent one from happening in the first place. And if the worst does happen, it can’t protect your company’s reputation; trust in your brand will almost certainly erode.

For those and other reasons, cyber insurance shouldn’t replace good cyber hygiene; rather, it should serve as a complement to it.

At its best, that’s how all insurance functions. For example, consider the origin of fire insurance.

“Ben Franklin started a civic proposition about controlling fires because the creation of electricity led to more fires,” said Tim Andrews, vice president at cybersecurity solutions provider Booz Allen Hamilton.

“Insurance companies have an obvious interest; they have to pay if things go poorly, so they instituted building codes to ensure businesses and homeowners are taking proper precautions. Cybersecurity insurance is similar – you’ve got to show you have reasonable processes in place.”

In fact, an insurance company may refuse to honor or even offer a policy without evidence that good cyber hygiene is practiced.

To prove you’re up to snuff, consider investing in ongoing cybersecurity training, advises Heather Stratford, founder and CEO of cybersecurity training firm Drip7, who suggests “microtraining” – delivering short and frequent bursts of content that employees can absorb at their convenience.

“Microlearning has been demonstrated to produce much better results than the traditional lecture-followed-by-a-test approach,” Stratford said.

Training is critical because human error is still the biggest cause of cyber vulnerability.

“The No. 1 issue is not upgrading software on your phones and computers,” Andrews says. “Even if you have an automatic update, it could fail because it’s not plugged in or another setting skips it. So many people are willfully out of sync with their updates.”

How Do Cloud Computing and Cyber Insurance Work Together?

The amount of information stored in the cloud will continue to grow, and hackers will continue to find ways to obtain it. Consumers and businesses, therefore, need multiple tools in their toolbelt in order to protect themselves.

Cyber insurance is one tool, but it’s unclear how effective it will be. For example, Upgrade notes that it could take years to get payouts from claims. And some smaller insurance companies may never be able to complete a payment.

“What happens to a company that offers cybersecurity insurance, and malware comes out that affects multiple clients at once?” Upgrade asks. “Who do they pay first? How do they determine which companies were negligent in their defensive policies and implementation?”

Along with insurance that can help after an attack, it’s therefore important to invest in strong security measures that can help prevent an attack in the first place. That’s where cloud computing comes in: storing information in the cloud and partnering with cloud vendors that invest in the latest cybersecurity technologies and practices.

Nothing is ironclad. Paired with good cyber hygiene, however – keeping servers and systems up-to-date, using multi-factor authentication, and avoiding suspicious emails and texts – cloud computing on the front end and cyber insurance on the back end can give your organization 360-degree protection against the most common and consequential cyberattacks.
