We have a lot of conversations with our clients about cybersecurity insurance. Adelia Risk doesn't sell cybersecurity insurance. Instead, we provide a holistic cybersecurity service to small, high value, heavily regulated firms. As part of providing our service, cybersecurity insurance is a common topic.
The single biggest misconception that we see? Clients think that insurance protects you from monetary loss. Like, if a hacker gets access to your online banking and steals $1mm, then you'll get that money back.
Other insurance policies cover that (like "computer fraud" policies), but that's not what cybersecurity insurance does.
Cybersecurity insurance is meant to cover all of the expenses that a firm incurs when it's the victim of a data breach.
It really adds up.
Many policies will also cover the productive time lost to repairing the breach, the costs of credit monitoring for affected clients and for the business itself… there are even some policies which will cover a provable and ascertainable loss to the worth of the ‘brand’. A breach and all its complications can do serious harm.
The average cost of a data breach is $141 per breached record (https://www.csoonline.com/article/3251606/data-breach/what-does-stolen-data-cost-per-second.html), but this number can be misleading for small firms trying to figure out whether or not cybersecurity insurance makes sense for them. This is an industry average, and it includes a lot of very large data breaches that drive down the cost per record.
The best exercise to go through is to estimate what your costs would be if all of your records were breached, and then use that final tally to get a quote on cybersecurity insurance. Then it becomes a risk/reward calculation like any other insurance product -- if there's a small risk that we could get hit with a $500k or $1mm bill (for example) in the event of a breach, are we able to cover it out of cash flow? If not, then insurance makes a lot more sense.
We think that any firm that has data that is attractive to criminals should seriously consider cybersecurity insurance. Many privacy regulators are starting to ask about it. For example, the SEC's guidance on cybersecurity given to wealth managers and financial advisors explicitly asks if a firm has "insurance that specifically covers losses and expenses attributable to cybersecurity incidents." It's not saying definitively "You Must Have Cyber Insurance," but if you're ever audited, you should have a pretty good reason as to why you don't.
Like with all insurance policies, the devil is in the details. Different companies provide very different coverages, so take the time to really understand what kinds of costs you might experience in the event of a breach, and make sure that your insurance covers all of them.
We think cyber insurance policies make a ton of sense. Breaches can be incredibly expensive.
Having cybersecurity insurance makes breaches difficult-yet-survivable instead of a business-threatening event.