As the risk of cyber attack increases, and the cost of those attacks rises, many organisations of all sizes and across all sectors and industries have invested in cyber liability insurance coverage to mitigate the impact of a cyber attack when it occurs. Currently, 43% of businesses and 29% of charities in the UK have some form of cyber insurance, up from 32% for businesses in 2020.
However, as the market grows and more organisations buy cyber risk insurance, it is becoming increasingly clear that, while it is beneficial to many organisations, cyber liability insurance is not a replacement for an effective cyber security programme.
What is cyber liability insurance coverage?
Cyber insurance, also known as cyber risk insurance or cyber liability insurance, covers the costs of data breaches and other forms of cyber attack.
Cyber risk insurance offers risk transfer opportunities for organisations by providing a backup in case of an attack. However, this is often contingent on having cyber protections in place from the start.
Most cyber liability insurance policies will cover first party costs from a cyber attack, paying out for lost, damaged, stolen, or corrupted data or electronic systems. This includes the cost of investigating the attack, recovering data (including in some cases paying the ransom in a ransomware attack), loss of income from downtime, the costs of any activities associated with reputation management, and more.
Third party cyber liability insurance coverage will include the costs of damages and settlements to customers and other stakeholders (including GDPR fines), and the cost of legal defence should the company be sued as a result of the cyber attack.
Why buy cyber insurance?
Cyber liability insurance coverage is tailored to cyber attacks
In today’s world, most organisations rely on their IT systems to carry out their business. However, those same IT systems are also connected to the internet, making them vulnerable to cyber criminals who look for vulnerabilities to exploit in order to gain access to systems.
Cyber risk insurance is specifically designed to pay out against these cyber attacks, and as such it will provide cover for the specific damage caused by a cyber attack, where other forms of insurance policy may not.
Cyber attacks can be ruinously expensive
Cyber attacks cost money. The various costs from a cyber attack include:
Ransomware costs: There are the obvious costs of unlocking or buying back data that has been encrypted or stolen in an attack and held for ransom. According to research by Sophos, the most common ransom payment is $10,000, but the average ransom payment in 2021 is $170,404, with some ransom payments far exceeding that figure.
Output loss costs: Cyber attacks often cause downtime and disruption to services. The longer systems are offline, the longer employees can’t do their jobs and customers won’t receive their services, reducing productivity and revenues.
Recovery costs: Recovery costs can far outweigh the direct costs of the attack. In fact, the research from Sophos found that the average cost of recovering from a ransomware attack is $1.85 million – 10 times the cost of the ransom itself.
Ongoing costs: Many organisations face loss of reputation as a result of suffering a cyber attack, and with that a loss of customers who choose to shop elsewhere. As recently as 2018, 60% of businesses that suffered a ransomware attack went out of business within six months of the attack.
For some businesses, especially smaller businesses, cyber liability insurance coverage has proven useful as it has smoothed the recovery process and made the difference between continuing to trade or closing their doors. From that perspective alone, cyber insurance may well be worth it.
Some sectors/organisations are attractive targets
Many cyber criminals (especially ransomware gangs) are looking to make a profit from their activity, and will choose targets that will realise the biggest returns from an attack. Some sectors, and some organisations within those sectors, present particularly attractive targets for attackers because of the data they hold.
Businesses within those sectors may find that cyber insurance benefits will far outweigh the costs.
Is cyber insurance worth the cost?
The section above looked at cyber insurance benefits; this section discusses the ways in which cyber liability insurance coverage may simply be an expense.
Cyber risk insurance premiums are rising
Cyber risk insurance doesn’t come cheap. Premiums are increasing, and coverage is being scaled back as some insurers are refusing to pay claims against ransomware payouts. Furthermore, some organisations may never need to make a claim against the insurance, meaning they have paid out thousands of pounds a year for nothing.
Cyber liability insurance coverage may be… patchy
As the market evolves, so do the cyber insurance products on offer. As a result, not all cyber liability insurance policies will cover everything, and the cost of getting the right amount of coverage may add significantly to the overall cost of the insurance.
Cyber liability insurance comes with an expensive list of requirements
Many insurers are now tightening up their requirements for organisations looking to buy cyber risk insurance. They will look to see whether an organisation has been attacked in the past (with or without making a claim), and may adjust coverage or premiums accordingly.
Increasingly, insurance companies are also asking for evidence that the organisation has a cyber security programme in place ahead of insuring them.
Cyber insurance is linked to rising ransomware demands
The cyber security industry has found a cause-and-effect relationship between cyber insurance and the increase in ransomware demands. As cyber liability insurance coverage has increased and matured, it has encouraged cyber criminals to become bolder. For example, evidence suggests that the higher ransomware demands are a result of more organisations paying up because they have insurance, and that some cyber criminals are tailoring their ransom demands to the coverage in their victims’ insurance policies.
Cyber liability insurance coverage isn’t a replacement for a solid cyber security programme
Cyber liability insurance coverage will not instantly solve all cyber security issues, and it will not prevent a cyber attack from taking place. Instead, cyber liability insurance coverage should be seen as the final piece in a cybersecurity programme, the one that will catch the organisation and enable it to recover if all other protections should fail.
The cost of preventing a cyber attack is far lower than the cost of mitigating the impact of a cyber attack. A multi-pronged cybersecurity programme that includes effective network and infrastructure security, employee training, and comprehensive incident response plans, as well as support from cyber insurance, will enable organisations of all sizes to weather any cyber attack.