Search
Close this search box.
Request a quote

Can a business forgo a cyber insurance policy?

pexels-zhang-kaiyv-842649

Can a business forgo a cyber insurance policy?

While most companies store customer data or process transactions, only 20% have cyber coverage.

Frequently, business owners don’t understand how the price of cyber insurance policies is determined and what is covered under a policy.

Though the cyber insurance market in the U.S. is currently valued at more than $7 billion, it is forecast to reach more than $20 billion by 2025.

Considering the increase in cyber-attacks just since the COVID-19 pandemic, it has become increasingly clear that most, if not all, businesses that store customer data or process electronic transactions may be targets of cyberattacks. Yet only 20% of businesses have cyber insurance coverage, according to a survey conducted by Appalachian State University and Selective Insurance.

One obvious hindrance is that business owners don’t always understand how the price of cyber insurance policies is determined and what is covered under their policy.

The amount paid for a cyber insurance premium will vary based on the type of business and by-products offered through individual insurers.

Choosing cyber coverage

According to Insureon, 27% of small business owners pay less than $1,000 per year for cyber liability insurance and another 36% pay between $1,000 and $2,000 per year. Excluding high and low outliers, the median premium for cyber liability insurance is $140 per month. Cyber liability policies have limits that range from $1 million to $5 million or more.

Premiums are dependent on several factors, including the industry the business engages in, the exposure, the dollar limits selected, the type of coverage provided, as well as the chosen deductibles.

A small business such as a bakery operating on a regional basis with a limited customer base and a smaller revenue will likely pay less for cyber insurance than a national retailer that stores customer credit card information through in-person and online shopping.

Other high-exposure examples include medical clinics and hospitals that store protected personal information (PPI) within their potentially vulnerable databases.

Aspects that impact insurance costs include the limitations, deductibles and exclusions of the business’ specific policy. A business owner should carefully review the policy language since cyber fraud scenarios are constantly changing.

Read the fine print

The latest tale of an organization falling victim to a business email compromise attack on their credit card processor highlights how very specific the scenario needs to be to see a payout. A Texas-based company’s credit card processor was duped to modify disbursement instructions, losing more than $10 million.

A lawsuit following the Texas company’s cyber insurer’s denial of the claim demonstrates how policy language can make or break a cyber claim payout. In this case, the court found that for coverage to apply, the Texas company had to be the victim of the cyberattack per its policy language rather than the credit card processor.

When a business shops for a cyber policy, insurers will review the following for each business it considers insuring:

Infrastructure security. The insurer’s underwriters will audit a business’ controls and procedures to determine how vulnerable its infrastructure is to breach or attack. If, for example, a business has multiple vendors and a dated security system, the security may be more easily compromised. On the other hand, the more security measures in place, the lower the cyber insurance premium cost.

Training procedures. The risk of a breach or a loss is dependent on the training that the business’s users and information technology staff receive. Personnel should be trained to understand network security risks and, in the event of a cyber-attack, know what to do when one occurs. This is especially important given that phishing scams are the leading threat vector against businesses. Verizon’s 2020 Data Breach Investigations Report shows phishing as the leading threat action, followed by the use of stolen credentials and password dumpers. An insurer’s underwriter examines the mitigation procedures in place in the event of a cyber breach as part of their pricing model.

Loss history. Does the business have a history of breaches or losses? This history provides underwriters an understanding of past exposure and aids in revealing areas within the business that may be vulnerable to security flaws.

Type of data collected and stored. Businesses that store credit card data, financial information, or healthcare data tend to be more heavily targeted by cybercriminals. The type of information that the business collects and stores is used to help determine the risk involved.

Geographic location. The location of the business and its network infrastructure may factor into a business’ risk profile.

Regulatory requirements. Governance policies such as GDPR in Europe, the CCPA in California, and the Biometric Information Protection Act could increase the accountability of a business when handling sensitive data. If a business is found to have sustained a breach or failed to follow stated procedures, significant fines could be imposed.

Working together, small businesses and insurers can minimize the damage and claims that may result in the event of a cyber-attack by ensuring a business has the appropriate policy and coverage in place.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related posts
Commercial P&C Insurance

Commercial Office Space Set for a Strong Comeback

The sustained increase in demand for office space across the nation since late 2022 suggests that the market has moved past its lowest point, according to insights from the real estate technology platform, VTS. Demand for office space began to rise in late 2022 and continued into early 2023. Since then, the office market has experienced a period of stability and growth, supported by favorable economic factors, indicating a market rebound. This conclusion is drawn from the VTS Office Demand Index (VODI), which tracks unique new tenant tour requests for office properties in key U.S. markets. The VODI serves as an early indicator of future office leasing activity. According to the index, demand for office space has grown consistently over the past 12 months, closing the second quarter with a 17% year-over-year increase and a 34% rise from the VODI’s lowest point in December 2022. A significant shift in office-based employment patterns further supports the belief that demand for office space has stabilized. After reaching its peak in August 2022, office-based employment declined by 3.9% in early 2024. However, this trend has since stabilized, and employment growth has remained steady. Additionally, a recent decrease in work-from-home rates has fueled the renewed demand for office space. “They say you can only recognize a market bottom after it has passed, and the office space market is no exception. Following what we now see as the bottom, the national demand has gradually increased, though it remains susceptible to economic challenges,” said Nick Romito, CEO of VTS. “However, the growth observed in VODI over the past 18 months, coupled with positive trends in the office-using workforce, suggests that the market has reset, and the worst is behind us.” It’s important to note that this national trend does not impact all local markets equally. Cities like Los Angeles and New York City have seen healthy growth in office space demand, while markets such as San Francisco and Washington, D.C., have experienced prolonged stagnation. In Los Angeles, office space demand surged in the second quarter, briefly surpassing pre-COVID levels, driven by an increase in the average size of office spaces sought by tenants. New York City followed a similar overall pattern, though with some softness in the second quarter. Conversely, San Francisco’s demand for office space remains unpredictable, largely due to its tech-focused workforce, which continues to favor remote work more than other industries. “Markets heavily dependent on the tech sector, like San Francisco and Seattle, are on a markedly different post-COVID recovery path compared to more diversified markets like Los Angeles and New York City. It may take some time before we see office demand in San Francisco and Seattle return to pre-COVID levels,” added Ryan Masiello, Chief Strategy Officer at VTS.

Read More
Cyber Liability

Global IT Outage Puts Business Interruption Insurance in the Spotlight

In July, a global IT outage had a significant impact on business interruption insurance policies, overshadowing the effects on cyber insurance coverages. “This incident wasn’t a result of a malicious attack, which is why typical cyber insurance policies may not have been activated,” explained Peter McMurtrie, a partner in West Monroe’s insurance sector, in an interview with PropertyCasualty360.com. “Where coverage was applicable, factors like deductible amounts, waiting periods, and coverage limits played a critical role in determining the extent of exposure,” McMurtrie noted. “Standard policies for small businesses were less likely to offer coverage, while more complex policies for mid-sized companies and Fortune 500 corporations may have included broader triggers for non-malicious outages caused by third-party software issues.” The outage was triggered by a software update on July 19, 2024, by cybersecurity firm CrowdStrike, which affected organizations worldwide using Microsoft Windows. This interruption had far-reaching consequences, including disrupting hospital systems, media outlets, financial institutions, delaying thousands of flights, and halting daily business operations. McMurtrie emphasized that while the initial impact of the outage was similar for both large and small businesses, the ability to recover operations and whether insurance covered the loss of business income varied. “Larger companies are more likely to have advanced disaster recovery plans that ensure service redundancy following unexpected outages,” he added. “Their insurance programs also tend to cover a wider range of incidents.” According to Microsoft, the CrowdStrike update error affected over 8.5 million Windows devices globally. The incident highlighted the interconnected nature of our global ecosystem, including cloud providers, software platforms, security services, and their clients. “It’s a stark reminder of the importance of prioritizing safe deployment and disaster recovery across the tech industry,” the company said in a blog post. McMurtrie pointed out that the outage’s widespread impact was largely due to its effect on organizations that are critical to societal infrastructure—sectors like agriculture, airlines, banking, energy, government, healthcare, manufacturing, and retail. “Insurance companies base their risk appetite on their ability to understand and price risks appropriately. This becomes increasingly challenging with emerging threats,” he said. “However, I anticipate that insurers will respond by clarifying policy language, refining risk selection criteria, and possibly developing new products specifically designed for this evolving exposure.”

Read More
Categories
Try your instant quote
Click here to proceed