Responding to a Cyberattack: Should Businesses Have Cyberinsurance?
Cybercrime is growing and the threat is changing. Even businesses that wisely invest in cyberdefenses are not impenetrable. In addition to having a good plan to prevent an attack, businesses need a plan to respond if one should occur. (see blog: Cybercrime: The Event That Could Shut Down Your Business in 6 Months) This is true for businesses of all sizes. According to Travelers Companies, 50% of small businesses have been victim of a cyberattack, and 62% of cyberattacks are targeted at small and mid-sized businesses. To mitigate risk, some businesses are looking to cyberinsurance.
Current Cyberinsurance Climate
Cyber-risk insurance is a relatively new product, but the market is growing. Globally, gross written premiums grew from $850 million in 2012 to $2.5 billion in 2014. A recent study by PwC predicts that the cyberinsurance market will triple over the next five years.
In part, this is due to a growing threat, but also there are more laws dictating what businesses must do in the case of a data breach that may add to a company’s financial exposure. (see blog: Five Questions Answered about Virginia’s Data Breach Law) Underwriting cyberinsurance policies can be challenging as the actuarial data is lacking, which leads to a more individualized approach. Insurers may look at a business based on industry, size, security measures in place, type of data collected, web presence and the like to customize policies. This can make for an expensive product.
Potential Costs of a Breach
There are a number of different cyberattack scenarios and costs that may be incurred by a victimized business. Expenses may include:
- Legal advice
- Investigation to determine how the breach occurred and what was lost
- Notification of victims
- Credit monitoring
- Replacement of lost assets
- Public Relations
- Extortion by cybercriminals
- Regulatory compliance costs
- Lawsuit for breaches (e.g., liability for negligence and failure to prevent the loss of sensitive information)
- Business interruption
Coverage Options and Exclusions
Many of the costs associated with cybercrime are not covered by general commercial insurance policies, but are covered by cyberinsurance policies. The coverage options in these plans can cover the costs directly incurred by a company that is the primary victim of the attack as well as third party claims by those also affected, including the expenses listed above.
Cyberinsurance policies may NOT cover costs related to:
- Reputational harm
- Loss of future revenue
- Technology fixes
- Loss due to lax security (not installing security patches and software updates)
- Loss due to unencrypted data
- Lost value of the primary victim’s IP
- Government claims
- Vicarious liability for the breach of a vendor
Given that cyberattacks will cost the average U.S. business $15 million in 2015, and the majority of small businesses will close their doors within 6 months of an attack, cyberinsurance may be worth the investment. That said, implementing a proactive defense strategy is important not only to improve your risk profile from the perspective of a potential insurer, but also to prevent an attack in the first place.