Cyber insurance often gets a bad rap.
Turned off by surging premiums, widening exclusions, and increased scrutiny of applicants’ cyber hygiene practices, many businesses are choosing to roll the dice and go with little or no financial backstop against cyberattacks.
In fact, only 55% of North American companies polled recently by BlackBerry and Corvus Insurance said they have cyber insurance, and fewer than 20% have coverage valued at more than $600,000, which was the median amount ransomware attackers demanded last year.
To be fair, cyber insurance isn’t for everyone. Some behemoth companies don’t need it, since they have the budget and personnel to underwrite their own risk. But other companies are likely forgoing coverage because they don’t fully comprehend its value.
“Cyber insurance is probably the least understood product in the insurance market today, and it’s the most challenging,” says Scott Godes, a partner at Barnes & Thornburg LLP, a nationwide law firm that represents companies in insurance recovery cases.
Following are five common myths about cyber insurance—as well as a reality check from the industry insiders Focal Point interviewed.
Myth: Insurance is expensive, so it’s better to go it alone
Reality: Yes, with the explosion of ransomware attacks over the past few years, cyber insurance premiums have spiked. They were up an average of 28% in the first quarter of 2022 compared to the previous quarter, according to the Council of Insurance Agents & Brokers (CIAB).
And, yes, going it alone can be a viable approach for large companies that have huge security teams and feel confident in their ability to assess and mitigate risk, says Josephine Wolff, an associate professor of cybersecurity policy at the Fletcher School at Tufts University.
Forgoing insurance can also make financial sense for some smaller companies, adds John Pescatore, director of emerging security trends at SANS Institute, a cybersecurity training, certification, and research firm. “The cost of incidents generally scales with the number of customers impacted, either by a data breach or disruption of services,” he says.
For a small business with fewer than 10,000 customers, the cost of a policy may be less than $5,000 a year for $1 million in coverage and a $10,000 deductible, Pescatore says. That will likely cover the hard costs of an incident. But spending that $10,000 does not mean you can skip investing in cybersecurity, as you’ll simply leave yourself open to much costlier and more frequent attacks.
Jason Rebholz, CISO for Corvus Insurance, agrees that cyber insurance isn’t for everyone. But he maintains that investing in insurance is worthwhile because most companies do not have the technical or financial ability to withstand data breaches, which Forrester estimates cost organizations $2.4 million on average. Although costs vary widely according to the level of coverage needed, the typical cyber insurance premium in the United States in 2021 was $1,589 a year, according to AdvisorSmith Solutions, a small-business research firm.
“As a CISO, I would love an unlimited budget to handle security incidents,” Rebholz says. “But I’m also not under the misperception I’d ever have enough to handle anything coming my way. That’s where cyber insurance can help.”
Myth: My business is too small to be attacked
Reality: A cyberattack is coming for small businesses, if it hasn’t hit them already. AdvisorSmith Solutions estimates nearly 42% of small businesses experienced some form of cyberattack in 2021. Admittedly, 24% of those appeared to be low-level phishing attacks. But 19% were full-scale data breaches, and 11% were potentially business-killing ransomware attacks.
The reality is that small to medium-sized businesses (SMBs) are not immune to cyberattacks, and being hit by one can be disastrous. Digital attacks cost the average small business up to $25,612, according to Hiscox, a business insurance provider. Yet 66% of small-business decision-makers believe they are too inconsequential or under-the-radar for cybercriminals to care about.
Rebholz says that attacks aren’t as targeted or personal as many small-business leaders might believe. “Attackers don’t necessarily care who you are,” he says. “A lot of ransomware incidents, for example, are opportunistic attacks where attackers try to get access to anyone and everyone. If they find a batch of five or more companies, they’ll launch attacks against all of them, hoping one will pay.”
Myth: It’s risky to disclose too much to insurers about your cybersecurity practices
Reality: As with their applications for auto, health, and life insurance, many consumers have come to believe that disclosing too much to an insurance provider will result in higher premiums or denial of coverage. Security professionals, meanwhile, are already risk-averse and don’t like divulging too many of their trade secrets to anyone, let alone insurers they do not fully trust.
That reluctance to share too much often leads company executives to decide against getting insurance, minimize what they disclose on often lengthy insurance applications, or fudge their responses.
But these approaches benefit no one, says Rebholz. He says insurers want as much ongoing information as possible, in order to proactively head off cyberattacks that might prove costly to the insurer and policyholder alike. At the same time, he notes, cyber insurers could offer better rates to policyholders who show they are following cybersecurity best practices—much as auto insurers offer safe-driving discounts.
Gary Davis, chief cybersecurity advocate at BlackBerry, a cybersecurity software provider, says policyholders are beginning to come around to a more proactive way of thinking and are being more forthcoming about their cybersecurity strategies. “Our research showed that 64% of companies would be comfortable sharing their security posture insights with their carrier in exchange for lower cyber insurance coverage costs,” he says. “The risk of believing this myth is that the opposite outcome could happen: Your premiums could go up because your cyber defenses are weak or vulnerable.”
Myth: Insurance providers will look for ways to get out of paying a claim
Reality: It’s always possible that an insurer could deny a claim if an organization gets attacked. It happens all the time.
But, typically, denials occur because policies do not cover a scenario. This is one of the most common misperceptions people have about insurance. They purchase a homeowner’s policy, for example, and are stunned to learn it doesn’t cover damage from an earthquake or flood. Similarly, when some companies get hit with a ransomware attack, they buy new hardware as part of the recovery process and are shocked to learn insurance won’t cover those kinds of upgrades.
Rebholz says businesses shouldn’t reject cyber insurance because it may not pay enough. Instead, they should get protection with their eyes wide open. It’s vital to know what’s in a policy, he says. If it does not cover certain scenarios, such as legal costs related to an affiliate that’s also affected, executives should investigate other options.
Insurers may also decline or even revoke coverage if policyholders don’t live up to what they attest in applications about their security posture. In other words, if they claimed to have multifactor authentication but did not actually use or maintain it, that could become an issue.
“If you look at everything in the aggregate, the majority of claims are being paid out,” says Rebholz. “People just get tripped up on their assumptions about what policies cover.”
Myth: Basic cyber insurance is enough
Reality: Most times in life, you get what you pay for. If you only buy liability coverage for your older car and it’s wrecked, you won’t be able to replace it. Similarly, if you get the cheapest cyber insurance and something serious occurs, the consequences could be devastating.
“Our research shows 44% of companies don’t carry enough coverage to pay for the median ransomware demand, and 43% aren’t covered in the event of auxiliary expenses, like court costs and employee downtime,” says Davis of BlackBerry. “The risk of believing this myth is you could become the victim of an attack where the potential cost of digging out is more than your business can reasonably afford.”
Companies should choose to invest in cyber insurance based on reality rather than myths, the experts interviewed for this article agreed. At the same time, security pros should not let down their guard, says Sean O’Brien, a visiting fellow at the Information Society Project at Yale Law School. “When you get insurance for something, it can make you sloppy in practice and policy,” he says. “You feel as if you are going to be covered when disaster hits and so you might not be as attentive as you should be.”
Ultimately, O’Brien argues, avoid letting your insurance coverage hold you back from fully embracing a robust security strategy. In the end, that always pays off.