Cyber insurance can be a difficult beast to wrangle. Many businesses are choosing to take a gamble and go with little or no financial backup against cyberattacks. These companies are commonly turned off by widening exclusions, surging premiums and increased scrutiny of applicants’ cyber security practices.
And because it’s not fully understood, there are a decent number of cyber insurance misconceptions floating around.
BlackBerry and Corvus Insurance recently polled North American companies and found that only 55 percent said they have cyber insurance, and fewer than 20 percent have coverage worth more than $600,000, the median amount ransomware attackers demanded in 2022.
Scott Godes, a partner at Barnes & Thornburg LLP, a nationwide law firm that represents companies in insurance recovery cases, said “cyber insurance is probably the least understood product in the insurance market today, and it’s the most challenging.”
Here are five of the most common cyber insurance misconceptions and why you should rethink cyber insurance to safeguard your business.
1. Cyber Insurance Is Expensive, So I Shouldn’t Invest In It
Unfortunately, with the explosion of ransomware attacks over the past few years, cyber insurance premiums have spiked: premiums rose by an average of 28 percent in the first quarter of 2022 compared to the previous quarter, according to the Council of Insurance Agents & Brokers (CIAB).
And, yes, not investing in cyber insurance can be an approach for larger companies that have massive security teams and feel confident in their risk mitigation abilities, says Josephine Wolff, an associate professor of cyber security policy at the Fletcher School at Tufts University.
But what’s the real cost of cyber insurance?
For a small business with fewer than 10,000 customers, the cost of a policy may be less than $5,000 a year for $1 million in coverage and a $10,000 deductible, John Pescatore, director of emerging security trends at SANS Institute, a cyber security training, certification and research firm says.
A policy like that will likely cover the hard costs of an incident, but paying that premium does not mean you can skip investing in cyber security; you would simply leave yourself open to costlier and more frequent attacks, and insurers increasingly expect baseline controls to be in place before they will write the policy at all.
The bottom line is investing in insurance is worthwhile because the majority of companies simply do not have the technical or financial ability to handle data breaches, which Forrester estimates cost enterprise organizations $2.4 million on average. Although costs vary depending on the level of coverage needed, the typical cyber insurance premium in the United States in 2021 was $1,589 a year, according to AdvisorSmith Solutions, a small-business research firm.
2. My Business Is Too Small to Be Attacked
As it turns out, AdvisorSmith Solutions estimates nearly 42 percent of small businesses experienced some form of cyberattack in 2021. While 24 percent of those attacks were low-level phishing attacks, 19 percent were full-scale data breaches, and 11 percent were potentially business-killing ransomware attacks.
The unfortunate reality is that small to medium-sized businesses (SMBs) are not immune to cyberattacks, and being hit by one can be disastrous. Yet 66 percent of small-business higher-ups believe they are too “under the radar” or inconsequential for cybercriminals to care about.
In the 2021 NetDiligence cyber insurance claims study, 99 percent of claims ($537 million in total) came from small to medium enterprises (SMEs) with under $2 billion in annual revenue. “There is no clear correlation between the size of an entity and the magnitude of a cyber-related loss,” the study reports. “Sometimes a smaller organization will experience a very expensive claim (>$100 million) and a large organization will have a claim so small (less than $5,000) that it makes one wonder why the claim was filed in the first place… the most expensive incident during the five [years] occurred at an SME.”
3. You Shouldn’t Disclose Too Much to Cyber Insurers About Your Cyber Security Practices
As with auto, health and life insurance, many people have come to believe that disclosing too much to an insurance provider will result in denial of coverage or higher premiums. Security professionals are already risk-averse and don’t like divulging details of their defenses to anyone, let alone insurers they do not fully trust.
Unfortunately, that reluctance often leads company executives to decide against getting cyber insurance, to minimize what they disclose on increasingly lengthy insurance applications, or to fudge their responses in the hope of getting a better deal.
Here’s the reality: Cyber insurers want as much information as possible to proactively prevent cyberattacks that might prove costly to both the policyholder and insurer alike. Cyber insurers could even offer better rates to policyholders who demonstrate or reveal they are following cyber security best practices — similar to how auto insurers offer safe-driving discounts.
4. Cyber Insurance Providers Will Find Ways to Get Out of Paying a Claim
Typically, denials occur because policies do not cover a specific scenario. This is one of the most common misconceptions people have about insurance. For example, they might purchase a homeowner’s policy, and are shocked to learn it doesn’t cover damage from an earthquake or flood.
By the same token, when some companies get hit with a ransomware attack, they purchase new hardware as part of the recovery process and are stunned to learn insurance won’t cover those kinds of upgrades.
Cyber insurers may also revoke or decline coverage if policyholders don’t live up to what they attest in applications about their security posture, as discussed in the previous section. For example, if a company claimed to have multifactor authentication on all accounts but never fully rolled it out, or let enrollment lapse as staff changed, the insurer can treat the application as a misrepresentation and deny the claim or rescind the policy.
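The attestation point above is where a practitioner should verify before signing rather than after a claim. The script below is an added example, not code from the article or from any insurer or firm it quotes: it reads a user export from an identity provider and reports the gaps an underwriter's MFA question is really asking about. The column names (`user`, `role`, `mfa_enrolled`, `last_login`) and the sample rows are constructed assumptions; adapt them to whatever your identity provider actually exports.

```python
"""
Check an MFA attestation against an identity-provider user export.

Assumptions (hypothetical, adapt to your environment):
  - the export is CSV with columns user, role, mfa_enrolled, last_login
  - role is one of admin / user / service
  - last_login is an ISO date (YYYY-MM-DD)
The SAMPLE_EXPORT rows are constructed for illustration.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export: one admin and one dormant user lack MFA.
SAMPLE_EXPORT = """\
user,role,mfa_enrolled,last_login
alice@example.com,admin,true,2024-05-02
bob@example.com,user,true,2024-04-28
carol@example.com,admin,false,2024-05-01
dave@example.com,user,false,2023-11-15
svc-backup@example.com,service,false,2024-05-03
"""


def load_accounts(csv_text):
    """Parse the export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        accounts.append({
            "user": row["user"].strip(),
            "role": row["role"].strip().lower(),
            "mfa": row["mfa_enrolled"].strip().lower() == "true",
            "last_login": datetime.strptime(row["last_login"].strip(), "%Y-%m-%d").date(),
        })
    return accounts


def mfa_gaps(accounts, today, stale_after_days=90):
    """Report the findings an insurer's 'do you use MFA?' question hinges on.

    - privileged_without_mfa: admins with no MFA (the worst finding)
    - active_without_mfa: human accounts used recently that have no MFA
    - stale_accounts: dormant human accounts, MFA or not (unmaintained
      access is its own misrepresentation risk)
    - service_without_mfa: non-interactive accounts, listed separately
      because they usually need a compensating control rather than MFA
    - mfa_coverage_pct: share of human accounts with MFA enrolled
    """
    cutoff = today - timedelta(days=stale_after_days)
    report = {
        "privileged_without_mfa": [],
        "active_without_mfa": [],
        "stale_accounts": [],
        "service_without_mfa": [],
    }
    humans = 0
    humans_with_mfa = 0
    for acct in accounts:
        if acct["role"] == "service":
            if not acct["mfa"]:
                report["service_without_mfa"].append(acct["user"])
            continue
        humans += 1
        if acct["mfa"]:
            humans_with_mfa += 1
        if acct["role"] == "admin" and not acct["mfa"]:
            report["privileged_without_mfa"].append(acct["user"])
        if acct["last_login"] < cutoff:
            report["stale_accounts"].append(acct["user"])
        elif not acct["mfa"]:
            report["active_without_mfa"].append(acct["user"])
    report["mfa_coverage_pct"] = round(100.0 * humans_with_mfa / humans, 1) if humans else 0.0
    return report


def attestation_holds(report):
    """True only if 'all users have MFA' would be a truthful answer."""
    return not report["privileged_without_mfa"] and not report["active_without_mfa"]


def run_sample_check(today=date(2024, 5, 10)):
    """Run the check against the constructed sample with a fixed date."""
    return mfa_gaps(load_accounts(SAMPLE_EXPORT), today)


if __name__ == "__main__":
    result = run_sample_check()
    for key, value in result.items():
        print(f"{key}: {value}")
    print("attestation holds:", attestation_holds(result))
```

Run it against a real export on the same day you fill in the application, and keep the output with your copy of the form: if a claim is ever questioned, a dated record that the attestation was true when made is far better evidence than a recollection.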
The reality is the majority of claims are being paid out, but people make assumptions about what policies cover.
5. Basic Cyber Insurance Is Good Enough
If you only buy liability coverage for your car and it gets totaled, you won’t be able to replace it. Similarly, if you find the cheapest cyber insurance and something disastrous occurs, the consequences could be devastating for your business.
In the 2021 NetDiligence cyber claims study, the average ransom amount was $146,000, the average cost of crisis services was $72,000, and the average total cost of an incident was $267,000 for SMEs. The risk of believing this misconception is that the cost of digging out from an attack ends up being more than a minimal policy, or your business, can reasonably absorb.
So, How Should I View Cyber Insurance?
“Shut down your network for two days and tell me how your day goes. If it isn’t that important to you, try. Try preparing tax returns, try building bridges, try making cars – it won’t work too well,” says Justin Reinmuth, founder and CEO of The Technology Risk Underwriting Group.
If you choose to get cyber insurance, don’t let having coverage become a reason to skimp on a robust cyber security strategy; the policy is a backstop for what your controls miss, not a substitute for them.
“If you take out that cyber insurance, hopefully when an event does occur it’s just a tropical storm and not a Category 5 tornado.”