The dramatic increase in cyber attacks over the last few years has driven a close alignment between cybersecurity practices and Cyber Insurance, and underwriters are looking closely at applicants’ cybersecurity practices. Because underwriters offer the best Cyber Insurance terms to organizations that institute best-practice cybersecurity protections, cybersecurity practitioners are marketing to this need. But cybersecurity experts may not fully understand Cyber Insurance, which leads to misconceptions. We thought it might be helpful to list some common Cyber Insurance misconceptions.
Smaller organizations are not targets.
False! Criminals often target smaller organizations because the financial rewards can be significant and cybersecurity protections may be minimal.
Corporate policies cover cyber.
Technically yes, practically no. “Corporate policies” are really package policies that smaller businesses buy, which include general liability and property coverages. These policies may also provide limited coverage for other exposures like cyber. However, the cyber coverage provided in these policies is not comprehensive and the limits are small, meaning the coverage is inadequate. Don’t be fooled – do not depend on the cyber coverage in a package policy for cyber protection!
The application process is difficult.
Generally not. Underwriters will want to see basic information on your organization and its cybersecurity practices in order to assess the cyber exposure and to provide terms, but the process can be very easy. The information requested by underwriters has been reduced and also varies by the size and type of organization. In fact, you can get Cyber Insurance quotes on our website with minimal information and in a matter of minutes. Easy. Not hard.
Cyber Insurance is expensive.
No, but expensive is subjective. The primary drivers of Cyber Insurance pricing are the type of organization, revenue, number of records (or customers), cybersecurity protections and limits/deductibles sought. We have multiple Cyber Insurance options under $1,000 for smaller businesses.
Data Breach is THE exposure.
False! Ransomware, followed by fraudulent funds transfer (FFT), are the most frequent and damaging types of cyber attacks for small and medium-sized businesses. Claim statistics are roughly 40% ransomware, 30% FFT and 20% data breach (and vary depending on how insurers classify claims). Ransomware claims can shut down an organization, and FFT claims can create financial challenges for any organization.
Cyber Insurance replaces cybersecurity.
False. Cybersecurity is critical for any organization’s protection and an important part of underwriting Cyber Insurance. Cybersecurity avoidance will result in higher pricing and reduced terms, and maybe a cyber incident.
It is hard to qualify.
Generally not. As noted, underwriters are looking for organizations that have taken appropriate cyber security steps to protect themselves, and provide the best terms to those organizations – cybersecurity matters. Just because your organization does not have significant cybersecurity protections in place does not mean you will not get covered. But underwriters will expect organizations with significant exposures, such as funds transfer exposures, to have strong cyber protections in place.
MFA is required.
No, not always. MFA (multi-factor authentication) is expected for most organizations, but smaller, low-exposure organizations can obtain competitive Cyber Insurance without MFA. A more important question is how MFA is used: MFA is typically expected for email and for all key systems, particularly for administrator access.
So, what are the key cyber-security steps you can take?
Cyber exposures are real and significant, and some experts say it is not if but when a cyber incident will occur. For small and medium-sized businesses, a few basic steps can go a long way towards reducing cyber exposure and easing the process for getting the most attractive Cyber Insurance coverage and pricing, including:
- Awareness training – addresses human vulnerability
- MFA – MFA (multifactor authentication) should be in place for at least e-mail, remote access, and administrator accounts
- Endpoint detection – implement an endpoint detection and response tool
- Patching/updating – ensures that software used is up to date, reducing vulnerabilities
- Backups – regular and separate backup processes disconnected from your system will allow you to recover recent data
- Regulation – some regulators have imposed cyber security requirements, which must be followed
- Expertise – use both cyber security and Cyber Insurance experts to significantly improve your protection
- Trading parties – review your trading partners’ cyber security: are there indemnification protections in contracts, and do they maintain comprehensive Cyber Insurance?
- Email – protect with a secure e-mail gateway
- Data – do not retain unnecessary personal, health care, or financial data (like credit card information)
- Funds transfer – use expert third parties, such as credit card processors, and require alternative verification (i.e., not e-mail) on all funds transfers, such as wires
If you’re interested in learning about Cyber Insurance options and premiums for your business, reach out to the eSpecialty Insurance team! We’re here to help you find the coverage that’s right for you and your business.