Unless you’ve been living under a digital rock, you’d know that cybercrime is not only rampant in 2023—it’s here to stay. In fact, the FBI’s Internet Crime Complaint Center has received over 5.6 million complaints since its inception in 2000. According to its 2020 Internet Crime Report, in the past five years alone, total internet crime-related losses are estimated at $13.3 billion.
The threat extends well beyond the bottom line too. A cyber-attack can damage your business’ computer system, cause irreparable harm to your brand reputation, and put your customers and employees at risk. That’s why it should come as no surprise that cyber insurance has quickly become one of the most sought-after forms of liability coverage in the world.
WHAT IS CYBER INSURANCE?
Cyber insurance is a line of specialty insurance that’s designed to protect businesses and individuals from internet-based risks such as data breaches, ransomware, phishing, and more. There are two types of coverage in most cyber insurance policies:
- First-Party Coverage: This covers any costs that are directly incurred by the insured, such as data destruction, extortion, and business interruptions caused by the attack.
- Third-Party Coverage: This protects companies from lawsuits and helps compensate the victims of breached data, defamation, and other cyber security cases.
Many people believe cyber insurance is included in their commercial liability coverage and thus they don’t need a separate policy. Unfortunately, this is far from the truth. While some policies have language that includes cyber insurance-related terms, these packages don’t have high enough limits and aren’t intended to cover the myriad of cyber threats your business could face at any moment.
WHAT DOES CYBER INSURANCE COVER?
Cyber insurance can cover the costs incurred from any and all of the following:
- Credit card fraud
- Identity theft
- Stolen funds
- Data loss and restoration
- Computer system repair
- Extortion and blackmail
- Damaged brand reputation
- Business interruption
- Cyber-attack investigation
- Legal fees and expenses
WHO NEEDS CYBER INSURANCE?
The truth of the matter is every business—large or small—should invest in at least some form of cyber insurance. You may not think your business would be a target, but most criminals don’t care where their money comes from, and oftentimes small and mid-sized businesses are the ones most vulnerable to an attack.
If your company collects Personal Identifiable Information (PII) from your customers, you should absolutely invest in cyber insurance coverage. One of the most significant issues in cyberspace right now is having the PII of your clients or customers stolen. The problem is, because so many things are considered PII (name, email, address, phone number, SSN, etc.), most companies are collecting it whether they realize it or not. Medical related PII in particular has proven to be very costly to insurance carriers as its much more valuable to criminals. If this data is ever breached, you could have a significant exposure on your hands.
Cyber insurance is also a great option for many individuals, particularly those who own a business or have a public profile. Having this type of personal liability coverage can help protect your assets, identity, and public image.
WHAT INDUSTRIES DO CYBERCRIMINALS TARGET?
The truth is cyber criminals can—and will—threaten any sector. With that said, there are some industries that report far more cyber-attacks than others. If your business is in one of the following industries, you should seriously consider reviewing your cyber insurance policy.
The most targeted industries for cybercrimes:
WHAT ARE THE MOST COMMON CYBER SECURITY THREATS?
One of the biggest challenges cyber investigators and security experts face is that the landscape is constantly evolving, with new “flavors of the month” popping up all the time. Some of the biggest offenders have managed to stand the test of time, though, and include the following:
- Social Engineering
- Dependent Business Interruption
- Invoice Manipulation
- Crypto Jacking
To learn more, read our post about these 8 cyber security threats and how to prevent them.
WHAT CYBER SECURITY MEASURES DO YOU RECOMMEND?
At Christensen Group Insurance, we strongly urge all of our clients to immediately implement the following cyber security measures if they are not already in place. Failure to enact these controls may result in a non-renewal or a material change in your premium and/or coverage.
Recommended Cyber Security Measures:
- Add multi-factor authentication protection on all remote access to your network (including any remote desktop protocol connections), email servers, cloud services, and data backup solutions.
- Include multi-factor authentication protection on all network administrator accounts and any other user accounts with elevated permissions within your network.
- Use a robust backup solution that is either disconnected (“air-gapped”) from your network or segregated from your network with multi-factor authentication access control. Backups should be tested frequently and, ideally, be capable of restoring essential functions within 24 hours in the event of a widespread ransomware attack across your network.
- Implement next-generation anti-virus protection, including automated endpoint detection and response functionality on all endpoints. All detected endpoint activity should be monitored and investigated 24/7/365.
- Enable an email filtering solution that pre-screens emails for potentially malicious attachments and links. If using Office 365, we strongly recommend enabling the Microsoft Advanced Threat Protection add-on.
- Implement employee training programs so your staff can more easily recognize and avoid phishing and other blatant scam attempts. Send out random “test” emails disguised as a phishing attack to identify which team members require additional training.
HOW HAS THE CYBER INSURANCE LANDSCAPE CHANGED OVER THE YEARS?
In the late 1990s/early 2000s, cybercriminal activity was just beginning to take off, and most businesses in the United States were completely unaware of what it was about to become. Cyber insurance was in its infancy, with a few London-based markets at the forefront.
In the early years, everybody was worried about liability, lawsuits, and losing their credit card information. It wasn’t until the monumental Target data breach in 2013—in which hackers stole 40 million credit and debit records and which ultimately ended in an $18.5 million settlement—that businesses started to take notice. Since then, the cyber insurance landscape has evolved at a rapid pace, making placement much more difficult than in years past.
In light of recent cyber risks, carriers are now asking for additional underwriting information from businesses before policies will be granted. In order for clients to look more appealing to underwriters—and to establish better cyber controls—insureds should be implementing the cyber security measures below.
WHAT YOU NEED TO KNOW ABOUT CYBER INSURANCE IN 2023
The most important thing you need to know is that the industry is in a period of transition, and you should plan accordingly if you want to properly manage your cybercrime risk. Look for the following cyber insurance trends in 2023 and beyond.
Attestations will become a thing of the past
Insureds will need to prove—with proper documentation, of course—that the cyber security measures they say are in place are truly there.
The burden of proof will be on the insured
In order to prove the security measures outlined in the policy were being properly adhered to following a breach, the burden of proof will no longer be on the insurance companies.
Catastrophic coverage will be an exclusion
To maximize the possibility of a full payout, business owners and stakeholders will need to keep detailed records of their cyber insurance requirements and show there are methods in place to reduce risks.
Insurance premiums will go up
Depending on your industry, these increases could be anywhere from 30-50%. The healthcare industry, in particular, is experiencing triple-digit increases in some cases.
Getting insured will become more difficult
Businesses that cannot verify proper security measures will not be renewed, even if the company has had a longstanding relationship with their insurance provider.
FINAL THOUGHTS ON CYBER INSURANCE
When it comes to the ever-changing landscape of cybercrimes, our best advice is to be proactive and get your cyber insurance applications completed as soon as possible. If you’re lacking the necessary controls, it’s better to have an underwriter inform you now before it’s too late and you don’t get renewed.
If you’re worried your business may not be renewed—or you’ve already been denied—the cyber insurance experts at Christensen Group can help. Contact us today and we’ll walk you through the cyber security requirements you need to meet and help identify your business’ liability risks.