Unless you’ve been living under a digital rock, you’d know that cybercrime is not only rampant in 2024—it’s here to stay. Since its inception in May 2000, the FBI’s Internet Crime Complaint Center (IC3) has received over 7 million complaints. And, according to its 2022 Internet Crime Report, in the past five years alone, total internet crime-related losses have been estimated at $27.6 billion!

That’s why it should come as no surprise that cyber insurance has quickly become one of the most sought-after forms of liability coverage in the world. In this guide, we'll get you caught up on everything you need toknow about cyber insurance, including:

• A brief overview of cyber insurance
• Cyber insurance requirements in 2024
• Cyber insurance coverage for businesses
• Cyber insurance coverage for individuals
  

What is cyber insurance?

Cyber insurance is a line of specialty insurance that’s designed to protect businesses and individuals from internet-based risks such as data breaches, ransomware, phishing, and more. There are two types of coverage in most cyber insurance policies:

1. First-Party Coverage: This covers any costs that are directly incurred by the insured, such as data destruction, extortion, and business interruptions caused by the attack.
2. Third-Party Coverage: This protects companies from lawsuits and helps compensate the victims of breached data, defamation, and other cyber security cases.

Many people believe cyber insurance is included in their commercial liability coverage and thus they don’t need a separate policy. Unfortunately, this is far from the truth. While some policies have language that includes cyber insurance-related terms, these packages don’t have high enough limits and aren’t intended to cover the myriad of cyber threats your business could face at any moment.

How has the cyber insurance landscape changed over the years?

In the late 1990s/early 2000s, cybercriminal activity was just beginning to take off, and most businesses in the United States were completely unaware of what it was about to become. Cyber insurance was in its infancy, with a few London-based markets at the forefront.

In the early years, everybody was worried about liability, lawsuits, and losing their credit card information. It wasn’t until the monumental Target data breach in 2013—in which hackers stole 40 million credit and debit records and which ultimately ended in an $18.5 million settlement—that businesses started to take notice. Since then, the cyber insurance landscape has evolved at a rapid pace, making placement much more difficult than in years past.

In light of recent cyber risks, carriers are now asking for additional underwriting information from businesses before policies will be granted. For clients to look more appealing to underwriters—and to establish better cyber controls—insureds should be implementing the cyber security measures below.

What does cyber insurance cover?

Cyber insurance can cover the costs incurred from all of the following:

• Credit card fraud
• Identity theft
• Stolen funds
• Data loss and restoration
• Computer system repair
• Extortion and blackmail
• Damaged brand reputation
• Business interruption
• Cyber-attack investigation
• Legal fees and expenses

Who needs cyber insurance coverage?

The truth of the matter is every business—large or small—should invest in at least some form of cyber insurance. You may not think your business would be a target, but most criminals don’t care where their money comes from, and oftentimes small and mid-sized businesses are the ones most vulnerable to an attack.

Cyber insurance is also a great option for many individuals, particularly those who own a business or have a public profile. Having this type of personal liability coverage can help protect your assets, identity, and public image.

Cyber insurance requirements in 2024

To ensure comprehensive coverage against online threats, organizations must meet key cyber insurance requirements outlined in their policies. Here are seven common components to check off your cyber security risk management list:

1. Cultivate a cyber-aware culture—Start by fostering a culture of cybersecurity awareness among your workforce. To achieve this, begin implementing regular training sessions to ensure your employees understand their role in protecting sensitive data and systems.
2. Fortify your digital gates—Implement robust access controls to help mitigate the risk of unauthorized access to your critical resources. Utilize frameworks such as role-based or attribute-based access control to manage user permissions more effectively.
3. Proactively identify risk—Conduct routine vulnerability assessments to identify and promptly address any system weaknesses. Proactive scanning helps mitigate potential threats before they can be exploited by cybercriminals.
4. Strengthen your access security—Enhance your organization's security measures by implementing multi-factor authentication for remote access. This adds an extra layer of protection by requiring users to provide multiple forms of verification.
5. Develop a cyberattack response plan—Create and test a well-defined response plan to effectively manage the most common types of cyberattacks. Be sure to outline procedures for detecting, containing, and resolving security incidents, along with a post-incident analysis. We recommend you keep a hard copy of your plan where all key employees can easily find it. We have seen well-thought-out cyberattack response plans that are stored on a company’s server or in the cloud that become inaccessible during a ransomware attack. Even the best plans are worthless if you can’t find or implement them when needed.
6. Safeguard your sensitive information—Protect your Personal Identifiable Information (PII) and other sensitive data with encryption to prevent unauthorized access or manipulation. Encrypt data at rest and in transit to ensure the most comprehensive protection against cyber threats.
7. Control your infrastructure access—Manage access to your company's critical infrastructure with privileged access management solutions. Monitor and track all privileged user activity to detect and respond to potential security threats effectively.

By fulfilling these criteria, your organization can enhance its resilience against online threats and ensure comprehensive coverage under your cyber insurance policy.

2024 Cyber insurance trends

The most important thing you need to know is that the cyber insurance industry is in a period of transition, and you should plan accordingly if you want to properly manage your risk. Look for the following cyber insurance trends in 2024 and beyond.

• Attestations will become a thing of the past—Insureds will need to prove—with proper documentation, of course—that the cyber security measures they say are in place are truly there.
• The burden of proof will be on the insured—To prove the security measures outlined in the policy were being properly adhered to following a breach, the burden of proof will no longer be on the insurance companies.
• Catastrophic coverage will be an exclusion—To maximize the possibility of a full payout, business owners and stakeholders will need to keep detailed records of their cyber insurance requirements and show there are methods in place to reduce risks.
• Insurance premiums will go up—Depending on your industry, these increases could be anywhere from 30-50%. The healthcare industry, in particular, is experiencing triple-digit increases in some cases.
• Getting insured will become more difficult—Businesses that cannot verify proper security measures will not be renewed, even if the company has had a longstanding relationship with their insurance provider.

Cyber coverage for businesses explained

When it comes to cyber security, the threat extends well beyond your bottom line. A cyber-attack can damage your business’s computer system, cause irreparable harm to your brand reputation, and put your customers and employees at risk.

The truth is, no business is safe. Cybercriminals can—and will—threaten any sector. With that said, some industries report far more cyber-attacks than others. If your business is in one of the following industries, you should seriously consider reviewing your cyber insurance policy.

The most targeted industries for cybercrime include:

• Healthcare
• Energy
• Hospitality
• Construction
• Retail
• Manufacturing
• Human Resources

PII protection is a must

If your company collects Personal Identifiable Information (PII) from your customers, you need to invest in cyber insurance coverage. One of the most significant issues in cyberspace right now is having the PII of your clients or customers stolen. The problem is, because so many things are considered PII (name, email, address, phone number, SSN, etc.), most companies are collecting it whether they realize it or not.

Medical-related PII in particular has proven to be very costly to insurance carriers as it is much more valuable to criminals. If this data is ever breached, you could have a significant exposure on your hands.

What to look for in cyber insurance coverage

When evaluating cyber insurance policies for your business, consider the following factors:

• Coverage scope—Ensure the policy covers a broad range of cyber risks, including data breaches, network security incidents, business interruption, and regulatory fines.
• Policy Limits—Assess the coverage limits to ensure they align with your potential exposure to cyber threats and the financial impact of a breach.
• Incident Response Services—Look for policies that provide access to incident response teams, including forensic investigators, legal counsel, and public relations support.
• Third-Party Liability—Evaluate coverage for liabilities arising from third-party claims, such as lawsuits from affected customers or business partners.
• First-Party Losses—Consider coverage for first-party losses, including costs related to data restoration, business interruption, and extortion payments to cyber criminals.
• Regulatory Compliance—Ensure the policy covers expenses associated with regulatory investigations, fines, and penalties resulting from non-compliance with data protection laws.
• Cyber Extortion and Ransomware—Verify coverage for expenses related to ransomware attacks, including ransom payments, data recovery, and cyber extortion threats.
• Social Engineering Fraud—Look for coverage against fraudulent schemes, such as phishing scams or CEO fraud, where employees are tricked into transferring funds or sensitive information.
• Cyber Terrorism—Assess coverage for losses resulting from cyber-terrorism events, such as coordinated cyber attacks targeting critical infrastructure or public safety.
• Policy Exclusions—Review policy exclusions carefully to understand what types of incidents are not covered, such as acts of war, intentional misconduct, or pre-existing vulnerabilities.
• Premium Costs—Compare premium costs across different policies and insurers, considering the coverage limits, deductible amounts, and additional services provided.
• Claims Process—Evaluate the insurer's reputation for claims handling, including responsiveness, efficiency, and support throughout the claims process.

By carefully assessing these factors, businesses can select cyber insurance coverage that effectively mitigates their cyber risk exposure and provides financial protection in the event of a cyber incident.

Managing cyber risks in a down economy

To help minimize growing inflation concerns that have spanned across industry lines over the past few years, the Federal Reserve (Fed) has steadily been hiking up interest rates. Economic experts predict the Fed’s efforts will pay off in the coming years, with inflation issues subsiding throughout the year. Yet, some experts have forecasted that rising interest rates will ultimately cause a recession.

During a recession, businesses usually experience decreased sales and profit margins stemming from changing consumer behaviors, prompting them to reduce spending to avoid issues such as bankruptcy. Furthermore, a down economy can also create heightened cybersecurity risks. After all, cybercriminals have historically capitalized on social and economic crises by leveraging public uncertainty to launch additional attacks, as evidenced by the rise in healthcare scams and related cyber losses throughout the COVID-19 pandemic.

As such, businesses must understand the cyber exposures that may result from a recession and adjust their operations accordingly. This article outlines cybersecurity concerns for businesses to keep in mind amid a down economy and provides cyber security risk management strategies to mitigate such issues.

Cyber exposures in a down economy

An economic downturn could pose a variety of cyber risks for businesses of all sizes and sectors, including:

• Limited IT spending abilities—In preparation for a recession, businesses may implement strategies to decrease their spending and scale back certain operational costs. This could entail cutting IT expenses and, in turn, reducing available cybersecurity resources. While making difficult financial adjustments is common during a down economy, limiting IT spending may leave businesses unable to purchase new technology, conduct critical software updates, and invest in advanced security solutions to address the latest cyber threats. Consequently, companies’ digital defenses will likely degrade, making them increasingly vulnerable to cyber incidents and associated losses.
• Elevated skills shortages—Labor shortages have impacted the vast majority of businesses in recent years. Such shortages have contributed to widening cybersecurity skills gaps within many workplaces. Leading up to an economic downturn, businesses may implement hiring freezes or conduct staff layoffs, which theoretically could help decrease these skills gaps by allowing the talent pool to catch up with the demand for labor. However, shrinking workforces paired with rapidly evolving digital threats will likely only exacerbate demand for cybersecurity talent and compound skills gaps. Further, companies that limit or cut their cyber training programs as a cost-saving measure could encounter even larger skills gaps among their existing employees. As cybercriminals become aware of companies’ staffing changes, they may exploit these skills gaps by deploying additional attacks.
• Increased insider threats—Poor economic conditions affect both businesses and individuals. This means a recession could place some individuals in troubling financial situations, potentially pushing them to engage in activities they otherwise wouldn’t to help increase their incomes. A recent survey conducted by security company Palo Alto Networks confirmed that economic hardship can potentially lure a significant proportion of individuals into committing cybercrimes against their employers, thus driving up insider threats within businesses. These crimes may involve sharing confidential company data, distributing workplace login credentials or providing digital access to essential business assets in exchange for payment—all of which could result in costly cyber losses for impacted employers.
• Compounded cybercrime concerns—Apart from increasing insider threats, a down economy could also exacerbate existing cybercrime concerns resulting from external attackers. According to FBI data, cybercrime increased by 22.3% during the last major U.S. economic downturn—known as the Great Recession—which took place between 2007 and 2009. It’s certainly possible that history could repeat itself amid a future recession, taking already surging cyber incident frequency and severity to new highs.
• Heightened nation-state exposures—When a country enters a recession, other nations may attempt to exploit its economic weaknesses and further destabilize its operational frameworks by launching cyberwarfare and other digital attacks against its citizens and businesses. As a result, several U.S. industries could be more susceptible to nation-state cyberattacks during a down economy. Specifically, businesses in the private sector could be targeted due to their integral involvement in promoting a sufficient flow of capital; similarly, those in the public sector could be attacked due to their contributions to vital infrastructures. Considering cyberwarfare incidents are currently on the rise due to the ongoing Russia-Ukraine conflict, growing nation-state exposures could be particularly concerning for many businesses.
• Reduced innovation capabilities—As part of their decreased spending measures, businesses may cut back or eliminate funding for developing and adopting new cybersecurity solutions amid an economic downturn. However, cybercriminals’ attack methods will continue to advance, allowing them to exploit the shortcomings in companies’ prevention and response capabilities and exacerbate losses.
  

Cyber security risk management considerations

To combat the myriad of cyber risks, businesses should consider the following best practices:

• Have a plan—Cyber incident response plans can help businesses establish protocols for mitigating losses and acting swiftly amid cyber events. Successful plans should outline potential cyberattack scenarios, methods for maintaining key functions during these scenarios, and the individuals responsible for such functions. These plans should also provide procedures for notifying relevant parties of cyber incidents. Businesses should routinely review their plans to ensure effectiveness, making adjustments as needed.
• Conduct training—Employees are often the first line of defense against cyberattacks. That’s why businesses need to make cybersecurity training a priority. Employees should receive the following guidance during such training:some text
  • Avoid opening or responding to emails from unfamiliar individuals or organizations. If an email claims to be from a trusted source, verify their identity by double-checking the address.
  • Never click on suspicious links or pop-ups, whether they’re in an email or on a website. Don’t download attachments or software programs from unknown sources or locations.
  • Utilize unique, complicated passwords for all workplace accounts. Never share credentials or other sensitive information online.
• Purchase cyber coverage—No matter the economy, businesses must have sufficient insurance. Companies should consider purchasing dedicated cyber coverage to ensure financial protection against cyber losses.

By better understanding these risks and taking steps to mitigate them, businesses can reduce associated losses. Contact us today for more cyber security risk management guidance.

{{richtext-cta-business-insurance="/components/rich-text-cta"}}

Personal cyber coverage explained

Today’s society has grown increasingly digital, with many individuals leveraging smart devices within their daily lives. Although this technology can offer various benefits, it can also make individuals more susceptible to cybercrime. Such incidents have steadily become more common and costly. The FBI reported receiving more than 800,000 complaints regarding cybercrimes in the past year, totaling $4.2 billion in overall expenses.

These findings emphasize how critical it is for individuals to safeguard themselves and their families from cyber events. That’s where personal cyber insurance can help. Typically offered as an endorsement of a homeowners policy, this form of coverage can provide financial protection for losses resulting from a range of cyber incidents—including fraud, identity theft, and data breaches

The growing need for personal cyber coverage

Technology has continued to advance in the past decade, playing a larger role in how individuals live, work, and entertain. A variety of online platforms have given individuals the ability to stream content, communicate with others, shop for goods, and make electronic payments at the click of a button. Additionally, smart devices have allowed individuals to upgrade many household appliances (e.g., thermostats, fridges, doorbells, and security systems).

Altogether, this technology has contributed to the growing adoption of the Internet of Things (IoT), which refers to any devices that connect or send information to the Internet. Looking ahead, insurance experts anticipate that the average household will possess as many as 50 IoT-capable gadgets by 2023.

While these devices certainly offer several advantages, increased technology utilization also comes with greater cyber vulnerabilities. As technology advances, so do the tactics of cybercriminals—resulting in more frequent and severe cyber events.

Common cyber incident scenarios for individuals

• Bank fraud—This form of fraud entails a cybercriminal gaining unauthorized access to an individual’s electronic bank credentials, allowing them to transfer and steal funds from the individual’s account. According to a recent report from Norton LifeLock, cybercriminals steal over $170 billion each year via bank fraud.
• Identity theft—Such theft refers to a cybercriminal accessing an individual’s personal information (e.g., Social Security number or credit card number) and using it to commit fraud or other crimes under the individual’s name. The Federal Trade Commission confirmed that nearly 1.4 million complaints related to identity theft were filed last year, up 113% from the previous year.
• Data loss—If an individual’s device gets infected with a virus or other malicious software (also called malware), they face the risk of losing any valuable data stored on that device. Viruses and malware can come from numerous avenues, including harmful websites, dangerous email attachments, or infected USB flash drives—thus making data loss a major threat.
• Extortion—Ransomware incidents have contributed to a substantial rise in cyber extortion over the last few years. These incidents stem from a cybercriminal using malware to compromise an individual’s device (and any data stored on it) and demanding a ransom payment in exchange for restoration. In some cases, the cybercriminal may even threaten to publicly share the individual’s data if they don’t receive payment. According to cybersecurity experts, ransomware incidents have increased 500% since 2018, with the average ransom payment totaling over $300,000.
• Cyberbullying—While social media platforms allow individuals to connect with others, these platforms can also, unfortunately, be used for negative purposes, such as cyberbullying. This type of bullying refers to harassment, threats, or other intimidating language that occurs via electronic means. Although anyone can be a victim of cyberbullying, kids and teenagers are particularly vulnerable. The latest data from Pew Research revealed that 59% of teens have experienced cyberbullying.

Considering these risks, it’s clear that individuals can’t afford to ignore cybercrime. In addition to implementing effective cybersecurity practices, having adequate insurance in place is crucial. By investing in personal cyber coverage, individuals can properly protect themselves and their families amid cyber-related losses.

7 types of cyber insurance for individuals

Because cyber liability insurance is still a relatively new type of coverage, it is usually only available as an add-on to an existing homeowners policy. Further, certain insurers only provide this coverage as an endorsement for high-value homeowners policies. Yet, some insurers may offer standalone cyber insurance coverage.

Personal cyber insurance varies between insurers. However, there are many key coverage offerings available:

1. Online fraud coverage—This coverage can offer reimbursement for financial losses that may result from various types of online fraud, such as phishing scams, identity theft, or unauthorized banking.
2. Online shopping coverage—Such coverage can help pay for the cost of any goods that were purchased online but arrived damaged upon delivery or didn’t get delivered whatsoever.
3. Identity recovery coverage—This coverage can provide reimbursement for the expenses associated with recovering from an identity theft incident (e.g., rectifying records with banks or other authorities, hiring a consultant to assist with credit restoration, and taking unpaid time off from work to recover from the incident).
4. Data restoration coverage—Such coverage can help compensate for the cost of having an IT specialist recover a device and restore any data stored on it if the device gets infected with a virus or malware.
5. Data breach coverage—This coverage can offer reimbursement for the necessary notification and recovery services if private, nonbusiness data entrusted to the policyholder becomes lost, stolen, or published.
6. Cyber extortion coverage—Such coverage can help pay for the expenses associated with responding to a ransomware event (e.g., consulting an IT specialist to mitigate the extortion attempt and restoring compromised devices or data).
7. Cyberbullying coverage—This coverage can provide reimbursement for the costs that come with recovering from a cyberbullying incident resulting in unlawful harassment or defamation of character. These costs may include psychological counseling services, legal advice, temporary relocation expenses, and social media monitoring software. This coverage can also offer protection if an individual or their child engages in cyberbullying and faces subsequent legal action from the victim.
   

Moving forward, insurance experts expect the personal cyber coverage market to continue growing, allowing for more widely available policy options. In any case, individuals should consult trusted insurance professionals to discuss their specific coverage capabilities. For further cyber security risk management resources and insurance solutions, contact us today.

{{cta-personal-property="/components/rich-text-cta"}}

Final thoughts on cyber insurance

When it comes to the ever-changing landscape of cybercrimes, our best advice is to be proactive and get your cyber insurance applications completed as soon as possible. If you’re lacking the necessary controls, it’s better to have an underwriter inform you now before it’s too late and you don’t get renewed.

Failure to enact these types of controls may result in a non-renewal or a material change in your premium and/or coverage. For our recommended cyber security measures, check out our guide on the top 8 cyber security threats (and how to prevent them).

If you’re worried your business may not be renewed—or you’ve already been denied—the cyber insurance experts at Christensen Group can help. Contact us today and we’ll walk you through the cyber insurance requirements you need to meet and help identify your business’ liability risks.