Ransomware has evolved from an irritation into a global threat. In some cases, an attack can prove fatal.
An Alabama hospital suffered a ransomware attack in 2019, and a baby died as a result. According to a lawsuit filed by the baby’s mother, the child suffered severe brain injury because its umbilical cord was wrapped around its neck. The problem could have been prevented if key computer systems had been up and running, allowing the hospital to perform tests that would’ve detected the issue in time. But because of the attack, the hospital’s computer systems were down and the tests weren’t performed. The baby died nine months later.
In 2020, a German woman suffering from an aortic aneurysm died because the university hospital close by had been hit by a ransomware attack and couldn’t accept her. She was taken to another hospital 32 kilometers away, and the woman’s treatment was delayed by an hour.
Cyber Insurance: What You Need to Know
Ransomware attacks are increasing in frequency and sophistication. And IT teams have long accepted that getting hit by a ransomware attack is no longer a question of if but when. As a result, ransom demands and payments are continuing to go up. Palo Alto’s 2022 Unit 42 Ransomware Threat Report found that the average ransom demanded in 2021 was $2.2 million, which was 144% higher than 2020’s average of $900,000.
It’s no wonder organizations are getting cyber insurance to insulate themselves from the potentially crippling financial fallout. But what is cyber insurance, exactly? The quickest way to paint a comprehensive picture of cyber insurance is to break down what it covers and what it doesn’t.
What Does Cyber Insurance Cover?
Cyber insurance covers financial damage stemming directly from a cyber attack, such as the following:
- Network security coverage: Expenses associated with post-attack IT forensics, data restoration, legal fees, public relations, communicating the breach to customers, and mitigation of identity theft-related issues
- Media liability costs: Losses resulting from attackers releasing audio or video content prematurely—or if they leak something you never meant to publish
- Technology errors and omissions: Claims from customers who sue you because they lost money when you were unable to meet customer expectations or when your company discontinued certain services because it no longer had the infrastructure to support them
- Business interruption coverage: Earnings lost if you run an e-commerce site and your website becomes inoperable because of an attack
- Privacy liability issues: Financial loss resulting from exposed private information, for example, when hackers use stolen information to take money from a customer’s account and the customer holds your company accountable
What Does Cyber Insurance Not Cover?
Cyber insurance is, in many ways, like other types of insurance—there are certain costs it won’t cover, such as those resulting from:
- Customers doing business elsewhere: Cyber insurance doesn’t cover losses due to customers no longer wanting to do business with your company post-breach.
- Cybersecurity upgrades: Cyber insurance can’t be used to make cybersecurity improvements.
- Intellectual property theft: Cyber insurance won’t cover losses stemming from theft of intellectual property.
Pros of Cyber Insurance
No organization is immune to a cyber attack, and cyber insurance is a risk management strategy that many companies have come to rely on for the following reasons:
- Business interruption reimbursement: If your IT infrastructure fails as a result of an attack, customers who are unable to access your systems won’t be able to make payments. Platforms that rely on the system that got attacked will also stop generating revenue. A cyber insurance policy may cover losses incurred during this time period. Some policies may also cover increased business costs even after the attack.
- Offsetting the cost of a data breach: Cyber insurance may reimburse expenses related to a data breach. These can include litigation fees, security fixes, and the protection measures you put in place to safeguard sensitive data from malicious entities.
- Reimbursement of legal expenses: The legal costs you may incur after getting attacked can range from consultation fees to court appearances, from litigation expenses to fees you have to pay to customers. A cyber policy can help cover these costs.
Cons of Cyber Insurance
Cyber insurance can cushion organizations from the financial impact of a cyber attack, but there are also some drawbacks to consider:
- Inadequate coverage: Some of the most devastating financial effects of an attack aren’t covered by cyber insurance. For example, if investors decide to pull out because they’ve lost confidence in your organization, cyber insurance won’t cover that cost. If customers choose to take their business elsewhere, cyber insurance won’t cover the lost revenue, either.
- Price: Cyber insurance premiums have been steadily increasing, and that’s largely because the number of attacks—and the amounts hackers demand—have also been increasing.
- A double-edged sword: Attackers will more likely target your company if they know you can afford to pay the ransomware settlements they demand. Even if you try to conceal the fact you’re cyber-insured, they can get to you through your cyber insurance provider. Hackers are known to breach insurance systems to obtain insurers’ lists of customers.
Can Insurers Deny You Coverage?
The short answer is yes, they certainly can.
And that’s primarily due to the multimillion-dollar payouts and the rising number of attacks. So even if you have the resources to pay for cyber liability insurance, there’s no certainty you’ll get coverage.
In many cases, insurers will require prospects to put what they consider essential measures in place before they will even sit down to discuss coverage. Depending on the insurer and the company being insured, such measures may include, among others, multifactor authentication, endpoint detection and response (EDR), secure backup systems, privileged access management (PAM), and email filtering and web security.
Essential Cybersecurity Measures Your Organization Needs, Whether You Get Cyber Insurance or Not
In addition to getting insurance—or even if you choose not to—there are some things you can do to protect your company and make it harder for hackers to infiltrate your organization:
- Frequently update systems and applications: Manufacturers often release patches that address security problems, and updating your systems immediately after these are released ensures you have the most secure version of an app or your operating system.
- Educate everyone about cyber attacks: Keep all employees—and yourself—up-to-date on the latest forms of attacks and the methods attackers use. Cultivating a culture of cybersecurity awareness can be your most powerful defense against opportunistic hackers.
- Ensure your cybersecurity solutions are addressing your organization’s needs: Basic cybersecurity protection, such as firewalls and antivirus software, may not be enough to keep your company safe from threats. Assess your current needs and risks, then take the steps necessary to make sure your cybersecurity strategy is up to scratch.
- Employ the principle of least privilege: Protect your critical assets by giving network users just enough access privileges to perform their jobs. Do not grant any access right a user should not have. Deprovision users immediately after they leave the company or no longer need access to a particular application.
- Secure all endpoints: Secure all entry points to your organization’s network, such as laptops, desktops, and mobile devices. Employ endpoint security software to automatically examine all files entering your network.
Choosing the Right Cyber Insurance for Your Business
If you decide to buy cyber insurance to further shield your company from the negative consequences of a cyber attack, take the time to consider the options available to you. Different insurers offer different coverage, so make sure you understand what is and what’s not included. Work with an experienced broker to determine what’s right for your organization. In addition, only do business with a reputable cyber insurance vendor.
And perhaps most importantly, even after securing cyber liability insurance, continue to exercise caution. By putting robust security systems in place, you can protect business systems, customer information, and even the lives of those you serve.