The prospect of loss motivates us to take precautions to reduce the impact an incident will have. It’s why we have insurance for nearly every aspect of our lives, from health insurance to renter’s insurance to a prenuptial agreement. But, even if you do everything right, something could still go wrong.
For retail and hospitality businesses, that looming potential loss increasingly these days isn’t the traditional physical threats we’ve always insured; it’s moved online, right alongside a good portion of our business. As a result, cyber liability insurance is a growing necessity for companies nervously watching ransomware attacks increase in frequency, targeting everyone from large corporations to US infrastructure.
Most businesses will already have insurance policies protecting their assets to shield them from liability should anything happen to their employees or customers, but these general liability policies most often focus on the physical and usually do not cover the fallout from a cyberattack. Cyber insurance is insurance that specifically protects your organization from liability stemming from a data breach or some other type of cyber incident.
What Does Cyber Insurance Cover?
Cyber insurance can cover many of the costs you would incur after a cyber breach. The most common one to come to mind here is ransomware. Yes, cyber insurance can cover the ransom from a ransomware attack, but these policies can also cover other associated costs such as:
- legal fees
- crisis management consulting
- cost of notifying your customers of a breach
- financial losses suffered while your business is shut down following an attack
- forensic investigations necessary to understand the extent of a breach
- getting your network back up and running post-incident
Much like any other type of insurance you can buy, cyber insurance companies offer a variety of policies with varying levels of coverage depending on your organization’s risks.
What Determines My Organization’s Cyber Risk?
To start, the cost of your cyber insurance is going to be based on a couple of basics about your business:
- Industry: Some industries are viewed as more vulnerable to attack than others. For example, organizations in the healthcare industry have seen lower limits on ransomware payouts and reduced coverage available.
- Business Size: While all sizes of businesses are vulnerable to attack, naturally, the bigger the company, the more human risk there is for phishing, etc. Larger businesses are also likely to have more remote access, more extensive networks, not to mention more money to be stolen.
- Type of Data: Risk will also depend on the data your organization can access. If you’re storing a lot of highly sensitive personal information, you’ve got more at risk.
Once the inherent risks are determined, the insurer will also evaluate the measures you’re taking to protect yourself from cyberattack. Of course, the insurer and the insured both know there is no such thing as a guarantee against attack, hence why insurance exists in the first place. Still, if the organization applying for a policy is taking precautions that protect them, they’re much more likely to be accepted and much more likely to pay lower premiums.
The market for cyber insurance has exploded over the last few years, as a rise in high-price attacks has driven more companies to want to offset the potential cost to their business. However, insurers have been watching the same news and have adjusted their prices accordingly, with the cost of insurance premiums rising right alongside the costs of ransomware attacks. They, too, do not want to lose money and are doing their due diligence to investigate a company’s cyber practices before insuring them. In fact, many insurance companies are using third-party cyber risk assessors to evaluate an applicant’s cyber risk.
Ultimately, you’re going to have lower premiums if you’re doing all of the things you should be doing anyway to avoid a breach. Both you and your insurer want the same thing, for you not to experience a cyber incident so that they will reward following industry best practices such as:
- Turning on multi-factor authentication and enforcing a strong password policy
- Cyber training for employees
- Effective third-party management
- Use of a Managed Security Services Provider
- Regularly installing patch updates
- Encrypting data and performing regular back-ups stored separately from the network
- Development of a clear incident response plan
- Regular penetration testing
- Limiting stored data and restricting network access
Finally, a great way to make sure you’re following best practices and reducing your cyber insurance premiums is by joining the ISAC for your industry. ISACs provide a platform for collaboration among cybersecurity teams in your field and are a great source of intel to strengthen your cybersecurity program. Some cyber insurers will ask if you’re an ISAC member as it demonstrates your organization has made a commitment to prioritizing cybersecurity.
Learn more about membership in the Retail & Hospitality ISAC to get started!