- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
As cyber threats have increased in recent years, more organizations are turning to cyber insurance to mitigate their financial risks. In this article, we’ll review cyber insurance basics, including what cybersecurity insurance is, how it works, what it covers, and what it costs. By the end, you will understand the different types of cyber insurance, the benefits of coverage, and how cyber insurance fits into a comprehensive security strategy.
What Is Cyber Insurance?
Cyber insurance, also called cybersecurity insurance or cyber liability insurance, is an insurance policy that covers the losses a business might suffer from a data breach or cyber attack.
Data breaches can result in significant financial losses and legal penalties for businesses—not to mention harm to reputation. Because internet-based threats that impact IT infrastructure, policy, and data aren’t typically covered by commercial liability insurance, many organizations are adding cyber insurance coverage to mitigate their security risks as part of a comprehensive cybersecurity posture.
Brief History of Cyber Insurance
Cyber insurance has gained a lot of attention recently as an emerging and fast-growing market amidst increasing cyber threats. But it’s actually been around for over 20 years. The first iteration of cyber insurance was created in 1997 by Steven Haase, who was working for an insurance agency focused on insuring technology companies. Several of his clients, including a large network security company, were early internet adopters and needed help protecting their data online.
After searching the marketplace, Haase found that agencies were reluctant to take on the risk. Cyber exposure was so new that there weren’t any methodologies in place for loss prevention. However, he got lucky when he met with a friend at AIG who was looking to create a new product line. Together, they created the Internet Security Liability Policy—the first cyber risk policy. Within a few years, the global cybersecurity insurance market emerged.
Evolution of cyber risk insurance
Today, cyber insurance is one of the fastest growing lines of business in the insurance industry, and the market is expected to reach $29.2 billion by 2027. But how did it get here?
Initially, cyber insurance policies were add-ons to traditional liability coverage for companies in the tech and security industries. Typically, these products only covered third-party liabilities—such as losses to the business’s clients. However, by the early 2000s, cyber insurance brokers began offering first-party coverage as well, which provided protection for losses to the businesses themselves.
By the mid-2000s, growing cyber risks and high-profile breaches led to increased demand for cybersecurity insurance coverage for all businesses—not just those in the tech space. As a result, more insurance agencies started offering cyber insurance as a standalone product.
Then, in 2020, the COVID-19 pandemic forced many organizations to operate remotely, leading to widespread use of mobile devices, remote access to business systems, and migration to the cloud. While remote work had many advantages for businesses and employees alike, this transition dramatically increased the threat landscape and drove home the need for more cyber risk mitigation strategies like cyber insurance.
Why is Cyber Insurance Important?
Cyber attacks have grown exponentially in recent years, causing billions of dollars in losses and damages. In fact, cyber threat is now seen as the top risk to business in seven out of eight countries surveyed—ahead of the pandemic, economic downturn, and skills shortages.
If a business faces a significant data breach or cyber attack, it may struggle to recover without additional support and resources. After all, most businesses operate on relatively lean day-to-day budgets, and with the average global cost of a data breach totaling $4.35 million, it’s easy to see how just one cyber attack could devastate a company.
Cyber insurance plays a critical role in mitigating these growing risks for businesses, particularly as more and more organizations migrate to the cloud and support remote workers.
Regulations on cyber security are increasing
Financial protection isn’t the only reason more companies are turning to cyber insurance. Government and international regulations and standards in cybersecurity are also incentivizing cyber insurance uptake. As regulatory mandates increase, organizations are relying on cyber insurance to help fill in the gaps in their coverage and improve compliance across the board.
For example, privacy laws such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the European Union’s General Data Protection Regulation (GDPR) impose strict standards for the handling and securing of private data—with steep penalties for those found non-compliant.
In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law. It will require critical infrastructure companies to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA). Additionally, the U.S. Securities and Exchange Commission (SEC) proposed a rule in March 2022 requiring publicly listed companies to report cybersecurity incidents, their cybersecurity capabilities, and their board’s cybersecurity expertise and oversight.
Regulations like these motivate companies to protect themselves from potential breaches that could carry the additional costs of regulatory fines and damages, on top of business losses.
Cyber insurance improves compliance and security posture
Cyber insurance can help protect companies by covering:
- Audits of their cybersecurity posture to ensure compliance with new standards
- Post-breach notification requirements and other compliance costs
- Liability expenses for non-compliance claims
Additionally, cyber insurance incentivizes stronger security practices by encouraging the adoption of best practices. If a company fails to meet the insurance agency’s minimum standards, the agency may not insure them—or they will incur higher premiums. By tying relative risk to the availability and cost of insurance, cyber insurance agencies push businesses to implement a stronger cybersecurity posture.
Benefits of Cyber Insurance
The number one reason businesses invest in cyber attack insurance is to address concerns about data security. But cyber insurance also helps companies address existing threats and vulnerabilities, achieve or maintain regulatory compliance, and secure customer-facing services and applications as part of a comprehensive risk management program.
Some of the main benefits of cyber insurance include:
- Forensic support
- Data breach coverage
- Cyber extortion defense
- Business interruption loss reimbursement
- Legal support
- Compliance support
Because nearly every business is at risk, supplementing general liability insurance with a cyber security insurance policy can offer comprehensive protection and peace of mind.
Issues with Cyber Insurance
The cyber insurance landscape is rapidly evolving. Despite the growing demand for cyber insurance (and in some ways because of it), cyber insurance presents several challenges for insurers and customers alike.
With the massive spike in cybersecurity incidents in recent years, demand has never been higher for cyber coverage. But with soaring cyber costs—and the potential for catastrophic financial damages in large-scale attacks—many insurers are re-evaluating their own exposure to these losses, imposing higher premiums and more limitations on coverage.
Rising costs are not the only concern though. Compared to traditional insurance products, cyber security insurance coverage can vary widely between providers. Cyber insurance is not yet standardized across the industry because it is a relatively new product. Each insurer has its own policy form and language, which can lead to confusion for customers trying to compare their options or understand what is actually covered.
Types of Cyber Insurance
To understand cyber insurance, it’s important to delineate between the two main types of data breach insurance coverage: first-party coverage and third-party liability.
First-party cyber coverage protects the company from direct losses due to a data breach or attack, including employee and customer information.
Third-party cyber coverage protects the company from liability when a customer, partner, vendor, or other party sues following a breach.
Specific insurance policies will provide coverage that falls under one or both of these types of insurance. More on this later.
How Does Cyber Insurance Work?
Cyber insurance works much like traditional liability insurance. Insurers offer various policies designed to cover common cyber risks, liabilities, and associated costs. However, cyber risk is difficult for insurance companies to quantify as it can vary so broadly between businesses and industries. So, often cybersecurity insurance companies will work more closely with the business during the underwriting process to identify coverage needs as well as existing compliance efforts.
For example, many insurers will want to see what policies and security measures are already in place to reduce cyber risk. Depending on the maturity of the cybersecurity program, the insurer may require certain security steps or standards before agreeing to cover the business.
Who Needs Cyber Insurance
Cyber insurance is no longer just for niche technology companies. Today, at least 41% of firms in U.S. and European markets have already invested in cyber insurance policies. Essentially, any business that stores sensitive client, customer, or partner data, or supports electronic transactions needs cyber insurance coverage. Here are the top reasons why.
Data breaches have major financial consequences
Cyber insurance is rapidly becoming an essential risk mitigation strategy for businesses and organizations of all sizes. And it's no surprise why: damages from breaches and attacks are getting too expensive (and frequent) to pay out of pocket.
The median cost of a cyber attack has risen 29% to just under $17,000.
Although breaches at large enterprises make the biggest headlines, large corporations are not the only organizations under threat. Cybercriminals are increasingly targeting small and medium-sized businesses. In fact, companies with revenues of $100,000 to $500,000 can now expect as many cyber attacks as those earning $1 million to $9 million annually. That means cyber insurance for small businesses is increasingly important going forward.
Help meeting regulatory compliance standards
Some industries have stricter cybersecurity standards than others, such as the financial and technology sectors. Achieving compliance in these industries can be daunting. Cyber insurance can help organizations meet regulatory standards before and after a cyber incident. Even organizations outside these highly regulated industries can benefit from cyber insurance support to ensure they are meeting their legal responsibilities.
IT businesses need additional liability protection
Since virtually all businesses have a digital component to their operations, cybersecurity is an important consideration for any company. Most companies will likely need first-party protection of their direct assets. But many businesses in the information technology industry could benefit from additional third-party coverage as well.
These businesses can include:
- IT consultants
- Software developers
- Network and security consultants
- App developers
- Web hosting businesses
These businesses directly handle and impact customer data and security, making third-party liability insurance essential for protecting them if and when a customer experiences a breach or cyber attack.
Cyber Insurance Coverage
What does cyber insurance cover?
Cyber insurance policies protect businesses against financial losses, system damages, and network security and liability due to a cyber attack or data breach.
Here’s what to look for in cyber insurance coverage:
First-party coverage against losses, such as data destruction, extortion, theft, hacking, and denial of service attacks.
This typically includes coverage for costs related to:
- Recovery and replacement of lost or stolen data
- Legal counsel to determine obligations
- Customer notification
- Lost income due to business interruption
- Fees, fines, and penalties related to the incident
For example, if a business’s website is hacked and customer credit card info is stolen, first-party cyber insurance can pay for expenses like credit monitoring, customer notification, and public relations campaigns to manage the reputational fallout.
Third-party liability coverage, which protects businesses from third-party claims against them. Coverage can include losses caused by errors and omissions, failure to safeguard data, or defamation. Cyber liability insurance is especially important for businesses that are responsible for their clients’ data and online security.
For instance, if an IT company’s client has a ransomware attack, the insurance policy can protect the IT company from losses if that client sues.
A third-party liability policy can cover expenses such as:
- Legal fees
- Accounting costs
- Judgments if the business is found liable
- Payments to consumers
- Losses related to copyright or defamation infringement
Some insurers will also provide additional benefits, such as regular security audits, post-incident investigative expenses, and criminal reward funds.
What cyber insurance doesn't cover
Cyber insurance can cover a variety of liability gaps, but there are some situations when insurance won’t cover a breach or cyber attack. These can include:
- Injury or property damage: Bodily injury or property damage claims do not fall under cyber insurance. To protect against these claims, businesses will need general liability insurance.
- Loss of property: Loss of property is typically covered under commercial property insurance. So if an employee loses a laptop with sensitive data, that may not be covered under cyber liability insurance.
- Criminal or intentional acts: Cyber insurance won’t cover damages that result from intentional, dishonest, or criminal acts by a business.
- Utility failure: If a utility system goes down, cyber insurance likely won’t cover any resulting losses.
- Weak security posture: With cyber threats increasing each year, insurance companies are starting to require security mitigation efforts before covering a business. This means that companies that don’t take minimum steps to protect themselves through best practice security measures may find their provider won’t cover losses that result from weaknesses in their security posture.
How Much Does Cyber Insurance Cost?
Cybersecurity insurance costs vary greatly depending on the size of the policy and other factors such as
- Company size
- Company revenue
- Company industry
- Level of access to data across the company
- Amount and sensitivity of data
- Level of network security
- Previous claims made
While exact rates differ between insurers, businesses can expect to pay anywhere from a few hundred to several thousand dollars, with premiums typically ranging from $10,000 to $25,000 a year for business cyber insurance.
Does Cyber Insurance Have a Deductible?
Yes. Like traditional insurance policies, cyber insurance also includes a deductible. This refers to the amount the company must pay out of pocket after a cybersecurity incident before the insurer will cover the costs. In addition to other industry and risk factors, premiums will differ depending on the size of the deductible but typically have minimums from $1,000 to $5,000 for policies with a $1 million total limit.
Can Cyber Insurance Replace Your Security Strategy?
While cyber insurance can protect companies from catastrophic losses, it doesn’t replace a strong prevention strategy. As a result, most providers now require good cybersecurity hygiene from clients before they will cover them. And often, the better the security, the lower the rates to insure. This means businesses must take steps to achieve a robust security posture.
How StrongDM Helps You Reduce Cyber Risks
Only 43% of businesses feel financially prepared to face a cyber-attack.
Businesses must adopt better security postures in order to access cyber insurance policies. StrongDM’s comprehensive Infrastructure Access Platform enables companies to streamline access management while implementing best-practice security policies. This includes endpoint detection and response (EDR), multi-factor authentication (MFA) network access, data encryption and protection, regular backups, and audits.
With StrongDM, you can make sure that the right people have the right access to your most sensitive information at the right time—helping your business meet regulatory compliance standards and reduce cyber risks so you can qualify for the best cyber insurance policies.
Get started today with StrongDM.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.