Every business faces cyber risk. Ineffective cyber risk management increases a business’s susceptibility to cyber breaches that bring heavy financial costs, regulatory fines, operational disruption, and reputational damage. This equation won’t change, so how will you change your business to better withstand cyber attacks?
Cyber breaches and costs reached all-time highs in 2021. The Identity Theft Resource Center (ITRC) reported 1,862 data compromises in 2021, up 68% from 2020 and 23% from the previous all-time high in 2017. IBM’s 2021 Cost of a Data Breach Report tracked the average total cost of a data breach at $4.24M, a nearly 10% increase from 2020 and another all-time high. As remote work grows and businesses become more reliant on technology to support operations, these numbers will only rise. Just one breach can have massive impacts on your finances, reputation, and operations — Deloitte’s 2021 “Future of Cyber Survey” found wide-ranging impacts.
Against this backdrop, cyber liability insurance is quickly becoming essential for many businesses. These insurance policies can be expensive, but the protection they offer can be invaluable in helping your organization withstand and recover from a breach. Here’s how cyber liability insurance works, why you need it — and three ways you can reduce your premiums.
What Is Cyber Liability Insurance?
Cyber liability insurance is an insurance policy that offers various levels of financial protection for businesses in the event of a cyber attack. These insurance policies can provide financial relief relating to pre- and post-breach response activities including breach prevention, assessing the impact of events, and improving cybersecurity posture post-breach. When exploring cyber liability insurance, organizations often discover that they need to better protect themselves from attacks, enhance remediation processes, help businesses notify impacted customers as required by law, recover and restore compromised data, and repair systems.
How Does Cyber Liability Insurance Work and Who Needs it?
After a business determines the need for cyber insurance, the insurer will customize coverage based on an organization’s risk profile and levels. These policies take on many shapes and sizes and can include coverage of expenses related to legal and regulatory defense, reputational crisis management, customer notification, data recovery, forensic investigation, IP infringement, extortion/fraud, claims/settlements, lost income, and more. As these policies can vary greatly, it is important to understand exclusions pertaining to your specific coverage.
Cyber liability is often excluded from general liability coverage. If your business handles sensitive data, it is important to understand the potential impact of a breach and consider whether cyber liability insurance is right for your organization.
Three Ways to Effectively Manage Cyber Risk and Reduce Cyber Liability Insurance Costs
Similar to auto insurance, underwriters consider several factors when calculating cyber liability insurance premiums, including ways to reduce premiums. Just like there are auto insurance discounts based on behavior (e.g. good driver, low mileage) or safety (e.g. new vehicle, anti-theft devices), there are also methods to reduce cyber liability premiums. Cyber liability insurance is designed to support an organization in effectively managing its financial, reputational, and operational cyber risk.
1. Financial: Understanding Your Organization’s Data, Supporting Processes, and Relevant Risks
The first step to managing your cyber risk is to identify, inventory, and classify the data your organization captures, stores, and shares. An organization will also need to understand their internal cybersecurity processes (e.g. encryption, multi-factor authentication, access, monitoring, training). Different data types bring different exposures and compliance requirements. You can use a combination of software/technologies, internal assessments, and physical audits to perform this step. Compliance frameworks like NIST CSF, ISO 27001, and CIS controls offer guidelines and best practices on how to effectively manage security around sensitive and confidential data.
Cyber Liability Insurance Impact: Organizations that adhere to security best practices and frameworks will have an advantage when shopping for cyber liability insurance. Insurers tend to reduce premiums for organizations aligned to cyber risk management best practices and adherence to accepted frameworks.
2. Reputational: Obtaining Third-Party Cybersecurity Certifications
To provide current and prospective customers assurance, consider seeking relevant cybersecurity certifications. These certifications are only available via independent third-party assessments, which allows them to be trusted and relied upon for their objectivity. The assessments also offer insight into how an organization manages risk and where additional resources should be deployed.
Cyber Liability Insurance Impact: A certification issued by a third-party assessor may significantly reduce premiums by offering evidence that your cybersecurity and IT compliance program operates within the guidelines of reputable governing bodies.
3. Operational: Implementing Software and Technology to Support Cybersecurity Processes
Managing cybersecurity and compliance can be time-consuming and challenging. A purpose-built technology solution can help organizations centralize, streamline, and track compliance efforts. Purpose-built solutions can reduce manual processes, provide insight into the development and effectiveness of a compliance program, as well as provide support to manage an evolving compliance landscape.
Cyber Liability Insurance Impact: The right technology solution makes it easier to provide evidence of effective cyber risk management and IT compliance to underwriters, as well as third-party assessors. Overall, this helps to reduce workload and premiums while enabling you to do more with less.
Getting Ahead of Cyber Risk While Keeping Costs Down
Cyber attacks are only getting more common and costly, and as a result, cybersecurity and compliance won’t get easier. More cybersecurity regulations and requirements are on the horizon, with the SEC proposing new disclosure requirements. It is important to make sure you’re using the right assessments, independent audits, and solutions to gain insight into the effectiveness of your cybersecurity program, and consider cyber liability insurance as another layer in sound cyber risk management.
Michael Condon, CISA, CIA, Certified Blockchain Expert, is a Manager of Compliance Solutions at AuditBoard. He brings over 7 years of experience in the IT Compliance and Cybersecurity industry helping organizations build, maintain, and support their compliance programs. Connect with Michael on LinkedIn.
Madison Dreshner, CISA, is a Manager of Compliance Solutions at AuditBoard. Madison joined AuditBoard from PwC, where she specialized in external reporting for a wide array of clients, including SOC 1 & 2 reporting, as well as SOX compliance. Connect with Madison on LinkedIn.