Xamin and the Couch Braunsdorf Insurance Group recently came together to discuss the convergence of cyber insurance and cybersecurity. In a webinar, we examined the cost of a data breach, today’s cyber insurance landscape, and how a proactive approach to your cyber insurance policy can help build a better security foundation.
Below are the highlights from our conversation. If you’re a business owner or leader, we encourage you to view the full webinar here, which includes more examples of tested cybersecurity controls and the ins and outs of insurance claims.
The cost of a data breach
Reaching an all-time high, the cost of a data breach averaged USD 4.35 million in 2022. This figure represents a 2.6% increase from last year, when the average cost of a breach was USD 4.24 million. The most costly country for a data breach? The United States—for the 12th year in a row.
Targets of data breaches tend to be organizations that hold valuable client data and are highly regulated and reputation-sensitive. Healthcare has been the highest-cost industry for 12 years in a row, with the average data breach costing USD 10.10 million in 2022.
The three primary ways in which attackers access an organization are stolen credentials, phishing, and exploitation of vulnerabilities. Use of stolen or compromised credentials remains the most common cause of a data breach (19%) and takes the longest to recover from—but phishing tends to be the costliest.
Understanding the importance of cyber insurance
Because of the heightened risk, any business that deals with sensitive information—including credit card numbers, medical information, social security numbers, or any other personal information—should have cyber insurance in order to protect customer information, industry relations, and business reputation.
However, the concept of cyber insurance is both relatively new and ever-evolving, and many business owners—especially small business owners—might see the cost as unnecessary. Although small businesses may not have the resources to invest heavily in cybersecurity, they are not immune to cyber threats. In fact, small businesses are often targeted precisely because they are perceived as easier targets with lower security and more to lose, thus making them more open to negotiation with those holding their data for ransom.
In the case of a cyber attack, cyber insurance will help to recoup losses, pay for investigations, and cover legal costs. With those costs mitigated, having cyber insurance gives you the resources to get your organization back in business following a cyber attack.
Generally, a cyber insurance policy can include coverage for the following:
- Damage to your IT infrastructure as a direct result of a cybercrime, including:
- Payment of ransomware
- ID restoration and credit monitoring
- Data restoration
- PR expenses
- Legal expenses, including any incurred due to breach of contract with a client
- Business interruptions as the direct result of a breach
- Replacement hardware damaged by malware
If you are currently covered under a cyber insurance policy, you should look closely at how cybersecurity threats are assessed in your plan. Employees can often be the cause of breaches, and some policies might not cover accidental actions caused by falling for social engineering attacks like convincing phishing emails. Additionally, if there is a large breach that affects many people from many different industries, some insurance policies will deny coverage as they only cover targeted attacks where your organization was specifically sought out for a breach.
The impact of cyber insurance on cybersecurity
Only one thing helps decrease the cost of cyber insurance: stronger cybersecurity. Even as the cost of cybersecurity has continued to mount, many carriers have decreased what their policies will cover—and have become more selective about the risks they’re willing to take on by creating stricter criteria for those who want to sign up for coverage.
With greater barriers to entry, organizations that understand the risk but do not yet have strong cybersecurity systems are being turned away from coverage. And with limited resources, small businesses need to be strategic about where they invest in cybersecurity.
But as businesses grapple with the escalating financial and reputational costs of cyber attacks, the insurance market has transformed into a powerful catalyst for change, encouraging businesses to embrace the following tactics:
- Heightened sense of awareness
- Framework for industry best practices
- Better response planning
- Thorough third-party vendor assessments
- Emphasis on continuous improvement
By providing organizations with financial protection against cyber threats and incentivizing proactive security measures, the rise of cyber insurance has encouraged businesses to invest more in safeguarding their digital assets. As cyber threats continue to evolve, the synergy between cyber insurance and cybersecurity will remain a critical aspect of modern risk management, emphasizing the need for constant adaptation and improvement in both realms to stay ahead of the ever-changing threat landscape.