The drumbeat of cyberattacks grew louder in 2017. The number of U.S. data breach incidents in 2017 hit a new record high of 1,579, according to the Identity Theft Resource Center (ITRC) and CyberScout®, a 44.7 percent increase over 2016. And the capper to that record-breaking year was undoubtedly the September announcement by Equifax, a credit reporting agency, that more than 145 million records had been compromised.
Of the five industry sectors that ITRC tracks, the business category topped the list for the third year in a row with 55 percent of the total number of breaches, while the medical/healthcare industry followed in second place with 23.7 percent. Yet most businesses don’t carry cyber insurance. According to The Council of Insurance Agents & Brokers (CIAB), about 31 percent of respondents’ clients purchased some form of cyber liability and/or data breach coverage in the last six months of 2017, compared to 32 percent in its May 2017 survey, and 29 percent in October 2016.
Given the escalating number of attacks and increasing financial costs (the average cost of a data breach in the U.S. in 2016 increased to $7 million, according to the Ponemon Institute), the rate of cyber insurance adoption is somewhat surprising. We believe there are three myths about cyber insurance that are keeping more businesses from adding these policies.
Myth #1: We don't need cyber insurance
Business leaders at large companies may have a false sense of security because they employ smart people and devote significant resources to security measures such as firewalls and encryption, or they incorrectly believe that they are not liable for data handled by a third party or stored in the cloud. But what they often fail to take into account is that cyber criminals also have significant resources and are focused day in and day out on finding any crack in a company’s armor.
Meanwhile, small and medium-sized businesses (SMBs) are often under the very wrong assumption that they are too small to be targets. A survey by Nationwide found that a majority of SMBs (57 percent) do not have a dedicated employee or vendor monitoring cyberattacks and another 34 percent do not believe they will be the target of an attack.
But in reality, half of all SMBs in the U.S. experienced a data breach in 2016 and 55 percent experienced a cyberattack, according to the Ponemon Institute. In the aftermath of an incident, SMBs spent an average of $879,582 due to damage or theft of IT assets, based on extrapolated calculations. In addition, disruption to normal operations cost an average of $955,429.
Despite the severe financial consequences, many SMBs do not have the budget and in-house expertise to protect their systems and networks against potential threats. Only 14 percent of small companies rated their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective, according to Ponemon.
Myth #2: We already have coverage
Another major reason that companies choose not to investigate cyber insurance is that they believe they are already covered under the general liability policy, and they are often unclear about stand-alone cyber insurance options.
According to the Insurance Information Institute, most traditional commercial general liability policies do not cover cyber risks, such as property damage, personal and advertising injury claims arising from access or disclosure of confidential information. Since traditional insurance policies do not cover these risks, insurers have developed policies to bridge the gaps. Typical cyber-related coverages can include:
- Data breach response and liability
Covers the expenses and legal liability that arise from a data breach.
- Computer attack
Covers damage to data and systems caused by a computer attack, such as a virus or other malware attack or denial-of-service attack.
- Network security liability
Provides defense and liability coverage for third-party lawsuits alleging damage due to the insured inadequately securing its computer system.
- Media liability
Covers defense costs and damages for claims asserting copyright infringement and negligent publication of media while publishing content online and via social media channels.
- Funds transfer fraud
Covers losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee.
- Cyber extortion
Covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
Myth #3: Coverage is not affordable
Another myth surrounding cyber insurance is that it’s not affordable. According to The Insurance Information Institute, premiums can range from a few thousand dollars for base coverage for small businesses (less than $10 million in revenue) to several hundred thousand dollars for major corporations looking for comprehensive coverage.
As part of the application process, some insurers offer an online and/or on-site security assessment free of charge regardless of whether the applicant purchases the coverage. This assessment is critical since cyber insurance is hardly a one-size-fits-all type of coverage. Different industry sectors represent different levels of exposure. For example, a small convenience store is a relatively low hazard compared to a medical doctor’s office. In addition to a simplified limit and deductible structure, different credits may apply if certain security procedures are in place, such as employee training.
Ironically, given the concern about price, cyber insurance prices have actually been declining. According to the CIAB, 62% of respondents said premium prices generally decreased over the last six months of 2017.
And, according to Marsh, US cyber insurance rates decreased 1.1%, on average, in the third quarter of 2017, the third straight quarter of decline.
Cybersecurity risks can seem very intangible, especially compared to risks such as fire, flood and bodily injury, but thousands of companies have already found that these risks can suddenly become all too real. Given the pace of cyberattacks and their financial repercussions, businesses of all sizes should ignore the myths around cybersecurity and seriously consider adding this coverage to protect operations.