Cyber Insurance FAQs for Small and Medium Business
For small and medium-sized businesses (SMBs), evaluating cyber insurance needs can be a process fraught with plenty of questions but few answers that address the specific needs of their company. Many underwriters and insurers do not have proper visibility into the realities of running a small business, nor the challenges many SMBs face trying to protect their organizations from cyber-attacks. This has created a confusing situation for both SMBs and those seeking to provide them coverage.
At the Cyber Readiness Institute (CRI), we’ve been working with insurance providers, brokers, experts in both cybersecurity and insurance, regulators, as well as SMBs, to help bring some clarity to this situation. This FAQ addresses some of the most pressing concerns we have heard from these various stakeholders.
1. What is cyber insurance?
Cyber insurance is insurance that provides financial protection to businesses (and individuals) in the event of a cyber-attack or data breach.
2. How do I know if I need cyber insurance?
If you own a business that collects or stores sensitive information, such as customer/supplier data or financial information, you may be at risk. Cyber insurance can help protect you from the financial consequences of a breach of these data and a disruption of your business.
3. What does a cyber insurance plan cover?
Cyber insurance can protect against a range of cyber threats, including costs related to phishing attacks, malware infections, ransomware attacks, and data breaches. Policies can also provide coverage for business interruption losses resulting from a cyber-attack.
Covered costs may include legal fees, notification expenses, public relations costs, and even lost income or revenue. It’s important to note that the availability and coverage of cyber insurance policies may vary by location and industry, so it’s recommended to compare policies and coverage options from multiple providers before making a decision.
4. Are there any exclusions or limitations to cyber insurance coverage?
Yes, there may be exclusions or limitations to cyber insurance coverage, depending on the policy. For example, some policies may not cover losses resulting from social engineering attacks, intentional acts by employees, or attacks launched by a foreign nation.
5. Does cyber insurance cover ransomware?
Ransomware protection is often covered as part of cyber liability insurance. To date, there is no ‘standard’ policy. Specifics can vary significantly depending on the cyber insurer. However, many insurers are increasingly offering standalone coverage that may be especially useful to businesses in industries that may be most at risk for this type of attack.
6. If I have standard business insurance, do I need cyber insurance as well?
Standard business insurance typically covers physical damages to property, liability claims, and some aspects of employee-related incidents. However, it may not fully cover losses or damages related to cyber incidents. Cyber insurance is designed specifically to provide protection against cyber risks.
7. How much does cyber insurance cost?
The cost of cyber insurance depends on several factors, including the size of the business, the type of coverage needed, and the level of risk. The average cost of cyber insurance for a business is between $500 and $5,000 per year. The average annual premium for personal cyber insurance is between $300 and $1,200, depending on the level of coverage and the specific deductible you choose.
8. How do I choose the right cyber insurance policy for my business?
When choosing a cyber insurance policy, it’s important to assess your business’s unique risks and needs. You should also compare coverage options and pricing from different providers to find the policy that best fits your budget and requirements.
9. What steps can I take today to achieve lower rates?
The minimum controls for protecting information assets that carriers want to see implemented focus on well-known causes of cybersecurity incidents. Here are just a few simple steps you can take today to lower cyber insurance costs:
- Invest in cybersecurity awareness & training: Employees remain the weakest link in the cybersecurity chain, but they don’t have to be. Regular cybersecurity awareness training can equip them with the knowledge and skills they need to defend themselves and your company. The Cyber Readiness Program is one program that can help—and it’s free!
- Enable Multi-Factor Authentication (MFA): MFA secures access by better validating the user’s identity and defends against account compromise.
- Document Backup & Recovery procedures: Develop a robust, well-documented backup plan and test it regularly.
- Access Management: Implement greater control of user access by identifying authorized users, while prohibiting unauthorized ones.
- Secure your email: Email is the biggest attack vector for malware. Spam filtering and other basic email security elements can go a long way in making email safer to use for everyone.
- Regularly patch all software: Unpatched software may contain easily exploitable security vulnerabilities, so regular patching is a must. Patch management tools can keep your software up to date, so it doesn’t have to be a burden.
10. How does cyber insurance fit into a broader risk management strategy?
Cyber insurance is just one component of a comprehensive risk management strategy. Other components may include cybersecurity measures, employee training, and business continuity planning. By combining these strategies, businesses can better protect themselves from cyber threats and minimize the financial impact of a cyber incident.
11. What is the process for filing a cyber insurance claim?
The process for filing a cyber insurance claim will vary depending on the policy and the insurance provider. Generally, you will need to provide documentation of the incident and the resulting damages or expenses.