5 Tips to Maximize the Benefits of Cyber Liability Insurance
Changes in costs and consumer demands in the past decade have accelerated the adoption of cloud-based infrastructure. Over 80% of small businesses now declare cloud computing important to their business, alongside an even larger share of medium-sized and enterprise companies.
Unfortunately, a larger web presence leads to increased risk from cybersecurity threats that have grown in complexity over the years. Cyber liability insurance is a common solution to help mitigate potentially crippling recovery costs.
However, as with any type of insurance, there are limitations that can reduce claim payouts or lead to outright claim denials. Take these five steps to ensure you’re as protected as possible by your cyber liability insurance policy.
1. Carry enough coverage for your exposure risk.
Controlling overhead costs is understandable, especially for businesses that operate on historically thin margins. Nevertheless, under-insuring on cybersecurity threats could cause your business to completely shut down if you can’t afford the recovery costs and absorb the temporary loss of revenue.
In its 2020 Cost of a Data Breach Report, IBM found that while the cost of data breaches dropped marginally from 2019 to 2020 (1.5%), the total cost was still exorbitant. Businesses should expect to pay an average of $146 per record in total response and recovery costs.
Those costs also vary depending on whether breached records contained personally identifiable information and whether the breach stemmed from a malicious and targeted attack. When malicious intent is involved, that per-record cost can rise to an average of $175 ($171 when the data stolen is anonymized).
The size of the data breach further complicates costs, because the increase is exponential. For example, the average cost of a breach in which 100,000 records or fewer are exposed or stolen is $3.86 million. But when the breach hits 1 million to 10 million records, the average increases to $50 million (25 times higher).
This makes carrying too little insurance a huge financial risk, especially for smaller businesses. Your insurance coverage should more than compensate for your level of exposure.
2. Understand cyber insurance terminology that can impact coverage.
Think about the last time you shopped for health insurance. Policies can be confusing, and each insurance provider may have different coverage limitations that can get pretty granular. Thankfully, health insurance is far more regulated regarding what providers have to cover, resulting in many similarities across providers.
This is not the case with cyber liability insurance. Policies may have similar baseline coverage limits and use similar language. But how terms are defined can differ enough to significantly impact how effectively the policy mitigates your risks.
First-party and third-party coverage
Cyber insurance policies are often (but not always) designed to operate like a combination of commercial and general liability insurance, only extended to digital property and liabilities unique to the web.
First-party coverage under a cyber liability insurance policy may include business interruption for server downtime, ransomware payments or data recovery costs. It can also include other expenses directly related to where the business is exposed and impacted.
Third-party coverage will help mitigate costs where the company is found at fault for a third party’s losses. This includes covering legal fees that result from the fallout of a data breach, such as defending against a class-action lawsuit or paying customers if you’re found to be at fault.
Ensure that first- and third-party coverage limits written into the policy protect you against your biggest risks, or where the financial strain could hurt the most. For example, the aforementioned IBM data breach study found that 40% of the cost of a data breach was due to lost business and downtime.
Data “loss” vs data “misuse” vs data “leak”
Many cyber liability insurance policies will distinctly define “data loss,” “data misuse” and “data leak.” Providers will treat events differently, depending on whether they fall into one of those categories.
Data loss is more broadly considered a complete loss of access to the data you hold. A ransomware attack or a malware attack that deletes or corrupts data are examples of data loss.
Data misuse occurs when the data you’re responsible for is taken and then used for improper purposes. An example of this would be a data breach in which customers’ credit card information is stolen and subsequently misused.
Data leaks occur when the data you hold is exposed in such a way that individuals who had no right to see that data gained access to it. This could occur accidentally or through malicious intent. Unsecured cloud servers are often sources of data leaks.
It’s common for cyber liability insurance providers to only cover claims for data misuse and not losses or leaks. Even when the incident doesn’t result in misuse, your business could still be sued by customers or face regulatory investigations. If that happens, your business would still have to absorb the cost of responding to litigation or governmental investigation.
Defining your “network”
Cyber liability insurance providers often vary in how they define a network. This is important, as most may only provide coverage when your network as defined by the provider is impacted by a breach or loss event. To that end, make sure that the provider’s definition effectively covers where your business may be exposed.
3. Use high-level security standards to maintain insurance compliance.
The purpose of any insurance is to offer liability protection for recipients who take adequate protection of themselves or their assets. This is why a car insurance provider may choose to deny a claim if you get into a car accident while speeding or driving while impaired. The provider needs these reasonable restrictions in place to avoid the cost associated with high-risk policyholders.
Cyber liability insurance is no different. Providers will likely require you to take certain precautions to actively minimize security threats. Failing to do so could result in a claim denial.
Poorly configured cloud servers are an example where providers may choose to reject a claim. A large number of data breaches and exposures in recent years have been connected to Amazon Web Services (AWS) S3 buckets that are poorly or improperly configured. These Infrastructure as a Service (IaaS) providers utilize what’s called a shared responsibility model. They provide the infrastructure, which they protect and optimize for security. However, the client must perform their own due diligence in properly configuring the server to prevent inappropriate access.
Even so, reports have found that 7% of AWS S3 buckets are completely unrestricted, while 35% are unencrypted. Many others may simply be misconfigured, meaning the businesses paying for the server may believe the server is protected properly when in reality its security settings are easy to crack.
When a breach happens, the cyber liability insurance provider determines whether lax data security policies and procedures were the cause. If the provider finds that the insured company failed to protect its data or infrastructure properly before the loss event occurred, they might reject the claim or reduce the claim payout. This risk can be mitigated by hiring professional IT security staff or a managed IT service to implement and maintain your network and data security.
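The kind of due diligence this step describes can be made routine and documented, which also matters when an insurer asks for evidence of your controls after an incident. The following script is an added example written for this article, not code from the original page or from AWS; it evaluates the three settings the text singles out (public access restriction, a bucket policy granting anonymous access, and default encryption) for a set of constructed bucket configurations whose shapes mimic what boto3's `get_public_access_block`, `get_bucket_policy` and `get_bucket_encryption` return. The bucket names, account ID and role ARN are placeholders.

```python
import json

# Constructed sample configurations for three hypothetical buckets (not real
# buckets or accounts). In a real audit these dicts would be filled from the
# boto3 S3 calls named in the lead-in; here they are embedded so the script
# runs offline.
SAMPLE_BUCKETS = {
    "example-public-site": {
        "public_access_block": {
            "BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
        },
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow", "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-public-site/*",
            }],
        }),
        "encryption": None,
    },
    "example-customer-records": {
        "public_access_block": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::example-customer-records/*",
            }],
        }),
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms"}}]},
    },
    "example-backups": {
        "public_access_block": {
            "BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
        },
        "policy": None,
        "encryption": None,
    },
}

# The four account/bucket-level "Block Public Access" flags.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
# Actions that let an anonymous principal read objects.
READ_ACTIONS = {"*", "s3:*", "s3:getobject"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_grants_public_read(policy_json):
    """True if any Allow statement lets Principal '*' read objects."""
    if not policy_json:
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_public = principal == "*" or (
            isinstance(principal, dict)
            and "*" in _as_list(principal.get("AWS", [])))
        if not is_public:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            return True
    return False


def audit_bucket(cfg):
    """Return a list of human-readable findings for one bucket config."""
    findings = []
    pab = cfg.get("public_access_block") or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f, False)]
    if missing:
        findings.append("public access block incomplete: "
                        + ", ".join(missing) + " not enabled")
    # RestrictPublicBuckets makes a public policy ineffective, so only flag
    # the policy when that guard is absent.
    if (policy_grants_public_read(cfg.get("policy"))
            and not pab.get("RestrictPublicBuckets", False)):
        findings.append("bucket policy grants anonymous read of objects")
    enc = cfg.get("encryption")
    if not enc or not enc.get("Rules"):
        findings.append("no default server-side encryption configured")
    return findings


def audit_all(buckets):
    """Map each bucket name to its findings (empty list means clean)."""
    return {name: audit_bucket(cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        print(name, "->", "OK" if not findings else "; ".join(findings))
```

Run periodically and kept with its output, a check like this gives you a dated record that buckets holding customer data were restricted and encrypted before any loss event. Note that AWS now enables Block Public Access on newly created buckets and applies default SSE-S3 encryption, so the findings above mostly surface older buckets or ones where someone deliberately relaxed the defaults.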
4. Consider retroactive coverage and discovery time.
Whether a breach is malicious or unintended, there’s often a large gap of time between when it occurs and when it’s discovered. IBM’s data breach cost study found it takes companies an average of 207 days to discover a data breach, followed by 73 days to contain it. This puts the lifecycle of a data breach at 280 days on average; this can also vary widely by industry.
Cyber liability insurance providers understand this gap between discovery and recovery. They might also have limits as to how long they will extend coverage. This gap can also be problematic when you’re purchasing cyber insurance for the first time. The provider may not offer retroactive coverage for events that occurred too many days or weeks prior to policy activation.
5. Who is at fault may influence the claim result.
Cyber liability insurance providers consider who is at fault for the breach before determining whether a claim is covered. This extends beyond just your company having improperly configured AWS S3 buckets. The insurance provider might not honor claims if the cause of the breach is a single employee’s malfeasance, or if a vendor who had access to the data was at fault.
If these are concerns for your business, look for policies from providers that include coverage for incidents arising from rogue employees and vendors.
Be a Proactive Cyber Liability Policyholder
Despite dramatic improvements in data security over the years, the web is still a bit like the wild west. There are laws, to be sure, and there are law keepers. But criminals (cybercriminals, in this case) are craftily inventing new methods and innovating old ones to infiltrate systems and steal data.
Outside of completely eradicating any web presence and cloud infrastructure, your business will always have some exposure to cyber threats. Your cyber liability insurance is an asset against the high cost of data breach recovery. So review policies carefully, know your company’s protection needs and shop around for providers. Additionally, consider employing high-level security standards to reduce the likelihood that claims are denied or reduced by the insurance provider.
If you’re unsure about a policy’s terms or whether it will meet your needs, check with an experienced IT consultant.