We often say that it’s not a matter of if you’ll experience a security breach, but when. Security technologies, practices and methods all help to mitigate the risk of cyber crime, but it’s never possible to be 100% secure. That’s because the nature of cyber crime is always evolving with new methods and techniques that develop as quickly as new technologies emerge. So despite the availability of advanced preventative measures, cyber crime can still cost an organization plenty in financial, organizational and reputational losses.
This is why organizations should brace themselves—and prepare for the inevitable. One way to do that is through cyber crime insurance. But before we dive in, let’s review what actually constitutes cyber crime.
Crime in the cyber realm
Cyber crime is crime committed online, whether on the Internet, on networks or on computers. It can happen on any digital device, including PCs, laptops, smartphones, tablets, IoT devices, truly any connected device. It also refers to any crime that is executed using a computer system.
While monetary gain can be seen as the biggest motivator behind cyber crime, cybercriminals are also driven by information; after all, information is power in this day and age. And when we speak of lower-scale attacks, another motivator can simply be to prove they can, for bragging rights.
Cyber crime can be divided into three major categories: individual, property and government. Depending on the category, the methods, techniques and skills needed to execute the attacks can vary.
Individual cyber crime involves attacks on individuals, which include cyberstalking, credit card fraud, identity theft, online slander and trafficking.
Property cyber crime is similar to real-life crime that involves the possession of an individual’s property; in this case it would be against a computer or server. This type of cyber crime includes DDoS attacks, typosquatting, copyright infringement, malware infection, and the like.
Government cyber crime, as its name implies, is committed against a government and is an attack on that nation’s sovereignty. This is often seen with cases of cyber espionage, cyber terrorism, the accessing of highly confidential information, etc.
We do have a blog post that’s fully dedicated to different types of cyber crime, but for the sake of clarity and scope, let’s go over a few of the more common ones. The most common types of cyber crime are social engineering - manipulating people to get them to divulge sensitive information, cyberstalking - a form of cyberbullying that involves cybercriminals harassing or threatening other individuals over the Internet, identity theft where cybercriminals steal an individual’s identity to commit fraud, online scams offering fake goods and services, among many others.
For more detailed information, we highly recommend you check out the full post.
Clearly, the scope of cyber crime runs far and wide, presenting different risks that organizations must face. What, then, can they do to prepare for a worst-case scenario?
What is cyber crime insurance?
Commercial general liability insurance is used by organizations to protect against potential losses such as property damage, theft, worker’s injury, natural disasters and other misfortunes. However, this form of general insurance doesn’t cover cyber crime risk, as it is focused on tangible assets and the concept of cyber crime itself is relatively new. Still, products that cover cyber crime are out there, and are specialized to help organizations lessen the risk of being adversely affected.
Cyber insurance is a line of insurance products meant to protect organizations from cybersecurity risks including those related to information privacy, information governance and information technology infrastructure. This type of insurance limits the damage caused by cyber attacks on an organization’s business data, whether that means proprietary, customer, employee or any other sensitive information. Cyber crime liability policies can also offer data recovery and business interruption recovery, which addresses the first steps to take after suffering a cyber attack.
Why you need cyber crime insurance
If a breach is unavoidable, then why would you even need cyber crime insurance? And if you’re a small company in a niche industry without, you might think, much data to attract attackers, do you really need it? How great is the chance that you’ll fall victim to a data breach, one that would require insurance?
The truth is that cyber crime insurance is important for all organizations. More, in fact, than it might seem.
Cyber crime can affect all data
All data is at risk. While payment information, health information and PII such as social security numbers, birthdays and addresses are the most highly sought-after data, it’s important to remember that almost every organization holds this type of data in their online premises. And while you might think the data you hold doesn’t warrant being targeted by cybercriminals, the black market value for such data is remarkably high, especially when in bulk. PII belonging to one person can be worth anywhere from $0.20 to around $10 on the black market, which adds up when attackers have access to a database of a couple hundred individuals’ information.
Cyber crime affects all industries
It’s a common misconception that some industries are void of cyber risks. Or even that small and medium-sized businesses are somehow less attractive to attackers. That may have been true in the past, but today’s attacks are almost more frequently targeted to smaller organizations than to those with revenues in billions of dollars. In the end, cybercriminals often see the same value in attacking a smaller business as they would a larger business. Chalk that up to smaller organizations having weaker defenses and more vulnerabilities in their systems and networks, with less focus on safeguarding their data and fewer resources for that purpose.
Additionally, while some industries are more susceptible to cyber attacks, many security incident-related insurance claims are reported by healthcare, financial, retail, education, nonprofit, technology, manufacturing, hospitality and professional services as well as public entities. And these industries cover a gigantic number of companies of any size. With this in mind, we can see that almost no industry, and no organization regardless of their size, is exempt from the risk of cyber crime.
Cyber crime recovery is expensive
New research is in: the average cost of a data breach in 2020 is $3.86M. While that figure is slightly lower than it was in 2019, is it worth the risk? These numbers also involve organizations with mature security programs, while those lacking incident response and other security technologies and practices might suffer more greatly.
The costs related to a data breach include crisis services, legal defense and settlements, digital forensics, notifications, and public relations, to just name a few. Managing the impact of cyber crime can get really expensive really fast, and investing in cyber crime insurance as part of your mitigation strategy can help immensely in post-breach recovery.
Cyber liability insurance coverage
There is no one-size-fits-all cyber liability policy that will work for all organizations. Most cyber policies will contain a similar combination of coverage elements, and the basic insuring agreements will offer coverage to the full policy limits, but most policies are flexible and allow organizations to choose the type of coverage they need.
Cyber liability insurance policies usually include two coverages: first-party coverage and third-party liability coverage.
First-party coverage take on expenses the organization directly sustains as a result of a data breach and protects against losses that occur directly to the insurance holder. These include:
- Data loss or damage: In the event of cyber crime that affects an organization’s data (whether by altering, damaging or stealing it), first-party coverage will cover the costs to replace or restore data and programs, hire experts to help recover the data and all costs associated with it.
- Business and operational disturbance: Today’s organizations rely heavily on their infrastructure and technologies to operate properly. First-party coverage provides a solution to organizations facing operational disturbances and system failures due to security incidents, by covering the costs to recover lost profits and any extra expenses resulting from business and operational impacts.
- Cyber extortion: Ransomware is everywhere and is one of the oldest and most dangerous types of cyber crime around. It refers to cybercriminals breaking into a system or a network and holding sensitive data, or even the entire system, locked from the system’s owner and demanding ransom payment to return access. There are also other types of cyber extortion that involve attackers breaking into a system and simply threatening the system owners with a malicious attack unless a specified sum is paid. First-party coverage will extend to the payment demanded in said extortion, along with all expenses involved with responding to and recovering from the attack.
- Notification cost: Once an organization suffers a data breach, they are often required by law to notify all parties involved of said breach. This coverage will cover the cost of notification to all third-party vendors, contractors, customers and all others possibly affected.
- Crisis management: First-party coverage policies will often cover the costs of repairing any reputational damages that occur due to a cyber attack, in what is known as crisis management.
Third-party liability coverage
Third-party liability coverage policies are designed to protect and cover the claims that are made against the organization that has suffered the breach, whether those filing claims were affected by the breach itself or by the failure of the organization to act. An example would be a client suing for negligence after cybercriminals stole his sensitive personal information from the organization’s system. Third-party liability coverage would cover the costs associated with that claim.
Take note of these types of third-party liability coverage:
- Network security liability: While important for first-party coverage, this is also important as a policy for third-party liability. This type of liability coverage covers the costs of claims and payouts made by third parties affected in a security incident that occurred as a result of network security failure, such as a data breach, malware, cyber extortion, ransomware, etc.
- Privacy liability: Liabilities that arise due to a cybersecurity incident or privacy law violation are covered by third-party liability coverage. The covered costs include fines or penalties imposed by regulatory agencies and investigations by the government and law enforcement, as well as those from liabilities required in a contractual obligation. It would also cover defending the organization from consumer class action litigation, funding a settlement and covering all legal expenses involved.
- Media liability: This provides coverage for lawsuits regarding intellectual property infringement, copyright infringement, slander and defamation, invasion of privacy and domain name infringement due to internet publishing whether via website, email, and the like.
From another perspective, cyber insurance underwriters are tasked with determining the potential policy buyer’s risk profile and accurately price policies in a way commensurate with the risk but not prohibitively expensive. If you’re interested in learning more about how to improve one’s cybersecurity insurance underwriting, we recommend you check out one of our posts exploring that topic.
Organizations operate with data—managing, storing and transferring data in all of their operations—meaning security is of the utmost importance. Every organization should implement all methods of effectively safeguarding that data, from proactive to reactive mitigation techniques and practices, including cyber insurance.
The cyber insurance market is booming, with reports that it’s expected to reach $22.8 billion globally by 2024. With this rate of exponential growth, we can see that there is a need for this type of mitigation method. If anything, it can provide peace of mind that even in a worst-case scenario, organizations have something to back them up.