There has been a 70%+ increase in the average cost of a cybercrime to an organization over five years to $13mn and a 60%+ increase in the average number of security breaches, a recent report reveals.
Losses resulting from external incidents, such as DDoS attacks or phishing and malware/ransomware campaigns, account for 85% of the value of claims, followed by malicious internal actions (9%) – which are infrequent but can be costly.
To select suitable cyber insurance for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
Corinne Hammond, Cyber Underwriter, AXIS Insurance
Cyber insurance has developed significantly over the past decade, driven by the increasing threat landscape and expanding legislation. As one of the greatest threats facing businesses today, coverage has adapted. With many options available, here are three key things to help you select the correct product:
Scope of cover
Most cyber policies cover liabilities following an incident including regulatory costs, reimbursement for business interruption, reconstitution of data and support through a ransomware incident. They can also address reputational harm, supply chains and property damage. It’s important to think about the risks specific to your business and ensure your selected product addresses those risks.
Best-in-class cyber insurance will help reduce your risk and include:
- education, tools and training for all people in an organization
- tabletop exercises to engage key personnel and prepare for an unforeseen event
- experienced support to assist quickly in the event of an incident, complementing internal expertise for ransomware negotiations, obtaining cryptocurrency or legal advice
With larger and more frequent losses it is ever more important to partner with a strong insurer with proven cyber experience, particularly in paying claims. Your broker can help you select a well-established insurer with global expertise and products to best fit your risks.
Lindsey Nelson, Cyber Development Leader, CFC Underwriting
When selecting affirmative cyber insurance coverage, I’d recommend that CISOs vet the insurer’s cyber claims expertise before diving into policy language.
An insurer with a well-staffed, in-house cyber incident team with ample experience dealing with cyber threats is a must as these experts bring additional skills that complement what a firm’s own IT department already does very well in the event of a cyber incident.
They will be the experts on the other end of a call who bring a well-rounded wealth of expertise from technical to legal assistance.
They will know the most about ransomware variants and ransom demands, recovery from compromised business email accounts, and privacy obligations. And this knowledge and experience from a technically led approach ultimately leads to quicker recovery and less material impact to the business.
Questions CISOs should ask include:
- Is the insurer well established in cyber insurance?
- Do they have global reach?
- Do they have internal cyber claims capabilities or is everything outsourced to a third party or law firm to triage?
- Is cryptocurrency kept on hand to ensure a timely ransom can be paid if the insured makes that decision?
- What process does the firm have for checking sanctions to determine whether the attacker is a sanctioned entity?