You see cyber breaches in the news quite frequently today, and we know all organizations are at increased risk of cyber attacks. The US President has even stepped in to bolster the US cyber threat response. However, most small-to-medium sized businesses do not have cyber insurance and don’t think they need it.
But what is cyber insurance, and why do you need it? NetGain sat down with Bill Dotson, a cyber insurance expert, to learn more. Bill is a virtual CIO and IT advisor at Rocker, a consulting firm helping organizations mitigate their technology risk and prepare to purchase cyber insurance from existing insurance providers. Bill has been in the technology industry since his early twenties, and has founded and sold multiple tech companies before starting Rocker with his business partner.
Bill’s philosophy on security and privacy: “There is no perfect door or gate to protect against every risk, we can only manage security and privacy.” Each company has to determine where their most sensitive information is and what is acceptable risk. For the remainder that you don’t take care of through technology or training, there is cyber insurance, or technology insurance, to manage your exposure.
What is Cyber Insurance?
“Every business is a technology business”. No matter what industry you are in, you utilize email, computers, and likely much more. Technology means cybersecurity risks, so taking precautions to protect yourself from these risks is imperative. Cyber insurance offers assurances from different kinds of breaches, such as ransomware, or a financial fraud occurring through tricking people into giving up login credentials. Like other insurance policies, such as your car insurance or homeowner’s insurance, you can get reimbursed in the event of a breach. This gives you peace of mind knowing there is support and coverage for your business.
Dotson says that now is the time for increasing or buying cyber insurance, due to recent cyber breaches. Companies with sensitive data, such as those in the medical or legal industries, or organizations with lots of employees, should consider investing in cyber insurance. If a peer company has been breached, this is also a good time to leverage cyber insurance or bolster your current coverage, as you may be at higher risk.
In order to begin evaluation for your cyber insurance needs, it is a best practice to have an assessment performed in order to understand your organization’s risk, as well as how to tailor your insurance policy to your business. You also need to understand what state or federal government requirements your business may be subject to.
Misconceptions and Mistakes
Now that we’ve answered the question “What is cyber insurance?”, we should explain some things that most people don’t understand about it.
Many organizations already have a business owner’s insurance policy, but Dotson explained that business owner’s policies only have a minor amount of technology coverage compared to technology insurance, if there is any coverage at all.
One mistake Dotson often observes is when a company wants insurance and only involves internal or external IT professionals. Since there is sensitive data and risk across the organization, every department, including those like HR and Accounting, should be involved in the policy application and regular reviews.
You should also be sure that your funds transfer coverage on the policy is adequate – for example, your plan may cover if your bank account is hacked through phishing, but you should ensure that the dollar amount covered for this event is acceptable to your business. This will be a number you will have to determine.
Always check policy requirements. This is essential. Dotson mentioned, for example, that some scenarios require organizations to implement multi-factor authentication. If you do not follow requirements, you may not get full coverage from your policy in the event of an incident.
Many people think cyber insurance will be very expensive, but the cost depends entirely on the size and scope of your business. Dotson says the typical range he sees is between $3,000 and $27,000 per year, depending on the organization risk factors, annual revenue, and desired coverage.
Dotson strongly advocates for cyber insurance, as it can protect your business from a variety of threat vectors. The important part is to understand your organization, your policy, and what requirements you will have moving forward, so that in the event of a breach you are adequately prepared and can be helped by your insurance policy.