In his TechRepublic article “IBM finds cyberattacks costing companies nearly $4 million per breach,” Jonathan Greig mentioned, “On average, breaches now cost organizations $3.86 million per attack, with the United States having the highest average cost per breach and healthcare being the most heavily hit industry.”
That was nearly a year ago and many tech pundits, including Rob Sobers in his Varonis article “134 Cybersecurity Statistics and Trends for 2021,” suggest that 2021 ain’t gonna be any better. One statistic that hits home for most business owners is Gartner’s forecast that the worldwide information security market will top $170 billion by 2022.
So what’s a business owner to do—spend money on the latest and greatest cybersecurity platform that may or may not prevent a cybersecurity event, or just keep the business from being the lowest-hanging fruit on the digital tree and cover the resulting risk with cyberinsurance?
It seems business owners are electing to cut losses by investing in cyberinsurance. However, since cyberinsurance is relatively new, some business owners are concerned about what’s involved and whether it makes sense.
Adrian Mak, CEO of AdvisorSmith, a business insurance consulting firm, has pulled together a Cyberinsurance Cost report that looks at what to expect. Besides the size, location and nature of a business, there are other factors that affect cyberinsurance premiums. The following considerations are those Mak deems most important:
Coverage level affects the cost of cyberinsurance: This one is obvious. The higher the limits of your cyber coverage, the higher your premiums will be. “However, additional coverage usually costs less per dollar of coverage compared with the base coverage,” mentioned Mak. “For example, the first $250,000 of coverage costs an average of $739 in our example below, while the next $250,000 of coverage only costs an average of $407, for a total cost of $1,146.”
Although obvious, this is an important consideration. “It is important to choose a level of premium that is affordable for your business,” explained Mak, “but you also want to ensure that the liability level is high enough so that in the event of a data breach or hack, you may be able to avert financial disaster.”
Deductibles affect cyberinsurance costs: In a cyber event, the cyberinsurance deductible is the portion of the loss that cyber liability insurance does not cover and that the victimized organization must pay itself. “Choosing a lower deductible means you’ll pay less in the event of a breach, but it also means your premiums will be higher,” added Mak. “When choosing your deductible, you should consider the impact of a loss on your business, and the amount of losses you’d be able to absorb in the event of a breach or cyber event.”
Business size and revenue affect the cost of cyberinsurance: Mak suggests that most insurers base cyberinsurance rates on the company’s revenue. Other insurance companies use the number of employees to determine a company’s premiums—more employees mean higher premiums.
Number of sensitive records affects cyberinsurance costs: The amount and sensitivity of stored customer data impact cyberinsurance premiums. Most insurance companies segment businesses into different tiers based on the type and sensitivity of the data retained.
- Lowest risk (lowest premium): Companies store little third-party information and few business data records.
- Moderate risk (moderate premium): Companies have more customer data, but the data is not considered highly sensitive.
- Highest risk (highest premium): Companies store sensitive information such as social security numbers, dates of birth or other financial and personal information.
In-place security measures affect the cost of cyberinsurance: Another obvious factor is the quality of the company’s current cybersecurity platform and policies. Mak asserted that insurance providers will ask for a complete digital security assessment, and the more measures in place, the lower the insurance premiums.
Some of the security measures that receive special attention are:
- Hardware and software network security
- Data-loss prevention procedures
- Multi-factor authentication and encryption
- Software is current with regard to vulnerability patches
- Third-party firms are used for security assessments and audits
- Third-party vendors with network access are monitored
There are a lot of variables to consider when pricing cyberinsurance. Mak believes the best approach is getting quotes from reputable insurance companies.
With quotes in hand, the next step is an honest assessment of the amount of acceptable risk versus amount of cyberinsurance to purchase—not an easy task, but vitally important for surviving a cyberattack.
Information pertaining to the survey
The AdvisorSmith study involved reviewing publicly available rate filings that insurance companies published to the System for Electronic Rates & Forms Filing in all 50 states and the District of Columbia. The study uses quote estimates and rate filings from more than 43 insurance companies nationwide. The premium quotes, ranging from $650 to $2,357, were based upon liability limits of $1 million with a $10,000 deductible, and $1 million in company revenue. The average cost of cyberinsurance is $1,485 per year in the U.S.
Disclaimer: AdvisorSmith seeks to provide accurate and up-to-date information for business owners. However, we are not acting as licensed professionals, and all information is presented without warranty.