Part of a comprehensive cybersecurity program is making sure you have the right backup. Yes, pun intended. Certainly, your data needs to be backed up. But your staff and finances also need extra support. We’ve previously written about how a Managed Service Provider (MSP), also known as an outsourced IT vendor, can provide support for implementing robust cybersecurity controls. Today we’ll talk about cyber liability insurance – what it is, why you need it, and how to get it (and get it cheaper).
What is cyber liability insurance?
Cyber liability insurance, more commonly just called cyber insurance, is a type of insurance that protects your business if it’s targeted by a cyberattack such as a data breach or ransomware. Good cyber insurance coverage doesn’t just cover the losses associated with data breaches, ransomware, and other attacks. If you’re attacked, your insurance provider can also bring in experts in forensics (computer crime investigation and data recovery) and legal counsel to guide you through the recovery process. For most small and medium businesses, these services would otherwise be out of reach financially. Many businesses used to buy cyber insurance bundled with Errors and Omissions (E&O) insurance, which covers other kinds of business mistakes and oversights. However, it is becoming more and more common for cyber insurance to be sold as a standalone policy.
Why does your business need it?
The costs associated with a successful cyberattack against your company can be staggering – and they are growing every year. According to the 2024 IBM Cost of a Data Breach Report, the average cost per record exposed in a cyberattack rose to $173, and the average total cost of a data breach is $4.88M. According to the 2023 Verizon Data Breach Report, small businesses (defined as those with fewer than 1,000 employees) accounted for approximately 58.5% of all successful cyberattacks. According to the SBA, in 2020 there were over 700,000 attacks against small businesses, amounting to nearly $3B in total damages. Both the frequency of attacks and the total damages are increasing annually. For most small businesses, a breach with costs like these would mean the end of operations. And yet, only 17% of small businesses have cyber insurance.
What's holding you back?
Roughly 31% of small businesses are not concerned about cyberattacks, so it’s no surprise that many SMBs don’t carry cyber insurance. But why the lack of concern? Headlines and recent reports are enough to scare the socks off of leaders, mainly because the likelihood of being targeted has skyrocketed lately. Cybercriminals know precisely where the low-hanging fruit is; hint, it’s among the 3.1 million small businesses without coverage. Still, SMB leaders don’t recognize their vulnerability. We’ve figured out how these leaders end up with a bullseye on their back, and here’s how to keep your company from becoming a target.
Get in the Know. According to AdvisorSmith, 64.2% of SMBs are either unsure of cyber insurance or don’t know what cyber insurance covers. This alarming statistic highlights just how important education is in driving better behavior.
Beef Up Best Practices. Many SMBs are denied coverage outright: because they tend to under-invest in cybersecurity, many cyber insurance providers simply won’t write them a policy. Indeed, according to a 2022 survey, 47% of companies with fewer than 50 employees do not have any dedicated cybersecurity budget. Another 2022 survey showed that 51% of small businesses don’t have any cybersecurity measures in place. Given these statistics, it’s no wonder that cyber insurance providers decline to offer coverage.
Budget Cyber Costs Correctly. Some SMBs opt to reduce their cyber coverage or drop cyber insurance entirely, and, of course, some never purchase it at all. Often, the cost of coverage is what steers leaders away from buying it. While cyber insurance premiums have increased over the past several years, leaders don’t always have to settle for skyrocketing prices. (More on this below.)
Unscramble the Cyber Puzzle. Cybersecurity has become complex, with ever-changing best practices and increasingly savvy cybercriminals. Many insurers are paying out heavily on claims and evolving their products to keep pace with the threats. For example, some carriers have moved certain elements (e.g., ransomware) from standard coverage to a rider or provision. Naturally, these changes create a confusing landscape for SMB leaders to navigate.
How can you become eligible and/or lower your rates?
Luckily, there is hope for SMBs who want cyber insurance coverage but have either been denied it or are being priced out of the market. There are some simple measures SMBs can take to make themselves eligible for coverage and decrease their costs. These all center around reducing the business’s risk profile – after all, a more secure, lower-risk business is less likely to need a payout from the insurance carrier, so the carrier is more likely to write the policy. So, what can you do?
Adopt a security framework. A popular choice is the NIST Cybersecurity Framework (NIST CSF), which is widely viewed as more approachable than other frameworks while still being robust enough to secure most businesses. NIST CSF provides a set of security controls that, when adopted, help a company improve its overall defensive posture. Other security frameworks include NIST 800-53, NIST 800-171, Cybersecurity Maturity Model Certification (CMMC), and ISO-27001. These are typically only required as a company seeks to work with the US Federal Government or expand internationally. All of these frameworks have a few things in common – they require a company to have various information security policies in place and to implement a defined set of controls to safeguard their business. Fully implementing a cybersecurity framework can take time, which is why it’s important to have a roadmap and cover the most important aspects first.
Comply with relevant regulations. In addition to security frameworks, many industries are becoming more heavily regulated. For example, healthcare companies and their affiliates are required to comply with HIPAA, any company handling credit cards needs to comply with PCI-DSS, financial services and insurance companies in New York are subject to NYCRR Part 500 (including the November 2023 updates), and publicly traded companies need to comply with the new SEC cybersecurity rules. These regulations apply regardless of business size and exist to safeguard businesses and their employees and customers.
Train staff on the fundamentals of digital safety. The overwhelming majority of breaches are the result of human involvement, typically social engineering (including phishing) and human error. By training their staff on cybersecurity best practices, companies can reap massive benefits in the overall security of their business while also seeing benefits to their insurance premiums. This is perhaps a redundant element, since most security frameworks and regulations already require regular security awareness training, but it is still worth calling out separately.
Develop an incident response plan (IRP). A good IRP spells out the processes to follow and the people needed to respond to a security incident. These people include not just the “first responders”, like the IT team, who will be directly involved in mitigating the incident, but also the communications, legal, forensics, executive, and other teams necessary to fully resolve it. The plan itself should include steps to identify, mitigate, resolve, and communicate the incident. IRPs should be tested regularly so that a company doesn’t discover how well its plan works in the middle of a crisis. Like security awareness training, a good incident response plan is required by most cybersecurity frameworks and regulations, but it is so critical that it bears repeating.
Conclusion
We recommend all SMBs start out by aligning to NIST CSF and any relevant regulatory frameworks. While it can be challenging to even know where to start with this journey, we’ve made it very simple – and cost effective – for businesses to start their cybersecurity journey. In our user-friendly tool, we’ve packed everything you need to get started, get yourself compliant, and secure your business.
📜 Customized Security Policies that align with the frameworks and regulations you need.
📆 Regular updates to security policy templates throughout the year (you can choose when and if to adopt those changes).
🧑‍🎓 Engaging and practical security awareness training for your users.
✅ Personalized, prioritized roadmap for moving towards compliance.
⚠️ Tools to look at organizational risk holistically including cybersecurity risk.
📈 Track policy acknowledgement and training progress.