High profile digital stick-ups have regrettably become commonplace. But for every multimillion dollar attack on a Microsoft or a Colonial Pipeline, there are many incidents that don’t quite warrant front page status. This steady drumbeat of less costly, less splashy attacks on smaller or more vulnerable companies is what keeps information technology (IT) professionals up at night.
Although cyber attacks have grown in their scale and destructive power, there are more options than ever before to insure against losses from data breaches, ransomware, and other cybersecurity threats. But compared to insurance policies for other types of business risks, cybersecurity insurance coverage is not as widely adopted.
Business.com continues to build on our body of research into the risks to the growing number of companies that operate online. Our latest study of IT professionals – who are often a company’s first line of defense against digital attacks – revealed much about the current cyber insurance market. We’ll also help you explore cyber insurance options to protect your business and your customers’ data.
Key Findings
- Nine out of ten IT professionals had at least some level of concern that their company could be the victim of a cyber attack, with 39 percent being “very” or “extremely” concerned.
- 45 percent of IT professionals from companies that were mostly remote said they had been recently attacked, compared to 33 percent of those working onsite.
- Although the majority of IT professionals (63 percent) said they were either very or extremely confident in their company’s ability to resolve a cybersecurity incident, not all companies currently have a response plan in place.
- Nearly one in five IT professionals have not heard of cyber insurance, suggesting that a chief obstacle to greater adoption of cyber security coverage is a lack of awareness.
Table of Contents
- Cyber Insurance Awareness and Adoption
- Which Businesses Need Cyber Insurance?
- What Does Cyber Insurance Cover?
- Factors in Cyber Insurance Cost
- How to Choose A Cyber Insurance Plan for Your Company
Cyber Insurance Awareness and Adoption
Before a company decides to purchase cybersecurity insurance, they must see cybercrime as a threat worth protecting against. We found that the overwhelming majority (90 percent) of respondents had some level of concern that their companies would be attacked digitally in the next year. A significant portion of IT professionals were very or extremely concerned about potential attacks.
How concerned are you that your company could be the victim of cyber crime in the next 12 months? | |
Extremely or very concerned | 39% |
Slightly or somewhat concerned | 51% |
Not at all concerned | 10% |
Although the majority of IT professionals said they were either very or extremely confident in their company’s ability to resolve a cybersecurity incident, not all companies have a solid response plan in place.
If your company were to be the target of a cyber crime in the next 12 months, does your company have a response plan in place? | |
Yes | 67% |
No, but the company is devising a plan this year | 15% |
No, and there is no sign of a plan being formed this year | 6% |
I'm not sure | 12% |
Over 40 percent of IT pros said their companies had experienced some form of cyber attack. Although companies of all sizes had experienced attacks, companies with remote teams had unique vulnerabilities. Nearly half of IT professionals from companies that were mostly remote said they had been recently attacked, compared to 33 percent of IT professionals working onsite.
Many IT professionals had some level of familiarity with cybersecurity insurance, but nearly one in five said they had never heard of it before our study. Considering that these are the experts who can push executives to adopt such coverage, cyber insurance firms may still need to increase awareness of their plans among this key market.
How familiar are you with cyber insurance? | |
Never heard of cyber insurance | 18% |
Somewhat familiar | 59% |
Very familiar | 23% |
More than half of IT professionals said their company already has a cyber insurance policy. And as attacks continue to rise, another 18 percent reported their company is considering purchasing such insurance in the future.
Does your company currently have cyber insurance? | |
Yes | 57% |
No, but the company is considering it | 18% |
No, and the company has no plans to purchase it | 6% |
Unsure | 19% |
Our study also revealed that companies who have experienced a cyber attack in the past are more likely to accept cyber insurance as a necessary cost of doing business. Almost three-quarters of those companies currently have cyber insurance coverage.
Which Businesses Need Cyber Insurance?
The World Economic Forum’s 2021 Risk Perception Survey found that respondents considered cybersecurity failures to be a “clear and present danger” to businesses in the next two years. Out of 35 economic, environmental, geopolitical, and technological risks surveyed, cyber concerns were above average in terms of both their likelihood and their impact.
Since so many businesses today have some level of exposure to cyber risks, it is hard not to recommend cyber insurance to just about all types of companies. Unless no transactions, internal communications, or financial information are ever transmitted over a network (including local networks), a company will have at least some level of cyber risk.
Damage from cyber attacks can vary widely, but a report from IBM estimated the average cost of a cyber attack in 2020 was nearly $4 million. Without insurance, cyber attacks can be devastating to companies of all sizes.
Of course there are certain categories of businesses that could particularly benefit from the peace of mind that a good cyber policy can bring. Broadly speaking, these higher-risk businesses are concentrated among app developers, software programmers, social network companies, and so on. A general rule of thumb is to begin by asking if your company relies particularly heavily on data, networks, and private customer information. If the answer is yes, then cyber insurance is an option that you should at least consider, regardless of the size of your business.
What Does Cyber Insurance Cover?
Like any insurance policy, what cyber insurance covers will depend on your insurance provider, their specific plans, and your coverage limits. But we can still broadly break cyber insurance into two broad categories: First-party cyber insurance is meant to ease or eliminate the financial burdens that may fall on your company if it is the victim of a cyber attack. Third-party cyber insurance will cover other parties besides the company which was attacked, such as customers, clients, government regulators, or business partners. And of course there are certain categories of fallout from a cyber attack that will just not be under the purview of most cyber insurance policies.
First-party liability coverage
First-party cyber insurance is meant to cover the direct costs a business may incur following a cyber attack. Some of the expenses that first-party cyber insurance would cover are the costs associated with informing customers of a data breach, the costs of recovering data, the expense of new servers, and even costs associated with public relations in the aftermath of a cyber attack.
This kind of policy can often be added to your company’s general liability insurance coverage, and is offered through several major insurance companies such as Allstate, State Farm, or Progressive. An example of a company that could benefit from first-party cyber insurance would be a firm that has internal trade secrets but does not transfer client data or use client networks.
Third-party liability
Third-party cyber insurance can help pay for the effects of an attack on a business’ network, especially the lawsuits that can result from an attack. This comes from the general expectation customers have that, if a business requests their information, that business is responsible to keep that information safe. For example, if customer data is exposed in a cyber attack, and those customers sue the business that was storing their data, third-party insurance would cover the legal costs of such a lawsuit.
Business people such as IT consultants, software and app developers, web designers, or web hosting companies necessarily collect and store client data. A company that holds on to people’s payment details, home addresses, health information, or other private data, would benefit from third-party insurance. Third-party coverage could be critical for their IT teams to be confident they can secure and recover the data they are responsible for.
This kind of coverage, often packaged with a tech professional’s errors and omissions insurance policy, can help those companies stay in business safely. Some traditional insurers, such as The Hartford and Travelers, offer these kinds of policies.
What is not covered
Cyber insurance policies can generally be customized to meet almost any client’s needs, but there are broad limits on what this kind of insurance will cover. Upgrades to a company’s systems following a data breach are usually not covered. Also, cyber insurance does not generally reimburse a company if its valuation drops following a cyber attack. Finally, losses of future profits resulting from a data breach or cyber attack are generally not covered. And if an act is covered by a different kind of insurance the company has, cyber insurance will likely not pay to double reimburse the company.
Here are some examples of scenarios that could likely be absent from your coverage:
- Software updates: Company X has avoided updating much of its software, so as to avoid the steep and never-ending cycle of costly upgrades. One day, a piece of malware creeps onto the firm’s systems by way of one of these outdated, and therefore vulnerable, programs, and leads to a major data breach. The company pays its deductible to file a claim and the insurance provider jumps into action. The insurer covers the costs to inform Company X’s customers of the data breach, credit monitoring for those customers, and even protects the firm from the legal expenses, court fees, and settlement payouts that follow. But when Company X decides it must protect itself from future attacks by updating all of its systems, it finds that it is on the hook for those expenses.
- Stock market devaluation: Company Y has years left on its patent for a groundbreaking – and extremely lucrative – medicine. After a cyber attack in which the culprits hacked into the publicly-traded company’s research and stole the blueprints for the new treatment, Company Y lost its monopoly on the medicine. Once the news gets out, investors panic that the company will falter or even fail, and the business sees a significant chunk of its valuation wiped out overnight. Most cyber insurance policies will not protect against this type of loss.
- Damages to physical property loss: Cyber attackers find a vulnerability in Company Z’s network and gain access to an employee’s account. Using the information they find, they manage to unlock the brick-and-mortar office. The criminals burgle and ransack the office, and destroy the company’s servers. Even though the criminals gained access to the building using digital means, this incident would likely be covered by the business’ other insurance policies. For example, property loss, such as stolen computers, would be filed under the company’s property insurance; robbery, theft, and other criminal incidents stemming from the cybersecurity problem would be covered under a commercial crime policy; property damage or injury would be covered by general liability insurance
Factors in Cyber Insurance Cost
The primary factor that will determine how much cyber insurance will cost your company is its level of engagement with data and networks that can be externally accessed. For example, retail companies and health companies have higher risks because they have access to customers’ payment details and patients’ health information. This leads to higher premiums for those kinds of businesses.
Other kinds of companies, such as those in the tech sector, are often legally and ethically required to take responsibility for the cybersecurity of their clients.These kinds of businesses would not only pay more for the same level of cyber coverage compared to another kind of company, but it could be prudent for them to insure beyond the potential damages to their own business. It would be beneficial to seek a third-party policy that could cover some of the damages owed to clients, partners, or regulators.
The same goes for healthcare businesses – just as we expect tech companies to keep our passwords secret, we expect anybody dealing with our medical information to keep those private details of our lives private. In addition to health information, some providers will store patients’ Social Security numbers, addresses, or other non-medical sensitive information. A business that stores these kinds of details can expect to pay more for a cyber insurance policy.
On the whole, though, cyber policies are affordable even for most small businesses. Insureon, a policy quote aggregator that partners with Travelers, Liberty Mutual, and other major insurers, finds that the median cost of cyber insurance for small businesses is $140 a month, or $1,675 a year, regardless of policy limits.
How To Choose A Cyber Plan for Your Company
Choosing cyber insurance will largely depend on a company’s needs and its relationship to the data of its customers and clients. If a business’ main concern is the integrity of its own data, first-party insurance may be enough for its needs. This may be the case for a firm that has internal trade secrets but does not transfer client data or use client networks. If so, first-person coverage may suffice, and that company may benefit by first asking their primary insurer if they have this available as an add-on to their regular coverage.
If that coverage is not enough, a company could ask itself what exactly the policy is lacking. If it is simply how much it will reimburse you, perhaps the solution is a more robust first-party insurance policy. But some companies could decide it deals so much in client data that it would have significant legal exposure if that data was inappropriately accessed. In this case, the next step would be to find an insurer that offers third-party cyber liability insurance that works for that company’s size, reach, and needs. A third-party policy will generally cover some or most of what first-party cyber insurance includes, in addition to financial security from lawsuits related to a cyber attack.
Conclusion
As cyber crimes increase in frequency, scope, and cost to businesses, we can expect companies to seek out insurance coverage that helps protect against cyber attacks. Our research shows that the majority of IT professionals are concerned that their company may be attacked in the coming year, and shows that most companies already have cyber insurance or are considering adding it.
A consistent theme in our research has been that those who have been attacked before are more likely to take the measures necessary to prepare for another attack. If cyber crime continues to rise and affect more individuals and companies, we can expect similar growth in demand for cyber insurance.
Our Data
Business.com conducted an online survey of 348 information technology professionals living in the United States in August 2021.