Cyber risk has become as ubiquitous within the American lexicon as apple pie, yet few truly understand it or, even worse, how exposed to it they are. Over the past few years insurance brokers and firms have done a great deal of work to raise the visibility of programs to combat cyber risk, particularly cyber insurance. This rush to market by carriers, coupled with the ever-increasing rate of cyber-attacks, has created a lot of misinformation and myths around how cyber insurance should be utilized.
Myth 1 | All cyber insurance programs are the same.
This is probably one of the biggest myths out there. Insurers trying to capitalize on this growing market segment were quick to develop programs. This has resulted in a wide array of cyber “Frankenstein” policies which add limited coverage endorsements to existing business owner’s policies. These types of programs give the insured a sense of false confidence while leaving them exposed to some of the more perilous cyber threats.
Insureds need to opt for stand-alone cyber insurance policies that will cover them across the full spectrum of cyber risk, ranging from the required regulatory notification and remediation components to business interruption and reputational harm to the business itself. Unless a stand-alone policy is in place, these types of threats are not usually covered, which can lead to denied claims.
Myth 2 | My company does not have a cyber risk exposure
Unless an organization conducts business completely outside of the internet, it is susceptible to cyber risk. High-profile breaches in the news are misleading. Companies and individuals believe that their smaller organization is not at risk because they do not have a treasure trove of records and data on hand. In reality, data breaches are just one facet of cyber risk. Cyber extortion and ransomware incidents are much more common and highly focused on small businesses. Companies that think they are not a target or do not have a cyber exposure truly do not understand how vulnerable they really are.
This problem is compounded when considering how interconnected devices and the Internet of Things factor into this equation. In 2017, a North American casino was breached because of an automatic fish tank feeder that was connected to an executive’s laptop. Through this non-secure device, hackers were able to enter the system and abscond with company data.
Myth 3 | Cyber insurance is cyber security
A dangerous misconception by most small to mid-market organizations is that cyber insurance is the same as cyber security. This is simply not the case.
Cyber insurance is a great resource and should be used by all organizations to help put a fixed price on the uncertainty of cyber attack and data breach costs. Stand-alone cyber insurance policies also bring with them breach response resources that can facilitate the mailing of notifications to affected parties, manage crisis communications and carry out remediation efforts to get a firm’s systems back online. Cyber insurance includes reactive components in response to a breach, and functions as a tool to transfer the financial losses associated with a cyber attack off the organization’s P&L and into the insurance markets.
Cybersecurity aims to prevent successful attacks in the first place. Proactive cybersecurity initiatives are required to protect an organization’s IT infrastructure and data. These can range from technology solutions to training employees in proper cyber hygiene.
Myth 4 | All that I need to protect is Personally Identifiable Information (PII) records
It is true that PII is a key data set that needs to be protected by organizations. Regulators have been quick to develop notification requirements and impose fines if firms fail to protect these records. Yet for businesses and organizations, their digital assets go well beyond employee data. A breach that exposes a firm’s intellectual property, for example, could render that business worthless. Firms that do not consider the enterprise value of their data are putting their businesses at risk. This is increasingly the case for larger entities. Firms like Google that rely solely on data for their core offerings will have a much different risk profile than a firm like CSX, whose business model still relies on hard assets. These factors need to be taken into account as organizations carry out their cyber risk assessments.
Myth 5 | My firm is too small to carry cyber insurance
Most cyber-attacks focus primarily on small businesses because attackers know they are the most vulnerable. Small businesses often lack the IT resources or budgets to develop robust cybersecurity defenses. This makes it easier for cyber criminals to enter their systems and wreak havoc. According to a recent study by the U.S. National Cyber Security Alliance, 60 percent of small companies that suffer a cyber-attack are unable to sustain their businesses, often closing within 6 months. This is a direct result of the expenses related to a cyber-attack.
The average price for small businesses to remediate a cyber-attack is approximately $690,000; for middle market companies, it is over $1 million[1]. These types of financial losses are not sustainable for the bulk of businesses, let alone small enterprises with limited budgets. Having a cyber insurance policy in place can mitigate these types of financial exposures, making firms more resilient and better able to withstand a cyber-attack.
Today small business adoption of cyber insurance is still underperforming; however, recent trends have shown a slight uptick. Creating accessible cyber programs and customer awareness should not just be the focus of the insurance industry, but rather a national interest. With businesses that suffer a cyber-attack going out of business at a rate of 60%, creating cyber resiliency is a top economic priority for the country.
[1] Ponemon Institute