Risk Management · December 05, 2022

Is Cybersecurity Insurance Worth It?

In recent years, cyberattacks and security breaches against businesses have increased in frequency and severity, leaving many organizations wondering how best to protect themselves against these threats. According to Forbes, the world saw a 105% surge in ransomware cyberattacks in 2021. In this environment, cybersecurity insurance is a must-have. A policy providing data breach insurance coverage and cybersecurity insurance coverage can help manage the impact of a cyberattack or data breach protect businesses from financial damage, safeguard customer information and minimize downtime.

Is it really worth it to get cybersecurity insurance?

Yes! Any business that stores sensitive data—whether on a network or in the cloud—should have a cyber insurance policy.

Any business that relies on technology to operate, particularly one that sends or stores electronic data, should consider cyber insurance—which is, basically, every business.

All data saved or stored on a network is tempting to a cybercriminal and could be at risk of being stolen. That includes personal contact data for staff and customers, financial information of a business and intellectual property. Even healthcare data saved on a medical device can be weaponized for profit.

What is cybersecurity insurance coverage?

A cyber insurance policy generally offers protection for a business to recover from a data breach or other cyberattack, as well as legal claims resulting from the breach. Cybersecurity or cyber insurance can help minimize business disruptions caused by a data breach or a phishing scam and its financial aftermath. In the case of a ransomware attack, it can also provide coverage for financial costs and help a business recover more quickly.

However, there are some things that a cyber insurance policy won't protect against. Most importantly, an insurance provider can't alert a business owner of a pending cyberattack. Businesses need to have their own cybersecurity measures and monitoring procedures in place. In fact, a certain level of measures will need to be in place in order to obtain a cyber insurance policy. Although security specialists and consultants work to prevent cyberattacks before they happen, cybersecurity insurance policies provide coverage in case breaches occur.

What's included in a cybersecurity insurance policy?

Many of the most common cyberattacks are included in cyber insurance policies, such as ransomware, fraud attacks, malware and phishing scams.

In most cases, a cyber insurance policy will ofer coverages for the costs of investigating and remediating security failures, including data recovery, system forensics, legal fees and any customer compensation. In the instance of ransomware, a cyber insurance policy can include the ransom demand, even though most cybersecurity specialists and law enforcement officials warn against this practice, noting that it only encourages more ransomware attacks.

Types of cybersecurity insurance coverage

First-party coverage

First-party coverage usually covers the immediate and direct expenses that result from a cyberattack. These include:

  • Notifying employees and customers
  • Legal expenses resulting from the data breach
  • Repairing or replacing any damaged software or hardware
  • Business interruption or lost business opportunities while your network is down
  • Credit monitoring for customers
  • Any ransomware or extortion payments

Third-party coverage

Third-party coverage helps the company defend against lawsuits brought by customers and other parties as a result of the cyberattack or a data breach. This policy covers:

  • Consumer class action lawsuits or potential settlement funds
  • Legal fees and fines resulting from a regulatory investigation
  • Media liability claims, such as libel or slander
  • Breach of contract or negligence claims

Cyber and data risk insurance doesn't, however, include coverage for costs associated with damage to the business brand, loss of revenues after normal business operations resume or drops in share price or market shares that may have resulted after the cyberattack or data breach.

What to look for in a cybersecurity insurance policy

First, a business owner should review their existing insurance policies to see if they already have cyber insurance in place, and be sure to look at the policy or endorsement wording to understand the coverage being provided. Alternatively, check other policies to determine if they specifically exclude cyber-related incidents. In recent years, policies that previously extended to cyber-related issues have been changed to exclude them given the rise in claims.

When looking at cyber insurance policies, it pays to ask good questions, like the following:

  • Does it address the most common security network failures, including business email compromise or phishing scams?
  • Does it address business interruptions and costs incurred while a network is down?
  • Does it have strong privacy liability clauses to protect the business from third-party investigations?
  • Does the policy address legal defense costs or fees resulting from lawsuits brought by affected customers?

Managing liability risks

One thing to keep in mind when exploring cyber insurance policies is what personal information is covered and how it's defined. After all, the biggest reason to invest in a cyber insurance policy is to address your company's liability for privacy or identity theft injuries, including the disclosure of private information or failure to comply with privacy laws.

Some policies will list specific personal information that it covers, such as name, address, social security number, health information, financial information and more. A better, more future-proof approach is a policy that covers a broad definition of personal information, encompassing anything used to identify a specific individual or subject to privacy law, including the Fair and Accurate Credit Transactions Act and the Health Insurance Portability and Accountability Act, or HIPAA.

Cost considerations

A number of factors are considered in the cost of a cyber insurance policy, including the size of the business and annual revenues. The type of sensitive data that the business manages, its history of previous cyberattacks and the overall security of the network are other factors that could come into pricing.

The industry that a business operates in could also be a factor. Industries that typically deal with sensitive or personal financial, legal or health data, for example, could find themselves paying more for cyber insurance or have difficulty accessing it at all.

Peace of mind—a big benefit of cybersecurity insurance

According to the FBI's annual Internet Crime Report, cybercrime cost US businesses and individuals $6.9 billion in 2021. For most businesses, the cost of even a single cyberattack can make or break a company's future and reputation with its customers. Investing in the peace of mind of cybersecurity insurance can be a relatively small price to pay when weighed against the possibility that a data breach might occur and its associated costs.

Given the increasing frequency of data breaches, ransomware attacks and phishing scams, cybersecurity insurance can be a sound investment for companies operating in today's cyber environment. Your business banker can connect you with an insurance professional to learn how you can take action to safeguard your business.


Financial insights for your business

No results found

This information is provided for educational purposes only and should not be relied on or interpreted as accounting, financial planning, investment, legal or tax advice. First Citizens Bank (or its affiliates) neither endorses nor guarantees this information, and encourages you to consult a professional for advice applicable to your specific situation.

Links to third-party websites may have a privacy policy different from First Citizens Bank and may provide less security than this website. First Citizens Bank and its affiliates are not responsible for the products, services and content on any third-party website.