Organizations have always carried some form of business insurance to protect against things like property damage, theft, and physical injuries. As cyber attacks and data breaches become more expensive and more prevalent — according to Coalition’s own policyholder data, claims severity increased 56% for small businesses during the second half of 2022 — forward-thinking companies are moving beyond general liability (GL) insurance and adding cyber insurance coverage to protect their businesses from threat actors.  By doing so, they can ensure they’re able to resolve incidents as quickly as possible — or, better yet, prevent them from happening in the first place by mitigating cyber risk.

Not all cyber insurance policies are created equal. Although cyber insurance policies are similar to traditional lines of insurance, the uniqueness of each policy lies in the immediate expert attention dedicated to the insured toward identifying, preventing, and mitigating cyber incidents because when a threat actor attacks, time is of the essence. Not only do the best cyber insurance providers help you rapidly respond to cyber incidents, they also take a proactive approach to cybersecurity to keep bad actors from infiltrating your network. As you begin shopping cyber insurance companies, it’s important to seek customizable coverage solutions that offer broad protection. Here’s a sampling from our cyber insurance coverage checklist with specific coverage options to look for in your policy:

• Funds transfer fraud, which occurs when bad actors send money where it shouldn’t go.

• Cyber extortion and ransomware remediation, which helps businesses restore digital assets and avoid making hefty ransom payments to access their data and applications.

• Emerging digital risks, including service fraud (also known as cryptojacking) and computer replacement coverage, which occurs when malware renders devices unusable through a process known as bricking.

• Network and information security liability and regulatory defense and penalties, which enables organizations to protect themselves against penalties that may stem from a third-party liability (e.g., a software provider you use to store sensitive customer data getting hacked).

• Bodily injury and property coverage, which protects against potential physical damage that occurs after someone hacks a system (e.g., a medical device or piece of connected machinery).

While comprehensive cyber insurance policies provide plenty of protection against cyber threats, there are specific exclusions that might not be covered — just like most insurance policies. Such exclusions might include loss of future revenues, brand damage, and employment, discrimination, and directors- and officers-related claims. However, organizations and small business owners can purchase separate types of insurance to cover these kinds of occurrences.

As the prevalence of and costs associated with cyber attacks continue to increase, businesses of all sizes that rely on technology — regardless of the type of business — need cyber insurance. According to Coalition’s 2022 Cyber Claims Report, the frequency of ransomware attacks has increased 54% in the last year while funds transfer fraud incidents have risen 40%.  With businesses losing an average of $89,000 per phishing attack, $118,000 per funds transfer fraud attack, and $330,000 per ransomware attack, companies simply can’t afford to roll the dice on cyber insurance coverage. To play it safe, they should at least purchase insurance that offers high enough coverage limits to absorb these costs.

In today’s dynamic market, the cost of cyber insurance is changing. According to a report published by Advisor Smith, the average U.S. business spent $132 per month on cyber insurance, or $1,589 per year, in 2021.  However, due to a myriad of factors — including rising inflation, legal costs, the increased prevalence of incidents, and how sophisticated they’re becoming (e.g., ransomware attacks) — insurance quotes and deductibles may become pricier with each passing year, much like health insurance and homeowners insurance premiums increase over time.

What is the average cost of cyber liability insurance?

Much like health insurance costs are often based on the individual’s age, location, and salary, several factors influence the overall cost of any organization’s cyber insurance policy. To give you a better idea of how much a policy might cost your organization, here are some factors to consider:

• The types of technology you use - while traditional insurance companies rely more on the organizational data (industry, revenues, etc), modern cyber insurers use scanning technology in their underwriting models to assess potential vulnerabilities in an organization’s tech stack. Thinking like a threat actor allows the insurer to gain better insight into potential risk exposures (which could lead to a cyber insurance claim).

• The size of your organization - Generally speaking, the more employees your organization has, the higher premiums you can expect to pay. After all, more employees means more potential attack vectors, as bad actors can target each team member with social engineering attacks.

• The amount of money you make - While bad actors don’t discriminate between small businesses and large enterprises, companies that generate lots of annual revenue and have deep pockets are more likely to entice cybercriminals for obvious reasons.

• Your claims history - You might have to pay more for cyber insurance if you have a history of making claims against your cybersecurity policy.

• The industry you operate in - Riskier industries may come with higher premiums due to the nature of the business. For example, bad actors might be particularly keen on attacking financial firms and healthcare providers because they may get a bigger payout.

• The kind of data that is protected - The more sensitive your data is, the more likely threat actors will be interested in it — and the more money it will cost to protect. In most cases, companies that process sensitive data — like credit card numbers, medical information protected by HIPAA, and other personally identifiable information (PII), including Social Security numbers — can expect to pay more for coverage than businesses that don’t collect much sensitive information.

• The amount of coverage you opt for - Like other forms of insurance, your cyber insurance cost will be influenced by how much coverage you’re seeking. For example, a $1 million policy will be more affordable than a policy that provides up to $15 million in protection.

There are a lot of factors when determining cyber liability insurance costs, and every insurer uses a different methodology to figure out appropriate packages for each client. Coalition, for example, uses a proprietary data platform that assesses an organization’s infrastructure to determine potential risks and uses that data to inform the underwriting process, extrapolating pricing from there. We do our best to look at our clients the same way threat actors would to create the most accurate depictions of risk possible. What impacts cyber insurance costs?

Cyber insurance costs are influenced by several factors, including:

• Increasing demands in coverage

• Enhanced challenges stemming from ever-sophisticated attack methods

• Increasing costs associated with cyber incident remediation

• Threat actors evolving techniques for cyber attacks

Additionally, your cyber insurance premiums may also become more expensive upon renewal if you’ve experienced a cyber attack within the previous year — not unlike your car insurance premium increasing after an automobile accident. The good news: increasing costs on your cyber insurance premium can be remediated if you put the right security controls and protective measures in place, such as multi-factor authentication (MFA), closing off remote access (RDP), and utlizing endpoint detection (EDR). This is also why it's important to take proactive cybersecurity measures throughout the lifetime of your cyber insurance policy rather than reacting after your organization experiences a cyber incident.

The higher your cyber insurance coverage amount is, the more you can expect to pay on cyber insurance premiums. When you’re shopping for car insurance, you might choose to reduce your monthly payments by buying collision insurance, which only protects you in the event you’re in an accident with another vehicle or structure. If you want more coverage than that — e.g., protection from vandalism, theft, and weather incidents — you’ll likely spring for a comprehensive insurance policy, which costs more. The same concept holds true in the world of cyber insurance. Depending on the size of your business and the scope of your operations, you may be willing to try to get by on the most bare-bones cyber insurance policy there is. But if you really want to protect your business, it may make more sense to purchase a comprehensive cyber policy that includes coverage for emerging digital risk exposures, including:

• First-party coverage, which you incur when a security failure leads to property damage, which then results in a covered loss (e.g., damage to industrial controls).

• Service fraud, or financial losses incurred from the fraudulent use of business services (including cryptojacking).

• Computer replacement costs that occur when systems are permanently impacted by malware. 

• Reputational loss, including net profits that would have been earned in the absence of a public negative media event.

To lower the cost of your cyber insurance liability policy, your company should follow as many cybersecurity best practices as possible. In all likelihood, more best practices will translate into a better premium.

• Strong password policies. When an attacker steals an employee’s password, it’s that much easier for them to wreak havoc on your environment. One of the easiest things you can do to reduce the chances that happens is by implementing strong password policies and encouraging employees to create randomly generated passwords (e.g., X7k2nmbOp*x54kn) or long passphrases (e.g., ilikegoingtothemoviesonthursdayafternoons) and never reuse them. Worried that your team might forget such passwords? Don’t be. Using a password manager like 1Password or Dashlane will enable your employees to store these passwords in a single encrypted account, making logins a breeze.

• Multi-factor authentication (MFA) for all employee accounts. No matter how weak or strong your employees’ passwords are, bad actors can still gain access to them by guessing or using automated tools designed to crack into accounts. Implementing MFA can help protect against such occurrences by adding an additional authentication layer on top of the standard username and password. Using authenticator applications like Google Authentication or Duo Security, employees can automatically receive a PIN code on their mobile device after logging into their account. After entering the correct credentials, the user will be prompted to enter that PIN code as a second factor. They’ll only gain access to the account if they enter the correct code.

• Closed network ports. Computers use network ports to communicate with each other. Each port is assigned a numeric value between 1 and 65535, but some port numbers — like web servers, which typically run on port 80 and port 443 — are standardized. Unfortunately, threat actors tend to have a good idea of which ports are most vulnerable. As such, it’s a good idea to examine your environment to determine which ports are open and shut any that are unused.

• Security awareness training. If your employees don’t know what phishing attacks look like or are still using the same password to access every single account they own because they don’t know better, can you really blame them if a threat actor finds their way into your network through them? Prioritizing security awareness training and updating your team when new threats emerge can go a long way toward protecting your network from cybercriminals.

Due to the high-stakes nature of cybercrime — and the potential expenses your organization would incur if you were the victim of an attack and lacked cyber insurance coverage — price shouldn’t be the only thing you consider when shopping for a policy.  As you begin searching for a cyber insurance solution, here are some things to look for:

• Comprehensive coverage that’s broad, foundational, and designed for all kinds of cyber attacks, including ransomware, phishing, and funds transfer fraud.

• Favorable coverage features, including “pay on behalf of” provisions, free breach response services, breach response costs outside the limit, employee-owned device coverage, and more. 

• Active Risk management solutions, with continuous monitoring and alerting for emerging threats and vulnerabilities (e.g., Coalition Control)  

• Dedicated technical support, with pre-claim assistance, in-house claims, and incident response forensic specialists who respond in minutes — not hours or days.

• Limitations of exclusions and package policies, since you need to be mindful of exclusions, such as fraud and prior knowledge.

Beyond these considerations, you may want to look for comprehensive cyber insurance that also pays for:

• Sales loss during downtime or business interruptions

• Losses incurred before a waiting period ends

• Third-party coverage

• New hardware

• Software upgrades

• Social engineering attacks

• Bodily injury or property damage

• PCI fines

• Reputation damage

• Loss from account takeover schemes

Cyber attacks are on the rise, with no signs of slowing down. Due to how much damage bad actors can inflict on your business, cyber insurance has become essential for companies that wish to remain operational for the foreseeable future. Ultimately, it’s not about cyber insurance cost. It’s about the protection you get in exchange for what you pay.