Today, the exciting topic of insurance! Seriously, though – insurance. You gotta have it.
However, while cyber insurance has become increasingly common, it is still clear that many organizations do not view this kind of insurance as a fundamental part of their risk management, as they might view liability insurance or commercial property insurance. Statistics are all over the map on cyber insurance coverage, but even if best-case estimates are accurate, about a third of SMBs do not have a cyber-specific insurance plan.
The reality is that cyber insurance is an essential part of any organization’s risk management strategies. At BIT Services, we recommend that all our clients purchase cyber insurance coverage, no matter their size or type. Obviously, the level or type of coverage may vary by business field, size, and circumstance, but an appropriate cyber insurance plan ought to be an essential business expense in our present threat environment. The cost and consequences of service disruptions and data breaches can cripple businesses of any size and of any type.
If you are successfully targeted in a cyber breach, insurance is a vital tool that can potentially cover a wide range of expenses. For example, a simple plan might cover forensic services and customer notification expenses (which are often required by state law), as well as expenses related to rebuilding IT infrastructure or customer credit services. Other plans might include coverage of lost income, ransomware payments, and fees or penalties related to compliance problems created by the breach. Of course, you’ll want to make sure you understand the exclusions of any policy. Exclusions might include failure to maintain appropriate internal cyber hygiene, acts of war, or internal fraud committed by an employee.
Note also that an insurer may incentivize or require particular policies and practices related to a business’s cyber procedures. These are best practices regardless of whether your insurance coverage requires them. These practices might include:
- regular training for employees on essential cyber hygiene practices
- implementation of MFA (multi-factor authentication)
- management of appropriate access to IT systems
- running regular software updates / patches
- emphasizing and ensuring credential security
There is nothing exciting about insurance, but we all know that it is a backstop against crippling events. The false belief that cyber criminals only target large national companies often prevents SMB owners from accurately assessing their own risk. The reality is that any effective risk management plan must include cyber insurance.