What Does Cyber Insurance Cost?

For many people, the cost of cyber insurance is about two distinct issues.

The first is the actual cost of insurance in cash terms, relative to the coverage provided; the second is the question of whether it is worth having cyber insurance at all.

Any business or organisation needs to break the cost issue down into three specific areas.

The first is to decide what level of risk they believe the business is at. The second is what they can do by way of cyber governance to reduce any risk, and the third is whether or not they need cyber insurance at all, depending on what other types of business insurance they already have.

This is one area of insurance where it is well worth considering using an insurance broker, which will not increase a business's cost at all, but can provide invaluable information about cyber risk modelling, as well as about cyber insurance policies and their costs.

In terms of cost in cash terms, as with any type of insurance, it is very difficult to generalise. However, reports by Reuters and others seem to suggest that rates have increased by anything from 30 to 50% over the last two or three years, that the size of deductibles has also increased, and that the amount of coverage has been significantly reduced.

Cost of a Data Breach

What can be more easily quantified is what a data breach can cost a company.

Reuters recently reported that a data breach at Merck cost its insurers around US$275 million. The cost to Target, the well-known retailer, of a data breach in 2013 was estimated to have been US$264 million.

Research by the Journal of Cyber Security in 2016 estimates the total cost of cyber events at approximately US$8.5 billion annually. They go on to suggest that the most common type of data breach is one where customers' credit card numbers and healthcare information have been compromised.

Any company or organisation holding this type of information is therefore more likely to be at risk, and to be charged higher premiums. Their research also points to certain industries being most at risk, namely retail, information, manufacturing, finance and insurance.

Insurance premiums for these sectors of business are likely to be higher than others.

Cyber Liability Insurance Cost

Any insurance policy is about risk. An insurance company offering cyber insurance will look at a business or organisation, and try to assess the level of risk and then decide how much to charge for the coverage they are offering.

As Warren Buffett recently said, trying to assess the risks of cyber security is almost impossible, partially because it is such a relatively new area of insurance, and partially because it is inherently difficult to assess the level of risk.

There are, however, a number of major insurers offering cyber insurance, such as Hiscox, AIG, Travelers etc. Their assessment of risk will be focused on a number of areas including type of business, revenue, number of employees, cyber security governance etc.

Premiums do vary widely, and the anecdotal evidence available suggests premiums can vary from US$500 / 600 a year up to US$100,00 a year and more. The insurance rates charged for the policy will largely be determined by the coverage limit of the policy, and what deductible is applied.

Cyber Attack Cost to Business

The second question is in a way easier to address, as it normally comes down to whether or not there is any risk and, if so, whether that risk is already covered by some type of E&O (errors and omissions) insurance, or by a general business or liability insurance policy that the company or organisation already has.

Any business or organisation of any size is potentially open to a cyber attack or data breach. What they need to work out is what it would cost them if they had one, and below are some of the areas that would incur most of the cost.

Unsurprisingly, these are the areas of coverage that most cyber insurance policies provide, which in a way makes it easier for a business to assess whether or not it needs to pay for a specific cyber insurance policy.

  • having to restore lost data
  • having to fix or replace any network system or software, including hardware, that has been damaged
  • dealing with the fallout in terms of reputational damage, and having to hire some type of PR company to help fix it
  • offering to pay for any customers to have some type of credit monitoring system as a result of a breach
  • the cost of bringing in any outside experts necessary to investigate and possibly fix what caused the breach
  • potentially massive costs of lawsuits from customers/clients etc
  • any regulatory fines or penalties that may be imposed
  • loss of business due to inability to trade whilst network systems are being restored and investigated

Cyber Governance

Cyber governance is the phrase given to the structure, policies and procedures that any business or organisation has in place (or does not) that reflect its understanding of and approach to dealing with cyber security.

The level of cyber governance will to a large extent be reflected in the cost of any cyber insurance policy, or in any restrictions that the insurance company puts in place on such a policy.

A really good tip for any business or organisation is to get hold of a cyber insurance proposal form, such as that from Hiscox, which asks numerous very detailed and specific questions about a company’s approach to cyber security.

This tells you more about their thinking than anything else. Their thinking reflects both their experience of cyber security and their understanding of the best way to prevent any cyber attack.

Using any proposal form as a template for a company's cyber governance plan is a good way to structure such an approach, and also a good way to realistically reduce the cost of any cyber insurance policy that may be taken out, either with Hiscox or any other insurance company.
