Cyber Insurance Requirements: Everything You Need to Know in 2024

Unfortunately, scenarios like these are increasingly common. Faced with a steady rise in malware, ransomware and cybercrime, more and more companies rely on cyber insurance in order to protect themselves from the financial damages associated with digital threats. In this article, we’ll look at how cyber insurance can protect your business, what types of coverage are available and the cyber insurance requirements your company must meet in order to qualify for a policy.

Cyber insurance or cyber liability insurance protects companies from damages and liabilities that arise as the result of hacks, malware attacks or data breaches. As a relatively new branch of the insurance industry, there is no clear standard for what a cyber insurance policy must and must not include. Policies typically cover costs that are directly associated with a security breach: documenting and investigating the attack, data recovery and hardware repairs, notifying consumers and regulatory agencies, crisis management and PR damage control, etc.

Depending on your provider, cyberinsurance plans may also offer additional forms of first-party and third-party coverage, including paying for the lost income of your business or covering fines, legal fees and settlements that result from a breach. How much protection your company needs depends on your line of business, whether you store and process sensitive data and how rigorous your cybersecurity measures are, among many other factors.

The growing need for cyber insurance results from a huge rise in cybercrime over the past years. While hacks, data breaches and even ransomware are nothing new, their effect on the global economy has increased massively due to combination of factors: the cryptocurrency market providing hackers with untraceable cash flow, the COVID-19 pandemic accelerating the adoption of remote work and cloud services and even war in Ukraine fueling state-based cyberattacks.

Put all of it together and you are left with a 38% increase in cyberattacks year-over-year in 2022, resulting in a combined cost of eight trillion dollars. On an individual level, even a single successful attack can bring a company to its knees: lost revenue and production, the cost of replacing affected hardware and software, the loss of consumer trust, possible fines and legal fees, etc. Without the safety net provided by cyber insurance, the damages caused by malware infections or employee data theft can prove catastrophic and leave your business unable to recover.

Cyber attacks affect companies of all shapes and sizes. While large enterprises are high-value targets for hackers and criminals, the limited IT security of many small and medium businesses can make them just as attractive to bad actors. Certain industries, like technology and financial services, are more at-risk than others. However, protection from digital threats has long since become a universal need: Any company that receives, stores and sends digital information can benefit from insurance and risk management.

In fact, the rising demand for cyber insurance shows that there is growing awareness of this issue: In a survey of 5,400 businesses conducted by the insurance provider Hiscox, 41 percent reported having a cyber insurance policy in place, which represents an 8% increase compared to the previous year. So if you do decide to buy cyber insurance, you’re in good company.

Premiums for cyber insurance vary depending on the strength of your cybersecurity measures, the types and amount of coverage included in your policy and the size of your business (number of employees, annual revenue, etc.), i.e. the factors that influence the size of a potential insurance claim. The cost per year of cyber insurance typically ranges from around $1,000 for small businesses to tens of thousands of dollars for bigger companies.

However, as a relatively new field, the cyber insurance market is considered very volatile. The lack of long-term data makes it difficult for providers to assess the level of risk they are taking on. With increased demand for coverage alongside a steady rise in cyber-crime, the price of cyber insurance has been rising quickly. The risk management firm Marsh, which has been tracking the cyber insurance market for a while, routinely reports yearly premiums surging 50% to 100%, though the rate of increase appears to be slowing down.

Alongside higher premiums, the growing threat of cybercrime has led many insurance companies to rethink the forms of coverage they want to offer. Many providers are lowering their cap for payouts, draftings stricter exclusions, as well as enforcing harsher cybersecurity requirements as part of the underwriting process. For example, in response to recent conflicts, insurers have been rewording war exclusions to bar coverage for attacks from state-sponsored groups. Others are questioning whether cyber insurance can even remain a sustainable business model, such as Zurich’s CEO Mario Greco, who claimed that cyber risks may “become uninsurable”.

Recognizing that risks may become too large for private insurers to shoulder, President Biden’s new cybersecurity strategy includes plans to explore a potential federal cyber insurance backstop. Government support would provide certainty to the insurance market, helping providers take on new policies and making it easier for businesses to find adequate coverage.

However, it is currently unclear whether the government is going to take action and what form it would take, with proposals ranging from federal insurance policies to a backstop fund that would cover large-scale attacks. Similar, state-backed models already exist for other catastrophic forms of risk like hurricane or flood insurance.

Like all forms of insurance, cyber insurance allows businesses and individuals to offload a financial risk – in this case the damage caused by a hack or data breach – onto their insurance provider. How big that risk is depends on many factors: the size of your company, your line of business, how extensively you rely on web-based tools and services and so on.

Ultimately, it’s up to you to decide whether cyber insurance is worth the cost or if you would rather take the risk of covering your own losses in the event of a breach. It’s worth noting, however, that the potential cost of hacks may be larger than you think. According to the Hiscox Cyber Readiness Report, the average cost of a cyber incident for businesses with 50 to 249 employees is $184,000. Companies with between 250 to 999 employees face an average cost of $715,000.

In order to determine your premium, coverage limits and whether you even qualify for cyber insurance in the first place, insurance providers will carry out a cyber insurance risk assessment as part of their underwriting process. Depending on the size of your company, this process can range from a self-assessment questionnaire to third-party audits carried out over multiple weeks by a cyber security firm. Regular check-ups and reassessments are also possible.

To keep risks at an acceptable level, policyholders are required to meet basic IT security standards in order to qualify for cyber insurance. At a minimum, a company interested in buying cyber insurance must have the following safety measures in place:

Organizations that do not meet the requirements for cyber insurance may still end up with an active cyber insurance policy. In some cases, this can be the result of deliberate manipulation (i.e. lying during evaluations or on attestation forms), but the more common scenario is that a business showed the required level of security during the initial assessment period, but then fails to uphold safety measures over the entire duration of the policy.

This is incredibly risky. Not only are the requirements for cybersecurity insurance common sense safety measures that businesses should be following anyway: If you file an insurance claim and your provider discovers that the safety requirements of their policy were not being followed at the time of the attack, your claim is likely to be denied.

The reason insurance providers enforce these basic safety standards is that some companies see buying cyber insurance as a way to get around improving their IT security. After all, if your losses in the event of an attack are covered, why should you take extra steps to prevent data theft and keep out hackers? This is a short-sighted approach to cyber security, since the loss of critical or sensitive data can harm your reputation and disrupt your workflow, even if you face no direct financial damages.

In reality, cyber insurance should serve as an extension to your existing IT security measures, rather than a band-aid solution for lacking safety standards. Taking additional steps to improve IT security not only helps prevent attacks, but can also lower your insurance premiums. Your provider may be able to suggest improvements you can implement based on your initial risk assessment. It’s important to remember, however, that any security system is only as strong as its weakest link. For example, employee education often plays a major role in ensuring that safety standards are followed within your organization.

To be eligible for cyber insurance, your company must keep track of who has access to different files and resources. This process, also referred to as User Lifecycle Management, ensures that your employees have the all the permissions necessary to complete their tasks, but no unnecessary permissions that pose a security risk. Managing user access rights from one central platform not only helps you qualify for insurance, but is also a key step for many industry-specific compliance standards.

Compliance regulations that directly specify or greatly benefit from an identity and access management solution include the Sarbanes-Oxley Act (SOX Compliance) in the financial industry, the Health Insurance Portability and Accountability Act (HIPAA) and TIXAX certification in the automotive industry. It is also a component of the ISO 27001 information security standard.

By following the principle of least privilege, only providing permissions and access rights that are absolutely necessary and regularly reviewing privileges through user access reviews, you can greatly reduce the amount of damage a hacker can cause to your organization should they gain access to a company account.

The only problem? Manually tracking permissions and users is a time-consuming process that leaves a lot of room for user error. In fact, it is one of the top 5 access management risks. To ensure that every change is tracked and documented, you need to automate this process.

As employees are assigned to new projects or move to different departments, they need access to new files and resources in order to do their job. So far, so good. Unfortunately, businesses rarely remember to remove permissions that are no longer needed, say because a project has ended or a user has left their old department. As a result, many employees end up with way more permissions than they actually need. This kind of privilege creep not only enables employee data theft, but also makes it easy for malware infections to spread across your entire system.

While IAM software cannot prevent an attack, it stops attackers from easily accessing every device in your network. A hacker that manages to bypass your security measures only gains access to the files and resources that the account in question had access to. Stopping privilege creep at your organization, combined with securing endpoints and connected devices, thus minimizes the damage of cyber attacks and data breaches.

IAM solutions like tenfold allow your organization to quickly and easily assign permissions to users, manage access to IT resources and document changes in accordance with compliance standards. As an added benefit, identity and access management eliminates many of the weaknesses and vulnerabilities exploited by cyber attacks.

tenfold is a simple, yet comprehensive IAM solution that is perfectly tailored to meet the needs of mid-sized businesses and offers a variety of plugins that make it easy to integrate into your existing software environment. All this and more makes tenfold the IAM software of choice for midmarket organizations.

When it comes to cyber insurance, one key distinction is between first- and third-party coverage. First-party insurance covers damages your company faces as the result of an attack. This includes the cost of repairs, data recovery, lost revenue and so on. Third-party insurance, however, covers legal expenses for privacy lawsuits, claims of negligence and similar suits. In general, a comprehensive cyber insurance policy should cover both first- and third-party damages. The specific terms of your policy depend on the provider and insurance plan you choose.

First-party damages are damages to your business caused by the loss or theft of data. A typical plan covers everything from attacks by hackers to insider threats and even accidents like power surges or hardware malfunction. Costs that are covered by first-party cyber insurance include:

Third-party damages are claims made against your company following a security breach. If sensitive data or personal information was exposed during a cybersecurity incident, your business may find itself in hot water with consumers, business partners and government agencies. Third-party cyber insurance helps protect your company by covering the cost of your legal defense in cases such as:

A business that suffered a data breach not only faces financial damages, but also damages to its reputation. Whether a breach was caused by negligence or a hacker gained access to your systems despite your best efforts, the result can be the same: the loss of your customers’ trust. Effective crisis management and clear communication are essential to minimizing the public fallout after an attack and restoring your company’s image.

In order to help you respond to an attack quickly and effectively, some insurance contracts cover services like data breach coaches, who help you meet the legal requirements for documenting and reporting cyber attacks, and specialized PR firms, which can assist you with your crisis communication.

Ransomware payments are a controversial issue. Following a ransomware attack, many companies ultimately decide to pay out in order to regain control of their systems, because the alternative would be weeks of standstill or the permanent loss of critical data. Similarly, insurance companies often see a ransom payment as the lesser evil compared to covering the cost of large-scale repairs and recovery. Many providers help affected companies negotiate with hackers and reimburse clients for the ransom payment. As of today, a typical cyber insurance policy does cover ransomware payments.

However, experts believe that ransomware coverage and the willingness to pay attackers has led to a vicious cycle: companies that give in to ransom demands may be able to recover their data, though this is far from guaranteed. In doing so, however, they essentially finance cybercrime and the continued operation of the ransomware business.

Over the past years, both the number of ransomware attacks and the amount of ransom demanded by hackers has increased significantly. Given this trend, insurance providers may have to revisit their policy of covering extortion payments. The insurance industry is already facing growing pressure from regulators and governments. Following a Senate roundtable on the topic of cybercrime in 2021, AXA announced that it will stop paying for ransomware in France. Similarly, in the US, law enforcement strongly discourages ransomware payments by affected businesses.

Commercial general liability (CGL) insurance is a key part of any company’s risk management strategy. However, businesses that expect their existing insurance to cover the damages caused by hacks and data breaches may be in for a rude awakening. Take Sony, for example: Following a hack in 2011, Sony filed an insurance claim with Zurich American under their commercial general liability policy. Zurich denied the claim and filed suit, leading to a lengthy legal battle that was eventually settled out of court in 2015.

The problem is that general liability insurance, property insurance and other types of coverage were not written with cyber attacks in mind. As a result, the language used in these policies can be open to interpretation. For instance, typical policies cover the loss of “tangible property”. Whether data qualifies as tangible for the purposes of insurance coverage has been argued in court many times, with no definitive result. But even if a judge might ultimately rule in your favor: After an expensive cyber attack, most companies simply don’t have the time or resources to argue their case in court.

Cyber insurance is specifically tailored to cover hacks, data breaches and similar incidents, meaning businesses can be certain they will get the help they need after an attack. Insurers, likewise, are aware of the risk of ambiguous language in CGL and property insurance. In order to address loopholes and silent cyber (unintended cyber exposure in traditional insurance), many providers are adding specific exclusions to their contracts, which rule out reimbursement for the loss of data or hardware damages.