Page 164 - Cyber Defense eMagazine January 2024
requires every car owner to carry auto insurance. This forces owners to take responsibility and mitigate
the costs of a disaster themselves. Cyber insurance fills a similar role, enabling organizations to both
take financial responsibility and protect themselves from data breach costs that could otherwise put them
out of business.
In the same way, some lenders now require organizations to carry cyber insurance to make sure they
can repay their business loans. Some businesses now require cyber insurance in contracts with supply
chain partners to ensure their security and stability. The government has a similar interest in making sure
organizations representing key infrastructure can survive a cybersecurity event. Some managed service
providers (MSPs) now even require that their clients carry cyber insurance, declining the risk of working
with businesses that don’t.
However, many SMBs—and even the MSPs they rely on for expert guidance in cybersecurity matters—
still don’t fully grasp the importance of adequate cyber insurance and the tremendous risks they face
without it. These organizations and their partners may likewise hold inaccurate notions of what size of
cyber insurance policy is appropriate, the lengths to which they must go to demonstrate effective
cybersecurity practices, and how to vet cyber insurance providers to ensure trust.
Let’s set these misconceptions straight.
SMBs, look out
In general, small- and medium-sized businesses require a wake-up call to shatter their false sense of
security. Although cyberattacks on SMBs don’t make media headlines the way attacks on major
enterprises do, the fact is that attackers actually prefer to go after SMBs, because they’re usually soft targets.
SMBs often falsely believe they’re not on attackers’ hit lists, or that an incident such as a ransomware
attack will only impact their systems for a few hours. In reality, they are attackers’ prime targets, and most
ransomware attacks lock up systems for days or weeks. The bottom line: 75% of SMBs would go out of
business if struck with ransomware. Effective cybersecurity and cyber insurance mitigate that
extinction-level risk for SMBs.
How much cyber insurance does an organization need?
Cyber insurance policies are broad, and choosing the right coverage is essential to an organization’s
survival in the aftermath of an incident. MSPs and cybersecurity experts can offer crucial guidance in
selecting effective policies and making sure that organizations meet all policy requirements.
As a best practice, businesses should carry coverage equaling at least 15% of their annual revenue, or
$1 million minimum. Policies may include first-party coverage for the company’s costs caused by an
incident, and third-party coverage for costs relating to their customers or other parties. Policies may
include sub-limits and exclusions as well. A policy with $1 million in coverage might have a sub-limit
of just $50,000 for ransomware incidents. A policy with an exclusion for social engineering-based
attacks—an exceptionally effective method for attackers today—would leave a business covering its own
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.