Cyber insurance, also called cyber liability insurance or cybersecurity insurance, covers financial losses that companies have as a result of ransomware attacks, data breaches and other cyber incidents.
In the same way that car insurance pays for vehicle damage and bodily harm in the event of an accident, cyber insurance policies pay for damaged computer systems, lost revenue, legal expenses and other cyberattack costs.
Security breaches are growing more common and more costly. According to IBM’s Cost of a Data Breach report, 83% of organizations have had more than one data breach, and the average breach costs USD 4.35 million. Cyber insurance can lessen the financial impact of these breaches, making it an important part of risk management for businesses today.
Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.
Register for the X-Force Threat Intelligence Index
Any company that stores customer information or relies on technology, which includes most businesses, faces cyber risks. Security teams can take steps to mitigate cyber threats, but they cannot prevent them entirely. According to the Travelers Risk Index (link resides outside ibm.com), 57% of business leaders think cyberattacks are inevitable.
Standard business insurance products, like general liability coverage and errors and omissions policies, typically don’t cover losses from cyber events, leaving companies vulnerable for the full cost of ransomware attacks, business email compromise scams, and other cybercrimes. These attacks can have a heavy financial toll. For example, the average ransomware attack costs USD 4.54 million, not including ransom payments.
Cyber insurance policies arose to close this coverage gap. By covering ransom payments, malware remediation and other costs, cyber policies can help companies limit their damage, recover more quickly and raise their overall level of cyber resilience.
Cyber insurance coverage can vary based on what the business needs, the types of data the business stores and the business’s industry. Many cyber policies offer options for first-party and third-party coverage. First-party coverage pays for the business’s direct losses, like the costs of recovering data and restoring systems. Third-party coverage pays for damage suffered by parties outside the business, like consumers who had their data stolen.
When it comes to specific losses, many cyber policies pay for things like:
If a company loses revenue because a cyberattack takes computer systems offline, cyber policies may cover some or all of those losses.
Insurance may pay for incident response, system repairs, forensic investigations and other services needed after a cyber event.
Cyber policies may help pay for litigation arising from a cyberattack, such as lawsuits filed by customers. Some insurance companies may supply legal representation for the insured company.
When hackers steal personally identifiable information (PII) or other sensitive information like credit card or social security numbers, cyber policies can help cover the costs of notifying customers and providing services like credit monitoring.
Cyberattacks may lead to regulatory investigations, especially in highly regulated fields like healthcare and financial services. Cyber policies may cover the costs of complying with these audits, including any fines the company must pay.
A company may need to hire a public relations firm or take other steps to repair its brand following an attack. Some cyber policies will help defray these costs.
Many cyber policies cover ransomware payments, but some insurance providers are ending or limiting this coverage because of the high costs of ransoms.
While cyber policies can cover a lot, there are some incidents they won’t pay for. These are called exclusions. Common exclusions include:
A company can have its data stolen or services disrupted when vendors and other partners are breached. Cyber insurance doesn’t always pay for these losses, but some insurers offer third-party breach coverage for an added cost.
Because social engineering attacks like phishing manipulate people into compromising cybersecurity from the inside, cyber policies don’t always cover these losses. However, social engineering coverage is often available at an additional cost.
Losses caused by insider threats like malicious or negligent employees are rarely covered.
Many cyber policies consider these attacks acts of war and will not cover them.
If hackers exploit a flaw the company knew about but didn’t fix, many cyber policies will deny the claim.
Most plans do not cover outages caused by misconfigurations and other internal errors.
While demand for cyber insurance is high, rising cyber insurance costs are making it hard for companies—especially small businesses—to find coverage. According to Marsh McLennan (link resides outside ibm.com), cyber insurance prices rose by 110% in the first quarter of 2022.
According to 451 Research (link resides outside ibm.com), cyber insurance may contribute to increasing ransomware attacks. As more businesses buy cyber policies, they become more comfortable paying ransoms because insurance will cover them. Hackers, in turn, feel encouraged to keep asking for ransoms. One new strain of ransomware, HardBit (link resides outside ibm.com), even asks victims to share the details of their cyber policies so the hackers can calculate a ransom the policy will cover.
Price turbulence is also fueled by the fact that cyber insurance is relatively new compared to other insurance products. Insurers have limited historical data on cyberattack costs, which makes it difficult to create accurate risk models and set stable prices.
As insurance companies see their losses climb, they respond by raising premiums and limiting coverage. Insurer AXA has stopped covering ransomware payments (link resides outside ibm.com) for policies issued in France. Lloyd’s of London (link resides outside ibm.com) will no longer cover state-sponsored cyberattacks, another source of major losses.
Insurers are also setting stricter network security requirements for insured companies. Some underwriters won’t even offer an insurance quote unless a company has multi-factor authentication, data encryption, zero trust or similar policies in place. Some insurance companies are taking on a more consultative role, giving policyholders and business owners access to security tools and service providers to help them improve security posture. Some experts predict that cyber insurers may become key figures in enforcing standards like the NIST Cybersecurity Framework, as companies that follow these standards will be less costly to insure.
Protect enterprise data across multiple environments, meet privacy regulations and simplify operational complexity.
IBM Security® provides enterprise cybersecurity solutions to help you thrive in the face of uncertainty.
The annual Cost of a Data Breach Report, featuring research by Ponemon Institute, offers insights gained from 550 real breaches.
Cyber resilience is an organization's ability to prevent, withstand and recover from cybersecurity incidents.
Data security is the practice of protecting digital information from unauthorized access, corruption or theft throughout its entire lifecycle.