What Is Cyber Insurance and How Does It Impact Cybercrime?

Alex Popa

By Alex Popa . 5 August 2024

Cybersecurity Journalist

Miklos Zoltan

Fact-Checked this

With cybercrime becoming more common than ever before, businesses are turning toward cyber insurance to take away some of the risks associated with conducting business online.

Cyber insurance or cybersecurity insurance provides a robust protection again online security threats and data breaches.

Here’s a summary of the benefits of cyber insurance:

  • They protect against cyber risks by offering timely assistance in mitigating cyberattacks
  • They provide network-wide security coverage against any cyber threats, including cyber terrorism
  • They cover financial damage occurring because of cyberattacks, including fees for investigations, legal responsibilities, credit monitoring services, and more
  • They provide compensation for business interruption or loss of revenue in the case of a cyberattack
  • They offer legal assistance in the aftermath of a cyberattack, paying for legal counsel and any lawsuits that appear because of privacy violations or data breaches
  • They guarantee the financial stability of a business even in the event of severe cyberattacks
  • They improve the reputation of a business by highlighting their dedication to protecting client data

While cyber insurance does not replace cybersecurity good practices, it brings peace of mind and mitigates much of the aftermath of a successful cyberattack.

According to Embroker, over 70% of businesses were attacked with ransomware variants.

In 2016, a business was attacked by a ransomware every 40 seconds. This has turned to 11 seconds in 2021, according to a report by Cybersecurity Ventures. It’s a 72.5% increase in ransomware occurrence.

In the first quarter of 2023, there were 831 victims of ransomware, which is a higher victim count compared to Q1 2022 (763 victims).

There’s also been a noticeable surge in the global cyber insurance market size from 2018 to 2021, as shown by Statista:

  • 2018 – $4.7 billion market size
  • 2021 – $9.2 billion market size
  • *2025 – $22.1 billion market size (prediction)

Clearly, businesses have started to realize the importance of preemptive protection!

What Does Cyber Insurance Cover?

Image of an umbrella in cyberspace

Cyber insurance comes in many forms, just like auto or home insurance. There are different policies, services, and coverage depending on which insurance you get.

Here’s a summary of what most cyber insurances will cover:

  • Customer notifications in the event of a data breach. In the EU, the GDPR requires all businesses to notify their customers about a data breach, while the US is a bit more complicated with different data privacy laws (HIPAA, GLBA, FISMA, etc.) These notifications are costly, and a cyber insurance will shoulder the costs
  • Data breach expenses. If a data breach occurs and personal data is stolen, there’s bound to be financial damage involved. The insurance will cover this, offer legal assistance, and more
  • Personal identity restoration. When the customers of a business lose their personal identities through a data breach, the insurance will help restore them
  • Ransomware demands. In the event of a ransomware demanding a fee, the cyber insurance covers the costs of such demands if the company decides to pay it
  • System repairs. Following a cyberattack, it’s likely that computer systems have been damaged. The insurance covers the cost of repairing these systems
  • Data recovery. The insurance can pay for any costs associated with recovering the data lost during a cyberattack
  • Cyberattack mitigation. The insurance can shoulder the costs of cyber-forensic experts that will assess the damage, mitigate the damage, and recover the lost data
  • Legal fees. Following a cyberattack, a company may be found guilty of violating privacy regulations and policies, incurring various legal fees. The insurance can pay these fees and offer legal assistance
  • Business interruption and loss of revenue. Cyberattacks often leave businesses crippled, leading to a loss of revenue and the interruption of business operations. Insurances can provide credit monitoring services and financial assistance for responding efficiently to a data breach

That’s not all, though. Cyber insurances offer coverage for a wide number of cyberattacks, including:

  • Data breaches
  • DDoS attacks
  • Computer fraud
  • Cyber extortion
  • Network security liabilities
  • Zero-day exploits
  • Doxing

A robust cyber insurance can make the difference between near-bankruptcy and just another easily-avoidable crisis.

Small and large-scale businesses alike will benefit significantly by acquiring a cybersecurity insurance to protect against the increasing risk of cybercrime.

No defense is ever impregnable, and this applies to cybersecurity too. Whether through social engineering, security faults, or zero-day exploits, every business will fall prey to cyberattacks at one point.

That’s the idea with cyber insurance – when you do get attacked, you’ll have a fallback protection plan to mitigate the damage inflicted by criminals.

What Isn’t Covered by Cyber Insurance?

Image of an umbrella on a circuit board

Knowing what isn’t covered by your insurance can better prepare you for unforeseen events.

Here’s what a cyber insurance doesn’t cover most of the time;

  • Human error: most cyber insurances won’t offer coverage in the case of attacks caused by your employees
  • Prior data breaches: cyber insurances don’t offer coverage for data breaches that occurred before purchasing the insurance
  • Poor security: if the cyberattack is caused by the business’ poor security system, the insurance will become void
  • Insider attacks: if one of your employees steals data from the company (insider attack), the insurance won’t cover your losses
  • Preexisting vulnerabilities: any data breaches caused by a previously-known vulnerability will turn the cyber insurance void, even if the data breach takes place after getting the insurance
  • Infrastructure damage not caused by cyberattacks: the cyber insurance will not cover any failure of infrastructure that wasn’t caused by a cyberattack, even if the damage is technological in nature

Essentially, a business has to prove that they’re acting in good faith to benefit from cyber insurance coverage.

This could mean having a good cybersecurity system, actively trying to prevent cyberattacks, and implementing employee cyber-awareness.

Tips for Choosing an Adequate Cyber Insurance Policy

Image of cyberspace

Cybersecurity insurances differ based on their coverage, pricing, and the scale of the protection offered.

This last aspect is dependent on the insured entity’s organization size, annual revenue, industry, and extent/type of coverage required.

Depending on these factors, cyber insurance premiums can range from $500 to $5,000 per year.

Here are a few tips you should consider when choosing a cyber insurance:

  • Submit to a security audit or offer documentation after assessing your business with an approved assessment tool. Insurance companies will need to see that your business meets their requirements
  • Find out what costs you will shoulder in the case of a data breach and what the insurance covers
  • Find out if the insurance covers cyber extortion and ransomware costs
  • Learn if the insurance offers legal assistance, privacy liability coverage, and litigation in the case of a breach of confidential personal data
  • Understand the cybersecurity risks that your business is facing so that you can select a specialized cyber insurance coverage
  • Consider your risk tolerance and understand what you need and don’t need from your cyber insurance
  • Look at how much it costs per month in premiums and deductibles

It’s important to know that not all cyber insurances are a fit for your business. Pay attention to how they’ll assess your cybersecurity risks.

Questionnaires are extremely inefficient because often, the person answering the questions doesn’t have enough knowledge to comment on complex cybersecurity topics.

Instead, the insurance company should have an expert perform on-site analytics and gather telemetry data to understand how your organization operates online. They should consider your current cybersecurity systems and account for possible data leaks or vulnerabilities.

Impact of Cyber Insurance on Cybercrime

Image of a shield in cyberspace

In this section, I’ll show you two sets of data from Statista:

  • Share of global ransomware incidents in 2021 where the costs were covered by cyber insurance, by industry
  • Share of global ransomware incidents in 2019-2021 where the costs were covered by cyber insurance, by type of payout

These stats will reveal the significance of implementing a cyber insurance on your business, and how it can help you mitigate cyber threats.

1. Global Ransomware Incidents Paid by Cyber Insurance in 2021, by Industry

Industry Insurance Paid Out Insurance Paid Clean-up Costs Insurance Paid the Ransom Insurance Paid the other Costs
Average 98% 77% 40% 27%
Higher Education 100% 87% 36% 20%
Distribution and Transport 100% 83% 45% 29%
Business and Professional Services 99% 78% 40% 23%
Media, Leisure, Entertainment 99% 82% 40% 27%
Central/Federal Government 99% 74% 46% 29%
Lower Education 99% 58% 53% 27%
Construction and Property 98% 78% 36% 23%
Retail 98% 82% 35% 29%
Healthcare 97% 81% 47% 26%
IT, Technology, and Telecoms 97% 76% 37% 28%
Manufacturing and Production 97% 75% 30% 34%
Energy, Oil/Gas, and Utilities 96% 77% 44% 23%

The clean-up costs consist of expenses necessary to restore functionality and operations to the organization.

The “other costs” refer to the cost of downtime, lost opportunities, and other expenses suffered because of a cyberattack.

As you can see, in most industries, insurance companies paid over 72% of organizations the clean-up costs required to get back up and running.

Less than half of the organizations across most industries (except Lower Education) got their ransoms paid out by the insurance company.

And less than 30% of organizations across all industries got “other costs” paid out by the insurance company.

2. Global Ransomware Incidents Paid by Cyber Insurance in 2021, By Type of Payout

Year Insurance Paid Out Insurance Paid Clean-up Costs Insurance Paid the Ransom
2019 95% 67.5% 44%
2021 98% 77% 40%

This survey was conducted in September 2022 and had 5,600 respondents from 31 countries participate.

There’s a noticeable increase in payments made by the insurance company, including clean-up costs from 2019 to 2021.

However, there was a decrease of 4% in the number of cases that insurance companies paid the ransoms to clients.

Judging by this statistic, it seems that insurance companies recognize the negative impact of paying ransoms to criminals.

It’s true that paying the ransom only emboldens criminals to keep launching attacks because they make a profit out of it.

Who Should Get a Cyber Insurance?

Image of a lock on a circuit board

The first question asked by many entrepreneurs is “Do I need a cyber insurance?”, and it’s one that deserves a detailed answer.

First of all, all companies and businesses have a legal responsibility to safeguard their customers’ personal data.

This information is often sensitive, like Social Security Numbers, credit card information, names, addresses, health data, and so on.

The question is “what are the lengths you should go to in order to protect that data?”, and the answer is “anything and everything”.

Neither your client nor the law care about how you protect the data as long as it stays protected. If there is a data breach, it means you haven’t done enough to protect it.

This is where cyber insurance comes to your help. It assumes that your business will be attacked by cybercriminals and you will end up using customer data, which will incur hefty legal fees, operational recovery expenses, and so on.

Here’s a list of businesses that will benefit from cyber insurance:

  • Startups and Tech Companies – These companies are heavily digitized and deal with a lot of sensitive customer data that they store on their digital infrastructure. Hence, they’re exceptionally vulnerable to cyberattacks, which lead to severe financial and reputational damages
  • Financial Institutions – Companies like banks and insurance companies deal with highly-sensitive data, financial transactions, and so on. Cybercriminals prioritize these types of companies with ransomware attacks, identity theft attacks, and unauthorized transactions
  • Professional Service Companies – Companies like law firms, dentistry businesses, accounting firms, all deal with sensitive user data and/or intellectual property. Cyberattacks will often try to steal this data, causing a data breach that will cost these companies a lot of money
  • Healthcare Providers – Health data is classified as sensitive data, and it’s very attractive to cybercriminals. Health records and personal information are valuable commodities on the Dark Web, so hospitals, private clinics, and healthcare providers should expect more cyberattacks than usual
  • Small and Medium-Sized Businesses – It’s a mistake to believe that small-scale businesses are less targeted by cybercriminals. It’s quite the opposite, in fact. Small businesses don’t have as many financial or operational resources to allocate to cybersecurity, so they’re more vulnerable to attacks

Already, we can see that the Financial, Health, and Legal industries are included in this list. It’s not a coincidence that these industries are the most targeted by cybercriminals due to the high-value data stored on their servers.

Is Cyber Insurance Worth It?

Image of a man holding an umbrella in an office overlooking the cyberspace

In our analysis, cyber insurance is more than worth the costs of the monthly (or yearly) premiums paid. Just like how a home or auto insurance are also worth their costs in the long-term.

The reason for this is the impossibility of implementing impenetrable cybersecurity protection. There’s no airtight security system that can’t be broken.

Even the CIA has data leaks. Just look at the Vault 7” debacle, which has been calledone of the most brazen and damaging acts of espionage in American history” by prosecutors.

If you’re a financial institution and you don’t have cyber insurance, here’s what could happen:

  • You get hacked and lose sensitive user data, resulting in unauthorized transactions and fraud
  • You get sued by several customers and lose the court trial
  • You’ll have to pay legal fees and reimburse your customers for the stolen funds
  • You may be penalized by the Data Privacy laws in your country and you’ll end up paying a fine

All of this can cripple your business, leading to unexpected substantial losses, damaging your reputation, and impacting your financial stability and operational status.

Having cyber insurance can provide significant financial protection, acting as a safety net in case of a data breach.

When disaster strikes and your company is overwhelmed with fees and expenses, the insurance company will be there to support you.

It’s even more important to consider cyber insurance with the emergence of cybercrime-as-a-service!

Sources

Embroker2023 Must-Know Cyber Attacks Statistics and Trends
CyberintRansomware Trends Q3 2023 Report
StatistaGlobal Cyber Insurance Market Size in 2018 and 2020, with Forecast for 2025
FortinetWhat Is Cyber Insurance? Policies, Services, and Coverage
Privacy AffairsGDPR Fines Tracker & Statistics
Privacy Affairs Cybersecurity Deep Dive: Everything About DDoS Attacks
PrivacyAffairsThe Art of Cyber Deception: Social Engineering in Cybersecurity
ProWritersWhat Does Cyber Insurance Not Cover?
TechTargetCyber Insurance
StatistaShare of Ransomware Incidents Where Cyber Insurance Covered the Losses Worldwide in 2021, by Industry
StatistaShare of Ransomware Incidents Where Cyber Insurance Covered the Losses Worldwide in 2019 and 2021, by Type of Payout
EmbrokerCyber Liability Insurance
ForbesFormer CIA Staffer Convicted for Massive Data Breach to WikiLeaks
Justive.GovStatement of U.S. Attorney Damian Willians on the Espionage Conviction of Ex-CIA Programmer Joshua Adam Schulte
Privacy AffairsCybersecurity Deep Dive: What Is Cybercrime-as-a-Service?

Leave a Comment