cyber liability insurance cost factors

5 Cyber Liability Insurance Cost Factors You Should Know About

Cyber liability insurance cost is affected by many factors, however, five factors matter more than most. 

The following five factors will determine what your business pays for cyber liability insurance:

  1. Factor 1: Type of cyber liability insurance you buy
  2. Factor 2: Limits of coverage
  3. Factor 3: Type of business you have
  4. Factor 4: Size of your business
  5. Factor 5: Security of your business environment

By knowing these five factors, you can be smarter about buying cyber liability insurance, which can reduce your cost in a data breach or cyber attack by as much as $160,000. 

5 Factors That Affect Cyber Liability Insurance Cost

Seventy five percent (75%) of businesses today are buying some form of cyber liability insurance. 

They are protecting themselves because they recognize that doing business online is a necessity that comes with risks. 

You should be knowledgeable about what factors can affect the cost of your cyber liability insurance. 

The following are the five main factors that affect the cost of cyber liability1

Factor #1: Type of Cyber Liability Insurance You Buy

There are two categories of cyber liability insurance:

  • 1st party coverage: Protects the assets of your business.
  • 3rd party coverage: Protects you against claims by 3rd parties where you are held liable for a cyber related event, such as a cyber breach.

An example of a first party coverage would be coverage for cyber extortion or ransomware. First party cyber insurance would pay the ransom (fiat or cryptocurrency, such as bitcoin) if your computers were locked up and held hostage. 

Another example of first party cyber coverage is business interruption. 

First party cyber liability can also help with forensic data recovery in the event of a hack or malware attack or for funds transfer fraud due to spoofed emails or funds transfer. 

Examples of first (1st) party cyber liability coverages include, but are not limited to:

  • Paying ransom (if hit by ransomware aka “cyber extortion”)
  • Business interruption
  • Funds transfer fraud
  • Malware
  • Phishing attack
  • Cryptojacking
  • Bricking
  • Computer replacement
  • Data restoration
  • Reputational harm/loss
  • Crisis management and PR

An example of third party coverage would be governmental fines, or regulatory penalties related to a breach of sensitive customer data. 

Another example is paying for damages to third parties who suffered because of your data breach or exposed confidential information, such as trade secrets or intellectual property.

Examples of third (3rd) party cyber liability coverages include, but are not limited to: 

  • Data breach
  • Network and information security liability 
  • Multi-media content liability
  • PCI fines and assessments
  • Regulatory defense and penalties
  • Bodily injury and property damage

The broader your first and third party cyber liability coverages are, the more you will pay for your policy.2

Factor #2: Limits of Coverage 

The second factor that affects cost of cyber liability is the amount of coverage you require, or the limits of coverage.

The limits of your policy is the maximum amount of money the insurance company will set aside for claims. 

Claims may include legal defense, settlements, public relations fees, forensic analysis, etc., and usually start at $1,000,000 per occurrence for cyber liability but can reach $50,000,000 of coverage, or higher, for large businesses.

Limits are comprised of primary and aggregate limits, as well as sub-limits. Sub-limits are smaller amounts of coverage that are less than the primary and aggregate limits.

The higher the limits, the more you will pay for your policy. 

Factor #3: Type of Business You Have

The third factor that affects your cost of cyber liability insurance is your type of business.

The type of data your business collects has a lot to do with what you will pay.

There are three types of sensitive consumer data that your business may collect that need to be protected:

  1. Personally identifiable information (PII)
  2. Protected health information (PHI)
  3. Payment card industry data (PCI)

If your business collects these, you are at a higher risk in the event of a cyber breach.

Personally Identifiable Information (PII):

The definition of personally identifiable information varies, in some cases from state to state. However, the National Institute of Standards and Technology (NIST) defines PII as:

"any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

National Institute of Standards and Technology

In the event of a data breach, or even a suspected data breach, cyber liability insurance can help pay for the cost of notifying customers who were affected, as may be required by law in states where your customers reside.

PII is any information that can be used to trace a person’s identity. 

PII also may include email addresses, telephone numbers, account numbers and mailing addresses. If you’re an online retailer, or have a physical store, or have employees, you may be collecting and storing PII.

Indeed, the broad definition of PII creates security and privacy challenges because even suspected data breaches must be reported quickly to authorities.

PHI and PCI are sub-sets of PII, as described below.

Personal Health Information (PHI):

PHI is a sub-set of PII that specifically covers protected health information and patient data… 

PHI covers any and all information gathered to provide health services and must be protected according to the Health Insurance Portability and Accountability Act (HIPAA).

If your business is not health related, but if you provide health insurance and other benefits to your employees, you likely collect and store PHI records in addition to PII.

According to a recent Wall Street Journal article, cyber criminals may be more interested in the personal information (such as social security numbers) than the health data that accompanies it. 

Payment Card Industry Data (PCI):

PCI is payment card industry information and includes information related to credit cards, debit cards or other payment cards. 

This data is governed by the Payment Card Industry Data Security Standard (PCI DSS) and failure to protect user payment data can result in fines or even class action lawsuits.

Even if your business uses a third party, such as Stripe or PayPal, to process payments, you may still have backups of credit card records or customer orders stored somewhere.

If you have a custom billing system, or accept ACH or wire transfer payments, or if you have employees and you provide benefits for those employees, you may have exposure for all three types of these records.

The more types of PII, PHI and PCI data you process and store in the course of your business, the more you can expect to pay for cyber liability insurance.

Factor #4: Size of Your Business

The fourth factor in what you pay for insurance is the size of your business. 

If you have a small business (one with less than $10,000,000 in annual revenue) you will pay less for cyber liability insurance than you would if your business is medium sized or large. 

A large business has more exposure – a broader attack surface (i.e. more employee devices, credit card transactions, more customer interactions, more records, more ways to enter your computer network) – for a cyber criminal to attack. 

Exposure may be measured in sales or revenue or the number of PII records, the number of credit cards you process in a year, or the number of employees you have. 

The larger your business, the greater the risk in an attack, and the more you can expect to pay for cyber liability insurance.

Factor #5: Security of Your Business Environment 

The fifth factor in cyber liability cost is the security of your business environment. 

When evaluating your company for a policy, cyber insurance carriers will often conduct a remote scan of your business. 

This includes your website URL, email accounts, IP address and other publicly available information. 

Remote scans can evaluate website security, look for open ports and malware, scan for publicly available company email addresses, server configuration problems and for company information on the dark web. 

The following are good security practices to have in place:

  • Policy for two individuals to sign checks
  • Using a firewall
  • Use valid HTTPS encryption certificates for your website and use SSL if you process payments online
  • Regularly educate your staff on phishing techniques
  • Encrypt all digital files in storage and transmission
  • Require the use of two factor authentication for all business accounts 

Collecting credit cards or storing or processing protected health information, or both, means your business has obligations to comply with 3rd party PCI Security Standards (PCI DSS) and HIPAA, respectively, in your state. 

PCI has 12 compliance requirements that mirror best security practices that should be present in any organization managing sensitive data.

Basically, the more secure your environment, the less you can expect to pay for cyber liability insurance.

Summary

By understanding the factors above, you can get a better handle on what you may pay for cyber liability insurance.

Your business has cyber exposure if it has a website, if you use email, provide health benefits to your employees, store data electronically, use software or take online payments…

Even if you have a good security system to protect your business, remember that employees are the weakest link. 

Most cyber attacks on business involve some sort of employee error or phishing attempt. 

As mentioned above, having cyber liability insurance can reduce the cost of a data breach by as much as $160,0003

cost of data breach factors 2019 ponemon ibm report cyber insurance

These five factors impact cyber liability insurance cost more than most. 

If you have questions about cyber liability insurance for your business, schedule an appointment with me or give me a call at 203-200-0445.

Footnotes

  1. Other cost factors include the number of claims you have had, the state your business is located in, the age of your business and the reason you want cyber liability insurance (such as is it required by contract with a 3rd party), but these are the five listed above are the major ones that will affect what your company pays.
  2. A standalone cyber liability insurance policy will usually be broader and provide better coverage than "add on" cyber liability. "Add on" cyber is a term for some limited cyber coverage that is added on to another policy, such as errors and omissions (aka "E&O" or professional liability). If you are unsure what type of cyber liability insurance you have, read your policy carefully, or schedule an appointment with me.
  3. According to IBM Security and Ponemon Institute's 2019 Cost of a Data Breach Report.
.

Insurance Checklist for Solar Contractors 3D cover iPad

Free Download

Contractor's Energy Savings Insurance Project Checklist


Solar Developer Insurance

NATIONWIDE SOLAR INSURANCE AD-01-Rob Freeman

Passive House Guard

Passive House Guard Insurance