Cyber insurance cost is based on historical, current and expected future risk. Underwriters price cyber exposures and set premiums to be more than they expect to pay out in claims.
What Does Cyber Insurance Cost?
What cyber insurance ultimately costs you is based on the price of the risks that are covered in your insurance policy. Cyber insurance underwriters will estimate your risk, price it, and (hopefully for them) charge more in premiums than they pay out in claims.
When underwriting a risk, underwriters will collect historical claims data from you, as well as business operations information, such as formal employee computer and mobile phone policies and procedures, whether you provide training on cyber risk for employees, and the systems you have in place to protect sensitive data (such as anti-virus software, firewalls, backup systems, off-site storage, password policies, etc.).
The problem with pricing cyber liability insurance is that the amount of historical data available to underwriters of cyber policies is relatively small (when compared to other types of insurance that have been around for much longer). Underwriting cyber exposures is more difficult than some other exposures because 1) cyber risks are constantly changing as technology evolves and 2) cyber exposures can occur nearly instantaneously across a widespread geographic area.
A common cyber coverage type involves the breach of personally identifiable information. Well-known examples of third-party breaches are Equifax, Target and Home Depot. Research indicates that a cyber breach can cost over $200 per record breached [1], and NetDiligence reports that the average breach cost was $665K and the median breach cost was $60K. As I write this, Equifax has just reported a record breach of up to 143 million customer records. As reported by Bloomberg, the insurance coverage limits of $100-150 million that Equifax holds may be much less than what they need to adequately address this issue with their customers. However, even a breach with only a few records can be very costly [2]. NetDiligence reports that one event in their dataset of cyber attack costs involved only 1 record, but the breach cost that company between $1.5-2.0M.
SMBs do not have the financial resources that bigger companies may have, which means that they may lack up-to-date security software, IT security infrastructure protection or the manpower to maintain constant vigilance. Because of these potential gaps in security, small businesses are becoming more popular targets for hackers.
According to the most recent Cyber Claims Study by NetDiligence, a cyber risk assessment firm, the average claim payout for a large-company data breach saw a whopping increase from $2.9 million in the 2014 study to $4.8 million today. A report from Kaspersky Lab, an Internet security research group, shows that on average recovering from a cyber security breach costs small businesses $38,000.
However, the reputational risks to small businesses can be worse.