Cyber insurance: Is it worth the investment?

While cyber liability insurance policies are complex and proving claims can be daunting, CIOs in the midmarket space agree access to resources provided in the policies make the investment worthwhile.

Last year, Aon Inpoint reported about 80 percent of buyers of stand-alone cyber premiums were medium-sized to large companies. However, smaller firms are increasingly assessing their cyber exposure risk as concerns about the potential impact of a cyber incident continue to rise.

“The majority of breaches worldwide occur at companies with 1,000 employees or less because they’re low-hanging fruit for hackers,” explained Ed McGuire, director of specialty insurance at FBinsure. “These companies have minimal IT staff and moderate budgets.”

Prior to this month’s long-anticipated GDPR laws going into effect, the healthcare, financial, and retail industries have been the most frequent targets for highly publicized cyber attacks. Nearly a third of global breaches occur in the healthcare field because patient data is so valuable, and fines for failing to disclose a known breach can climb well into the millions.

Aon Inpoint estimates that non-PII industry segments such as manufacturing and energy will see some growth in cyber premium purchases as they begin to better understand their exposure to a cyber event and the impact it could have on operations.

When you have insurance — what happens when a cyber attack occurs?

Only a few months before they were hit with a crippling malware attack in early 2013, Dead River Company, a Maine-based fuel oil and propane provider, enrolled in a cyber insurance policy. Even though the coverage was incomplete and included only specific categories of expense, Dave Widener, director of IT and project management, said he was glad the policy was in place.

“It created structure for us during a time when pandemonium and panic were ruling the day,” he recalled. “It did cover approximately half of our expense outlays for remediation, and the access to world-class cybersecurity resources and tools as part of the coverage also made remediation and network recertification much easier.”

Those resources could include a breach coach, typically an attorney well-versed in privacy laws that are subject to vary across state lines in the U.S.

McGuire explained that with companies outsourcing the servicing of their massive amounts of data that’s become too cumbersome to manage internally, they have to know their vendors are protecting that valuable information. State laws dictate that the onus falls on the owner of the actual data, not necessarily the party that allowed the breach to occur.

“Insurance is the back stop when a company is facing financial litigation,” he explained. “It could be when a system failure occurs, not necessarily a cyber attack, that results in lost income and expenses to rebuild destroyed data assets.”

Addressing the vulnerabilities

As nearly all CIOs can attest, the weakest link for any employer is its employees.

McGuire said on average, more than 12,000 mobile devices are left behind at airports across the U.S. each day, so the increasingly mobile workforce makes organizations even more susceptible to a data breach. Companies, especially in the midmarket, can no longer risk the reputational damage of a public, large scale data breach.

He pointed to wardriving, the act of locating open Wi-Fi hotspots like those often available at coffee shops, as a common practice among cyber criminals easily carried out with software available for purchase on the dark web.

Swisher International CIO Eric Tewey called the cyber insurance enrollment process daunting, noting that if assessments and declarations are not 100 percent accurate, providers may opt to deny a claim.

But Harrison Lewis, CIO at Northgate Markets based in Anaheim, California, said, “We have leveraged many of the services provided in the cyber insurance policy, including data breach incident response planning and tabletops."

He believes his experience with the cyber insurance over the past four years still justifies the investment — despite never having had to file a claim.

NEW! Download the Fall 2018 digital issue of CIO