The missing piece

Companies that invest only in technology and staff training, writes Kirsten Bay, lack a crucial piece of the cybersecurity puzzle: insurance

Imagine it: you’ve finally bought the car of your dreams, complete with every bell and whistle the dealer offered, and are convinced you’re driving the safest, most high-tech thing on the road. And since you have an immaculate driving record, you felt comfortable increasing the deductible or narrowing the coverage on your auto insurance. Then you drive off the lot and – WHAM! – you’re T-boned by a distracted driver and your expensive new toy is totaled in an instant.

This is essentially what growing businesses do when they leverage new digital technologies to improve results but don’t buy cyber insurance – a common trend these days. In our modern, connected society we cannot assume technology will prevent 100% of the threats facing our digital infrastructure. Businessowners must start thinking about their company’s network like they do a shiny new car and protect their investment with insurance.

Modern vehicles come with myriad technologies to keep us safer than ever before. Adaptive cruise control, lane departure assist and automatic emergency braking reduce risks behind the wheel, and teen driver alerts and stolen vehicle tracking software remotely warn us of risks to loved ones or the car itself. Drivers must also be licensed and are expected to follow applicable traffic laws.

Only 2 U.S. states do not require car insurance, and while not every state that does mandates you buy collision or comprehensive coverage, personal injury protection or uninsured/underinsured motorist coverage, many drivers do because they recognize that unforeseen events beyond their control can impact their well-being, and that to be truly protected they need technology, governance AND insurance.

Unfortunately, many businessowners haven’t yet come to this same realization about their network – despite the more direct, calculated threat – instead focusing almost exclusively on technology when designing a cyber risk strategy. In a recent survey, 67% of respondents said they plan to spend more on cybersecurity technology and mitigation in the next three years, 53% will spend more on staff training and 40% will spend more on cyber event planning and preparation. Only 34% plan to spend more on cyber insurance.

Despite this continuing trend, the cybercrime industry generated $1.5 trillion in profits in 2018, which would rank it 13th in GDP if it were a country, and cyberattacks are projected to cause $6 trillion in damages by 2021. Clearly technology and governance are not adequately addressing this issue on their own, and for growing businesses who may lack the resources to buy advanced software or expensive IT talent, the risk is heightened.

These businesses must begin considering cyber insurance and strive to achieve what Cysurance refers to as the Cyber Risk Management Trifecta. Robust cybersecurity technology and corporate policies to raise awareness and address responsibilities are critical pieces of the Trifecta, but a broad, standalone cyber insurance policy is overlooked by 91% of small businesses.

In some cases, this is due to the misconception that cyber exposures are covered in traditional insurance policies such as a property or general liability policy, when in fact these products are increasingly excluding or significantly limiting coverage for cyber risk. In others, businessowners may not understand what truly drives a cyber loss. While they fear ransomware payments, damaged servers, or legal costs after an event, business interruption and incident response costs are typically more volatile and far greater.

Cyber insurance can reimburse insureds for ransom payments and new hardware, but more importantly it covers business interruption costs resulting from downtime after a breach. It also covers forensic firms to determine the type of breach and what systems were compromised, public relations firms to manage reputational damage and call centers and credit monitoring services to notify and protect affected stakeholders.

As cyber risks evolve, states are also passing more rigorous privacy laws. The California Consumer Privacy Act, which went into effect on January 1, 2020, allows for fines up to $750 per customer, per data breach – even if no actual loss is suffered. As a result, many supplier contracts now include cyber insurance mandates to protect against vendor negligence in protecting consumer data, furthering providers’ need for broad cyber insurance.

Today, companies understand the need for firewalls and employee training to manage cyber exposures. However, as new threats develop and with employee error remaining a leading risk, businessowners must apply the lessons of the auto industry and purchase cyber insurance, because just like the best technology and a clean driving record don’t guarantee protection from a drunk driver, cybersecurity and training can’t prevent all cyberattacks.

Kirsten Bay is CEO and co-founder of Cysurance, which protects growing businesses with affordable cyber insurance. She has more than 25 years of experience in risk intelligence, helping to develop next-generation analytics and attack detection technologies.
