The soaring costs of recovering from a security incident or data breach are driving interest in cyber insurance.
While cyber insurance is typically viewed as a product mainly for large organizations seeking coverage and protection against state-sponsored attackers, criminals, and politically motivated hackers, it is also valuable to small and midsized companies and independent contractors.
Regardless of size, a cyber insurance policy can cover the costs of a ransomware attack or a business email compromise, business losses stemming from an outage resulting from the breach, and expenses incurred in rebuilding compromised systems.
While the Federal Trade Commission and the National Association of Insurance Commissioners have issued guidance suggesting small businesses consider cyber insurance as a means of resilience against cyberattacks, the fact remains that classic cyber insurance is expensive.
It is often too difficult for small businesses to qualify for those policies.
To address this situation, companies are increasingly rolling out new products for work-from-home employees, SMBs, and micro companies with 50 or fewer employees.
Earlier this year, Internet of Things platform provider Pepper partnered with Embedded Insurance to offer policies covering IoT networks and mobile devices.
eSure.Ai only covers traditional end-point products, such as computers and laptops, and does not include mobile devices.
In order to ensure potential customers have adequate security controls in place to qualify for a policy, eSure.Ai requires that applicants go through a managed services provider - the product itself is sold through the MSP channel.
It is unreasonable to expect this group to have the security wherewithal and resources to install and maintain the necessary security controls, says Chase Norlin, CEO of Transmosis and president of eSure.Ai.
Last year, Transmosis launched a program to cover SMBs for losses they may incur from a cyberattack, but since that program's contracts are not underwritten by an insurance company, it is not an actual insurance policy.
Rather, it is more like a financial liability protection program or a contractual indemnity, where the company selling the protection is on the hook for any losses the policy holder suffers up to the value of the coverage.
One of the challenges SMBs could face when considering cyber insurance-type offerings from companies that are neither insurance brokers nor carriers is distinguishing between actual insurance and the warranty/guarantee model.
As not all warranties and guarantees are the same, those who opt for this model need to determine what coverage is offered and compare the warranty coverages to traditional cyber insurance.
Organizations that are supply-chain feeders to larger companies could be targets of cyber criminals, so those companies need to consider the risks.
Micro companies, such as law firms, accountants, healthcare offices and clinics, private equity firms, and other financial services companies that have few employees but are big targets for attackers, should also be looking closely at cyber insurance policies.
Most mom-and-pop companies likely would not require the same type of business insurance, Herdberg notes, since their risk profile might not justify the cost of cyber insurance.
A full cyber insurance policy is generally more expensive and provides far more coverage than most individuals will ever need, save for the high-net-worth prospects, says Jeffrey Brown, CISO for the State of Connecticut, a member of the Board of Advisors to Cowbell Insurance, and the former head of information security, risk, and compliance at AIG. While having cyber insurance can be useful, becoming better educated on how you can protect yourself is a better first step, Brown says, noting that training and awareness webinars can help individuals become savvier on cyber issues.
It's in everyone's best interest, the buyer and the seller on insurance, when nothing happens.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 08 Dec 2023 21:25:05 +0000