Cyber security and cyber security insurance are hot topics right now, particularly with the recent headlines on ransomware attacks. Of course, everybody knows about phishing emails and the number of times social media accounts are getting hacked. You may be asking yourself, is my company big enough to be the target of a ransomware attack? And should I worry about cyber security insurance?
As with many business decisions, there is no single answer. The decision to invest in cyber security insurance is really a cost-benefit analysis that you must make as a company. First, it can be beneficial to understand one of the most common cyber attacks: ransomware.
What is a Ransomware Attack?
Ransomware is an example of malware, or malicious software, that employs encryption to hold a victim’s information at ransom. The malware can enter your system in a variety of ways. It can exploit a vulnerability in Remote Desktop Protocol, which is the most common way that hackers get onto your network. Alternatively, it may have found its way into your network via a phishing email, which means somebody clicked on a link in an email from an untrusted source.
If you are the target of a ransomware attack, chances are that you’re not going to be able to recover that data unless you pay the ransom. Not paying the ransom carries a high risk because the attackers have multiple ways to hold you hostage. Not only can they restrict your access to data and interrupt your operations, but they could also leak the data, leading to privacy concerns, or sell your intellectual property to someone else.
It is also possible to pay the ransom and still not get your data back. Fortunately, current metrics show that a little over 80% of people who pay the ransom actually do get their data back. So at least we have trustworthy criminals. 🤷
Now, back to cyber security insurance. Again, it depends on how much you can invest in your own protection versus how much you want to pay to protect yourself. The average cyber security insurance policy pays 60% of the ransom. How much is this ransom? The average payout from mid-size organizations was $812,000 in 2021, up from $170,000 in 2020. You read that right.
How Does Cyber Security Insurance Work?
So how exactly does cyber security insurance work? Simply put, you undergo a risk assessment by filling out a checklist, the insurance provider deems you eligible, you sign a contract with the provider, and now you have cyber security insurance.
However, unexpected vulnerabilities may come to light during this process. You may have to replace all the company computers or upgrade all of the software being used. Sometimes the insurance can defer those costs. You can work out the specifics of what is covered with the insurance provider.
Cyber Security Insurance: High Demand, Low Supply
One of the interesting aspects of cyber security insurance is that providers will have a checklist. Because demand for cyber security insurance is so high right now, there’s actually a low supply.
If you don’t get cyber security insurance from AXA or AIG (larger cyber security insurance solutions companies), you’re probably just buying from a reseller of their cyber security insurance and paying more.
Because the supply is so low, insurers often have a checklist of qualification items they look for in a company before accepting the risk of insuring it. The checklist contains things such as:
- Does the company enforce multi-factor authentication?
- Is the company willing to back up their data?
- Is the company willing to fix current vulnerabilities?
If certain stipulations cannot be met, the insurance provider may not be willing to insure that company. It’s not unlike being a driver. If you have a poor driving record, it could be hard to find insurance. If you’re less trustworthy, if you have higher risk, your insurance will cost more, or you might not be able to find insurance at all.
Evaluate Your Risks
So, do you need cyber security insurance? You will have to consider your business’s risk tolerance and the cost-benefit that cyber security insurance can offer you.
Do you have a data backup?
If you have a data backup, a ransomware attack might not be a big deal to your company. If your data isn’t sensitive, you can simply restore everything and not worry about paying the ransom. You’ve got your data because you have a historical copy, and you can focus your efforts on fixing the vulnerability that led to the intrusion into your network in the first place.
Do you have the expertise to deal with cyber security?
If you have a lot of vulnerabilities and a lot of IT resources, it means that your attack surface is large. The larger your attack surface is, the harder it is to defend yourself, because you have a lot of things touching the internet. The more things you have touching the internet, the higher the likelihood that you’ll be exploited.
If you’re not a big company, the prospect of paying a chief technology officer (CTO) or a chief information systems officer $150,000 or more a year to make sure that you are secure probably doesn’t sound great. So cyber security insurance could be a more attractive option.
Do you have the financial means to pay a ransom?
Despite all the actions you can take to prevent an attack, you need to consider: Will paying a ransom seriously derail or even bankrupt your company?
If you can afford an expert cyber security team and you have a good cyber hygiene policy, that probably also means that you have enough revenue and enough assets that you don’t necessarily need cyber security insurance, but your risk is also lower.
Now, if you’re a smaller company that can’t afford all of those things, then it’s probably a great idea to have cyber security insurance. It is also likely that your premiums won’t be as high and your attack rate is lower as a smaller company. The cyber security insurance company will give you a checklist of cyber security hygiene you have to complete to be eligible for the insurance. That checklist will reduce your risk because the cyber security insurance company also wants to reduce its risk of insuring you. So, the smaller the company you are, the better it looks.
Conclusion: A Cost-Benefit Analysis
Cyber security insurance probably fits your needs if you are a small to medium business and you don’t have a lot of professionals on your staff, or you have IT network administrators who may not be trained cyber security experts. If you don’t have the skills and the expertise, with cyber security insurance you’ll get a feeling of protection, and you’ll get a checklist of things to make sure that your hygiene is as good as possible. In the event that you end up needing help to pay a ransom, you get up to 60% coverage from your cyber security insurance depending on your plan.
This decision requires a cost-benefit analysis. If you have the right expertise, insurance might not be the right fit, because you can give yourself some protection with backups and good cyber hygiene. If you don’t have the expertise, it’s probably worth pulling the trigger.
Code of Entry Can Help
We know the fast pace of technology can be overwhelming, especially when you have a business to run. That is why Code Of Entry is here to help. Whether you need technical advice or are interested in letting us help you secure your network, business assets, and intellectual property, we can meet you wherever you need us.