Cyber Crime Costs are Increasing
As the scope and sophistication of cyber threats evolve, organizations of all sizes struggle to keep up. Cyber-attacks are becoming more sophisticated, with potentially severe financial consequences. Data breaches alone cost U.S. companies an average of $8.64 million in 2020, an increase from $7.91 million in 2018. On average, it takes 280 days to identify a breach. American firms also pay an average of $1.76 million in post-data breach response activities – the highest cyber-crime figure in the world.1
While cyber threats facing middle-market businesses are multifaceted–web-based attacks, ransomware, malware, compromised devices, phishing, and distributed denial of service (DDoS) attacks –all have the potential to cripple an organization. Consumer data breaches receive the lion’s share of media attention and have the potential to disrupt organizations by causing substantial financial and reputational damage. Cyber attacks can have massive implications causing business interruption and threaten the company’s ability to keep the business up and running.
System disruptions from cyber-attacks can represent a substantial financial loss, even for companies that have invested heavily in proactive defenses and their cyber risk technology infrastructure. Those most potentially at risk are organizations whose core revenue is derived from creating and distributing products and remaining operationally available (e.g., manufacturers, e-commerce firms, logistics-dependent providers in the transportation space, etc.) or businesses that are highly data-reliant.
Furthermore, we continue to see momentum around ransomware attacks. Ransomware is a form of malware that, when activated, encrypts or locks all of the files on a computer or network. To regain access to the files, the cybercriminal (also known as a ‘threat actor’) demands a ransom, typically paid with electronic currency such as bitcoin. It appears the next generation of ransomware is even more Machiavellian as it enables the software to be installed, the data encrypted even when the computers are offline, and then the software targets data stored in the cloud.
Evaluating and Understanding Cyber Insurance
Cyber insurance policies address a wide range of costs incurred by an organization in connection with a cyber event.
Policies typically cover both losses incurred directly by the insured (e.g., lost income, data restoration, extra expense, event management, costs spent on potential customer notification, etc.) and those incurred in connection with the insured’s potential third-party liability for damages, regulatory fines, etc.
Policies can cover lost income and extra expense resulting from a supplier or vendor cyber event, which doesn’t necessarily have to be tied to a malicious threat actor and can include unplanned system outages.
From a reputation standpoint, cyber insurance policies can also cover costs related to public relations and crisis management services needed in the aftermath of an incident, as well as ascertain determined brand damage.
The media liability portion of a cyber insurance policy can protect against online defamation and copyright infringement losses.
Leading organizations know that a crucial component to any cyber preparedness plan is the use of specialty insurance to mitigate financial risk by helping to cover anticipated business disruptions.
One of the most important roles cyber insurance can play is providing the financial protection and risk transfer needed to continue moving the company forward rather than letting cyber risks keep it behind.
Determining Your Coverage Needs: A Three-Step Approach
Because cyber insurance policies are complex and not standardized, companies should seek professional advice when considering their options. Cyber specialists understand, match,and align business exposures with the appropriate types of coverage. They can also determine how cyber coverage might overlap with other insurance lines, minimizing duplication and maximizing return on investment.
When working with specialists to evaluate their cyber insurance options, businesses should consider their cyber risk the way they consider any other risk exposure – something they can manage but never eliminate or eradicate completely. Businesses can better understand exposures and options to arrive at a coverage plan by adopting a three-step approach:
- Map Risks. Map out the range and boundaries of risk exposure. What are the threats based on the nature of your business? What are your cyber risk vulnerabilities based on your market presence, what you produce, intended audiences, and your supply chain? What are your core risks?
- Quantify Threats. To better understand the frequency and severity of cyber events that could impact your business, look at the financial cost of previous events in both your industry and more broadly. Also, try to quantify the potential impact of emerging risks or loss scenarios.
- Create an Integrated Plan. Cyber insurance should be a key part of your broader organizational cyber security plan, integrated with technology investments, enterprise risk management, breach response plans and incident response. Assess how much risk your company can offload via insurance and how cyber insurance coverages (and costs) mesh with your overall risk posture and appetite. The recent shifts in the marketplace mean that exceptional research is required to ensure that coverages are up to date and meet your expectations.
Achieving and Maintaining Resiliency
Once coverage is in place, companies should regularly review their cyber insurance policy to adjust for new threats and vulnerabilities, a necessity given the dynamic nature of cyber risk and business development.
Your insurance broker should be keeping pace with these rapid shifts, anticipating your needs, and acting as your advocate with insurance carriers. Threat actors are constantly evolving, and if your cyber risk awareness and preparedness is not keeping pace, the negative impact on your business could be devastating.
The objective of any optimal organizational cybersecurity strategy should be resiliency. From a business continuity standpoint, being cyber resilient means having the ability to take a punch, stand back up and minimize loss, downtime, and outages. Having the right cyber insurance coverage in place is a key component of this resiliency.
To learn more about Cyber Risk & Insurance coverages, contact M&T Insurance Agency today at 1-800-716-8314.
Cybersecurity and You
Protecting your information is one of our top priorities, which is why we at M&T Bank and Wilmington Trust (part of the M&T family), maintain an Enterprise Information Security Program.
But there are some things you can do to identify and manage cyber risks at home, in the office or on the go.
This article is for informational purposes only. It is not designed or intended to provide financial, tax, legal, investment, accounting, or other professional advice since such advice always requires consideration of individual circumstances. Please consult with the professionals of your choice to discuss your situation.
Insurance Products offered are: Not FDIC insured; not a deposit in, obligation of, nor insured by any federal government agency; not guaranteed or underwritten by the bank; not a condition to the provisions or terms of any banking service or activity.
Insurance products are offered by M&T Insurance Agency, Inc., not by M&T Bank. M&T Insurance Agency is licensed as an insurance agent and acts as agent for insurers. In case of excess and surplus lines, M&T Insurance Agency is an insurance broker and places insurance on behalf of our clients. Insurance policies are obligations of the insurers that issue the policies. Insurance products may not be available in all states.