Though cyber attacks have continued to grow in both scale and destructive power, there has also been an increase in the choices available to insure against the many types of cybersecurity threats and losses. But business decision makers might be wondering just how much cyber breach insurance coverage they need.
A quick answer is that your cybersecurity insurance coverage should be at least $1,000,000 to $5,000,000. As of Q3 of 2021, even low-cost attacks are running at least $500,000. In 2021, we have seen ransoms ranging from $300,000 to $20,000,000. And if you want business interruption coverage for lost revenue, you’ll want to make sure the total limit is around 10% to 20% of your annual revenue. As stated, this is a simple and quick answer, but there is a more thoughtful process of determining how much coverage you should buy.
You can look to the ransomware recovery cost calculator (discussed more below) for estimating how much a cyber breach is likely to cost your company when an event occurs. It is worth noting that the cost of ransoms and cybersecurity breaches is trending solidly upwards, so be prepared.
Certainly, ransomware attacks are not the only reason you would require cyber breach coverage, but we are choosing to use a ransomware breach as the best indicator for how much insurance coverage you should buy. This is due to the following:
- Ransomware is the most prevalent cyber breach incident that has significant cost implications.
- Ransomware attacks now commonly include an extortion demand, coming from the threat of releasing confidential information that was exfiltrated from the victims’ network.
- Ransomware attack cost components include every expense category involved in a cyber breach event:
  - Legal counsel/breach coaching consultation
  - Incident response
  - Digital forensics
  - Ransom negotiation
  - Ejecting the threat actors and locking down the system
  - Ransomware recovery services
  - Working through extended containment list remediations
  - Public relations services
  - Possible expenses for credit monitoring services
  - Possible regulatory fines
  - Possible litigation costs
  - Lost revenue
  - Brand damage and lost customers
The key vendors you will likely be paying directly, or that the cyber insurance carrier will be reimbursing, are the breach counsel lawyer (some recommended lawyers are listed HERE), the incident response/digital forensics firm, the ransomware negotiation specialist, and the ransomware recovery firm. The ransomware recovery firm is key to ejecting the threat actors, rebuilding the IT system in a way that keeps the bad guys out, and then decrypting and/or restoring the contents of the network so you can get back to work as quickly as possible.
The ransomware recovery cost calculator asks questions about how many users and servers you have, and to what extent they are affected by ransomware. Employee counts and the number of IT staff available to assist in a ransomware recovery also determine the scale of work required and the resources available to assist in the recovery effort. It then asks for an estimate of annual revenue. This figure is important, as it is essential for calculating revenue loss on the estimated days of downtime that the calculator produces. Most ransom demands are also calculated based upon the size of the company. The size is typically determined by the bad actors based on the company annual revenue, employee count, server and/or user count, the number of encrypted files or the number of gigabytes/terabytes encrypted. In some cases, the bad actors peruse the system to find out how much money the company has in the bank or the profit it produces. There are also cases where they will look for the insurance policy to see how much coverage you have. Based on this information, the calculator can estimate what your ransom is likely to be, and how much you will pay for incident response and ransomware recovery services. This estimate will not include brand damage, potential fines or legal services, PR costs and potential litigation costs.
The calculator calculates in real time. We encourage you to play with some differing values in some “What if” type situations. If you have questions or concerns, please call us or write to us via the web form on this page.
Some other important things to consider are the terms of your cyber breach insurance policy. For this, we have solicited the advice of an expert insurance broker, David McNeil, through the Q&A below. David is a Principal with EPIC Insurance Brokers & Consultants.
Contact Info: David McNeil
David J. McNeil, ARM
EPIC Insurance Brokers & Consultants
714.856.4221 cell | 909.919.7508 direct
Q: What method do you use to calculate how much cyber breach insurance a client needs?
This is an interesting question, because the answer varies so much. We are in an extremely volatile market for Cyber coverage. For the purposes of responding, I’m assuming that we are only addressing Information Tech (IT) rather than Operational Tech (OT). So, my responses are only regarding IT issues.
REALITY CHECK: Literally, the Cyber-insurance market is changing from day to day right now. Some recent numbers I’ve heard say that we have gone from an average $257k per cyber-claim to about $1.7m per claim. AND we’ve now reached an average of an incident happening every 39 seconds. SO, a huge increase in BOTH Severity AND Frequency. Either one would have a negative effect. But BOTH at the same time is causing a tidal wave of activity. We have some carriers exiting the marketplace. Others are completely revamping their coverage, introducing sub-limits on certain exposures, and changing the rates dramatically.
What limits will the insurance carriers offer?
- As an example: I recently had a client renewal with existing policy limits of $5mm that was only offered $3mm at renewal. (They had no losses) AND their deductible went from $5,000 to $25,000. AND their premium went up 500%! Ultimately, we were able to get them a competitive quote from another carrier to retain their $5mm limits. But the deductible was still high and their premium went up “only” 300%.
What is your actual exposure?
- Many factors here. Of course, number of records, revenues, employees, servers, endpoints, how sensitive is the data, etc. The list goes on. What cyber-security and risk management practices are in place?
What can your company afford?
- My general statement here is that you insure enough to live to fight another day. Do not think that you want/need to insure to make yourself completely insulated by cyber-insurance to be whole. Frankly, in today’s market that is probably too expensive. My advice is that you have a longer conversation with your upper management to determine your tolerance of risk on your exposures. Then add your broker to the conversation.
- At the end, decide to adopt a corporate culture of solid Cyber-hygiene risk management. Make some reasonable assumptions about that impact on potential losses. Then insure for the rest. Again, act in a manner that makes sure your company can Live to Fight Another Day.
Q: How about retentions/deductibles? What is the difference and what do you recommend for amounts?
You will still want to coordinate any claim with your carrier regardless of whether you have a Self-Insured Retention (SIR) or a Deductible. You may or may not get options for various levels of SIRs or Deductibles. That is underwriter specific. Obviously, the more of the risk/burden of payment that you are willing/able to absorb, the lower the premium.
With a Deductible, the carrier will usually pay (e.g., legal bills) from day 1, then “deduct” your “Deductible” from the final settlement. So, in many instances you are not laying out anything from your own pocket.
Your reference to “Retentions” is short for “Self-Insured Retention” (SIR). Basically, this means that you are responsible to pay the SIR amount before the insurance begins to pay.
- So, let’s say that an initial bill comes to $19k for a covered peril. For our example, you have a $25k SIR. In this case, the carrier will look to your company to pay that $19k bill directly and/or immediately. They won’t be laying out the money first.
Q: We have seen policies stipulate differing coverage limits for various types of cyber losses, such as business email compromise, data extortion, DDOS extortion, ransomware attacks, etc. What advice do you have for negotiating the coverage limits in these areas?
If you see sub-limits or exclusions of any of these items, then you will want to look very closely to understand the exact “edges” of coverage…based on your tolerance of risk, risk management cyber-hygiene practices, and balance sheet. From there, I do have some basic minimum coverages I check/ask/negotiate for. The list varies depending on the client’s exposure or industry. But know that Definitions are extremely important.
As an example, regarding NOTIFICATIONS of affected parties, if the coverage language says something along the lines of… “We will pay notification expenses for which you are Legally Liable”, you need to know that. Here, a better alternative is “Voluntary Notification”. This means that YOU will have cost coverage to notify those potentially affected when YOU want to, even if earlier than the timeline set forth by your State. Without “Voluntary Notification”, the carrier will not pay unless/until the State notification rules apply. This may not be beneficial for your brand and/or customer service.
Q: We have seen all sorts of various terms around how much or whether a ransom payment is covered by a cyber breach insurance policy. What advice do you have for this?
As a general statement, the answer is, YES, there will be coverage for ransom. That said, look for any sub-limits or exclusions. Again, the best answer is that you don’t have to deal with having the claim at all. With solid risk management practices surrounding cyber, you will not be the low-hanging fruit. By far, those hit by Ransomware are those who do not practice solid cyber-hygiene. For example, an incomplete list of basics could include Patching, Multi-Factor Authentication, Network Segmentation, good Password Policies, Log Management, Credential Management, blocking suspicious activities, and the list goes on. Even with just those listed above, my estimate is that you’ll be in the top 1%. That means that 99% of other businesses are lower-hanging fruit. You’ll never be bullet-proof, but you don’t have to be. Just be better than the next guy.
Q: Some policies have coverage for business interruption that reimburses the insured for lost revenue and profits during a covered event. What can you tell us to better educate us on this topic?
My short answer is that Business Interruption is insuring your revenue stream. That, normally, would include your profit, but not by definition. You will also need to add a number for Extra Expenses: those expenses that you would not have had if there had not been an event. Example: your network is toast, and you may need to pay a 3rd party to work 24 hours/day to set up a completely new network, phone system, etc…EXTRA EXPENSE. Maybe you have to lease some equipment short term. Short-term rental/lease rates generally cost more…EXTRA EXPENSE.
Estimating Business Interruption is half art, half guess. I’ve seen 22-page forms to calculate a Business Interruption number. And I have seen two-line estimates basically saying: How long will you be screwed up? 30, 60, 90 days? Say, 90 days. That is 25% of your annual revenue. Add another 10% for Extra Expense. I say, discuss with the CFO, round UP, not down, and move forward. Overall, you won’t know the correct number until you need it. But decide how much you will want the insurance check to be for and take it from there.
Q: Some clients are faced with fines due to cybersecurity incidents. Will policies pay for those regulatory and contractual fines?
Again, YES, but…. In most cases, regulatory fines are covered. Not so much for private contract penalties. But turn it in and make them say NO. Also, there are some penalties (Punitive Damages) which insurance carriers are not legally allowed to cover. Otherwise, it insulates a bad-acting-company from feeling the “Punitive” part of the fine.
Q: Credit monitoring is often stipulated by law, or by a settlement of sorts when a cyber breach incident involves the release of personally identifiable information, credit card information or electronic medical records. Will cyber breach insurance policies cover these costs?
In almost all cases, YES. This is avoiding future claims/costs for the carrier. So, they are willing to pay for Credit Monitoring.
Q: Litigation is often a threat that emerges from serious data breaches and ransomware incidents. What recommendations do you have in this area for companies buying cyber breach insurance?
Of course, litigation presupposes that a 3rd party was damaged. So, the specifics of the case vary vastly. However, the Liability portion of your policy will rise to defend you. At least, up to the point where it hits the limit of the policy. OR, to the point where it is determined that the policy coverage does not apply.
Keep detailed records of actions, trainings, cyber-hygiene company policies, etc. You may end up defending your actions in court. If that happens and you can show a record of a solid, diligent, good-guy approach, that will work towards your benefit.
CompTIA has compiled a list of cybersecurity stats that illustrate the harsh realities of cyber breach incidents. Read the article, The Cost of a Breach: 10 Terrifying Cybersecurity Stats Your MSP’s Customers Need to Know.