by Scott Jack
Content Contributor, E-N Computers
Over 10 years of experience in healthcare IT and tech support.
If you’re thinking about cyber insurance, one of your first worries may be the cost and whether that cost is worth it, especially if you are a small business.
Since cyber insurance is a relatively new product, let’s look at what it is, what it costs, and why it matters to small and medium-sized businesses.
For small businesses, annual cyber insurance premiums can range from $1,000 to $7,500. The median cost of a cybersecurity incident in a small business (fewer than 50 employees) is $8,000 to $12,000, but the cost could hit $300,000. While insurance is a reactive measure, investing in your IT maturity and security measures is a proactive way to avoid serious incidents.
What is cyber insurance?
Cyber insurance is a specialized insurance policy designed to protect businesses from financial losses stemming from cyber-related incidents. It is designed to make you whole after being affected by cyber threats such as:
- network breaches
- data breaches
- data loss
- cyber extortion
- compromised email
Cyber insurance providers continue to adapt to new and changing risks. They use more refined risk assessment tools and expect more safeguards to be in place. Implementing your own safeguards is also important because there are things cyber insurance covers — and things it does not.
What does cyber insurance cover?
Before diving into the costs, it’s crucial to understand what a typical cyber insurance policy covers. Here are some key areas:
What’s usually covered
Data Breach Costs: If your business suffers a data breach, you’ll incur costs for legal consultations, notifying affected parties, and public relations efforts to restore your reputation. Cyber insurance can cover these expenses.
Ransom Payments: In the event of a ransomware attack, where hackers lock your data and demand a ransom for its release, cyber insurance can cover the ransom payment.
Business Interruption: If a cyber incident disrupts your business operations, the policy can cover the loss of income during the downtime.
Cyber Extortion: If someone threatens to release sensitive data unless you pay them, cyber insurance can cover the costs involved in dealing with the threat.
What’s usually not covered
Physical Damage: Damage to physical assets like computers is usually covered under general business insurance.
Loss of Intellectual Property: Theft or loss of intellectual property is often not covered.
Long-term Reputational Damage: While immediate PR efforts may be covered, long-term reputational harm is usually not included in standard policies. According to insurance firm Hiscox, “nearly a quarter of firms that were attacked (23%) cited bad publicity and its impact on the company’s brand and reputation. That is a sharp increase on the 14% who said the same” in the previous year.
Who needs cyber insurance?
If you’re wondering whether your business needs cyber insurance, the answer is often yes. Any business that uses digital technology, stores customer data, or conducts transactions online is at risk. Cyber threats don’t discriminate based on the size of a business. In fact, smaller businesses are often more vulnerable because they may not have robust cybersecurity measures in place.
How much does cyber insurance typically cost?
For small businesses, annual cyber insurance premiums can range from $1,000 to $7,500. Where you fall in this range depends on several factors, which we discuss below.
Factors affecting the cost of cyber insurance
Business Size: Larger businesses typically have more digital assets, more extensive customer databases, and a broader digital footprint, which can increase their exposure to cyber risks. A larger business might be a more attractive target for cybercriminals due to the potential for a bigger payout. Additionally, the complexity of larger IT infrastructures can introduce more vulnerabilities. As a result, they often face higher premiums.
Industry Type: Businesses in high-risk industries like healthcare, finance, manufacturing, and e-commerce often pay more. They handle vast amounts of sensitive data, making them prime targets. For instance, healthcare records fetch a high price on the black market due to the comprehensive personal information they contain. Similarly, financial institutions are direct gateways to monetary assets, making them lucrative targets for cybercriminals.
Coverage Amount: The extent of coverage you opt for will directly impact the cost. Just as with any other insurance, the more protection you seek, the more you’ll need to pay. If a business wants coverage that includes not only data breach costs but also items like business interruption, cyber extortion, and regulatory fines, the policy will be pricier. More comprehensive coverage equals higher premiums.
Security Measures: Businesses with strong cybersecurity practices may be eligible for lower premiums. Strong security measures reduce the risk of a cyber incident occurring in the first place. Insurers often see businesses with better security postures as lower risks. For instance, a company that regularly conducts penetration testing, maintains updated firewalls and antivirus software, and provides cybersecurity training to its employees demonstrates a proactive approach to mitigating cyber threats. Such companies are less likely to file claims, leading insurers to offer them more favorable rates. Some insurers will not provide coverage if a minimum level of security is not practiced.
How much coverage do you need?
Determining the amount of coverage you need is a complex task that should be tailored to your specific business needs. Here are some factors to consider:
Value of Digital Assets: Take inventory of your digital assets, or data, and estimate how much it will cost to recover them. Digital assets include databases, proprietary software, financial information, intellectual property, and more. You should be able to prioritize this data based on how essential it is to your ability to conduct business. The more critical the data is and the faster it needs to be recovered, the more the recovery will cost — which will increase how much coverage you need.
Potential Loss of Income: Unexpected system downtime can lead to a loss of revenue. Doing some simple math to estimate your daily lost revenue can help you determine how much coverage you will need. Check out How to Calculate Downtime Costs for an example.
Legal and PR Costs: Consider potential legal fees and public relations expenses that could arise from a cyber incident. For example, you may need counsel for any lawsuits that arise from stolen data or from a failure to meet contractual obligations. And if you don’t have the internal resources to manage a public relations incident or to notify all your affected customers, you may need to hire an outside PR firm.
An insurance advisor who specializes in cyber insurance can provide valuable insights into the level of coverage that’s appropriate for your business.
How to lower the cost of cyber insurance
Enhance Security Measures: Implementing robust cybersecurity measures like firewalls, encryption, and multi-factor authentication can lower your risk profile and, consequently, your premiums. We talk about some practical measures you can take in our article, How to protect yourself against cybercrime.
Employee Training: Educating your employees about the importance of cybersecurity and best practices can also reduce the risk of human error. Employee training is critical because, according to the World Economic Forum, 95% of all cybersecurity issues are the result of human error. Phishing scams, especially those that focus on high-value targets like executives, remain an effective tool for cybercriminals. Learning how to identify and report them is an essential part of your security.
Bundle Insurance Policies: Some insurance providers offer discounts for bundling multiple types of business insurance.
Regular Risk Assessments: Conducting regular cybersecurity risk assessments and sharing them with your insurance provider can demonstrate a proactive approach to risk management, potentially lowering your premiums. Third-party risk assessments provide an outside perspective from an industry expert, show that you take security seriously, and highlight areas for improvement.
Pitfalls to avoid
Underestimating Coverage: Cybersecurity incidents can be unexpectedly costly. The cost is affected by factors such as the nature and severity of the breach, your industry, and whether you operate in more than one state or country. The insurance company Hiscox estimates that the median cost of a cybersecurity incident in a small business (fewer than 50 employees) is $8,000 to $12,000; however, they also note that even small firms can experience costly breaches of nearly $300,000.
Ignoring the Fine Print: Always read the policy terms carefully to understand what is and isn’t covered.
Lack of Due Diligence: Failing to assess your cybersecurity measures can result in higher premiums and inadequate coverage.
In conclusion, cyber insurance is an essential tool for mitigating the financial risks associated with cyber threats. While it comes at a cost, the protection it offers can be invaluable, especially for small and medium-sized businesses that may not have the resources to recover from a significant cyber event. By understanding the factors that influence the cost and working with specialized advisors, you can tailor a cyber insurance policy that meets your business’s unique needs.
Evaluate and improve your IT maturity
Investing in your IT maturity can enhance your customer experience as well as protect the business you have worked so hard to build. IT is more than hardware and software — it is the combination of people, systems, and processes that work together to meet the goals and challenges of your business. Take our FREE IT Maturity Self-Assessment to see how you stack up and where you have room for improvement. Then, if you like, you’ll be able to book a short call to discuss your results.