Do You Really Need Cyber Insurance? 4 Questions to Ask Before You Get It
A security breach is rarely something you are happy to discover, if ever. There’s the loss of and potential destruction of data. Then there’s the aftermath: changing passwords, trying to recover information, and uncovering the depths of the attack. Finally, there are the financial implications, too.
For regular consumers and businesses alike, cyber-crime is costly. But what if there was another way?
Cyber-crime insurance is a burgeoning industry that many businesses and other organizations are exploring. However, is cyber-crime insurance a worthwhile investment for home users? And if it is, what does it actually protect? Let’s take a look.
1. What Is Cyber Insurance?
It’s no secret that cybersecurity is a delicate balance between security researchers and malicious actors. It is a game of cat and mouse; a new threat hits our systems, researchers and antivirus firms patch the issue. A new security mitigation technique appears, and attackers set about finding vulnerabilities. One thing, however, is constant: the cost of a cyber-attack.
Be like Bob and #Update #Patch regularly ? #Infographic #InfoSec #Security #CyberSecurity #DataBreach #DataProtection #CyberAttack #CyberWar #Hacker #malware #Botnet #Ransomware #Technews #DarkNet #DarkWeb #DeepWeb #Cybercrime #cybersec #cyberinsurance #technology #Tech pic.twitter.com/F5la0bvgjI
— WMPDigitalPCSO (@WMPDigitalPCSO) July 27, 2018
Personal cyber-insurance helps mitigate the cost of security breaches such as ransomware extortion demands, data recovery, data destruction, online fraud, and identity theft. The overall cyber-insurance market is young and therefore difficult to accurately define. Policies for individuals focus on protecting against the financial burden of the myriad attacks lurking online. For instance:
Sounds over-the-top? Professional data recovery services can run from between $50 to $350 an hour depending on your location and severity of the issue. Smartphone data recovery can cost $200 or more depending on the device. And while the average ransomware payment demand has dropped from its 2016 high of over $1,000 per infection, the payment is still an enormous financial burden.
2. How Much Does Cyber Insurance Cost?
There are few things to consider before forking out for cyber-security insurance. Befitting the cyber-insurance market’s relative youth, there’s some skepticism regarding taking out an individual policy. As with most personal security, the answer lies in the cost of the policy. How much can you afford to part with to guarantee financial protection from an attack?
Like other forms of insurance, your policy costs vary depending on the coverage you desire. Though, unlike regular insurance, underwriters are still struggling with how to accurately model and forecast the myriad online risks.
“Typically in insurance, we use the past as prediction for the future, and in cyber that’s very difficult to do because no two incidents are alike,” said Lori Bailey, global head of cyber-risk for the Zurich Insurance Group.
The issue is further exacerbated by a lack of knowledge from both insurance providers, and those seeking cyber insurance. “All the major homeowner [insurers] are anxious to provide some sort of cyber offering,” says Tim Zeilman, a cyber-insurance specialist at Hartford Steam Boiler. “People seem to think that it is going to be a standard part of homeowner’s cover in the next five to 10 years.”
However, Hartford Steam Boiler offer one of the cheapest cyber insurance policies, starting from around $30 per year, while UK online insurance brokers PolicyBee offer cyber insurance policies starting from just £6.99 (roughly $9). The initial cost is low but to get complete coverage for repairing hardware, data recovery services, ransomware extortion pay-outs, and even legal fees, policy fees escalate quickly.
Cyber Insurance Policy Small Print
AIG’s Family CyberEdge policy costs $597 per year for $50,000 of coverage in key areas such as ransomware and extortion, data restoration, cyberbullying, and crisis management. The AIG policy sounds expensive until you look at what you get for your money.
For example, the cyberbullying cover includes a year of psychiatric services, as well as PR cover (if required), digital forensic analysis to uncover the bullies, plus cover for any lost salary if the individual loses their job during a 60-day period after the cyberbullying is reported. Victims can also apply for temporary relocation along with “temporary private tutoring” or an “increase in expense for school enrollment for you or a family member to relocate to an alternative but similar school.”
Other terms in the small print are less encouraging. AIG reserves the right to reject claims “resulting from an error in computer programming or error in instructions to a computer.” The onus, then, falls on the victims to ensure their system is completely up-to-date at all times as most system vulnerabilities come from a programming issue. Furthermore, how do completely unknown zero-day vulnerabilities fit within this description?
3. Do Individuals Need Cyber Security Insurance?
A cyber-attack is stressful for business and individuals alike. Want to know what makes it worse? Repeated breaches of the same system. Embarrassingly, the National Bank of Blacksburg fell victim to two separate spear-phishing email attacksover an eight-month period and lost over $2.4 million. Sounds bad, right? The National Bank of Blacksburg’s cyber insurance provider compounded the issue by refusing to pay out after the breach.
If that can happen to a bank worth billions of dollars, won’t individual customers suffer at the hands of the powerful insurance companies? Do individuals even need cybersecurity insurance to begin with?
Some think it depends on the net worth of the individual or the family considering the cybersecurity insurance. Individuals or families with a high-net-worth might find it beneficial to have an extensive policy to guard against all manner of online threats. Josephine Wolff, assistant professor at the Rochester Institute of Technology, says “If you are a very high-net-worth individual, then it is possible that this would make sense. For other people, the costs [of a cyber-attack] are not so high.”
She continues: “It is very hard to put price tags on breaches, especially how they affect individuals. Most of the time the individuals are not on the hook—the charges are absorbed by banks, retailers or payment companies.”
But this ignores the sometimes devastating effect an attack has on an individual or family, or the positives that simply paying off a ransomware note or using professional data recovery services bring.
4. Is Cyber Insurance a Scam?
Critics of cyber insurance point out that policies may actually encourage attackers safe in the knowledge that someone else, other than the victim, will pick up the final bill. Or, hackers will target those with cyber insurance, driving up premiums for everyone. How about an increase in ransomware because attackers see more individuals paying out? Other critics believe personal cyber insurance sends the wrong message to individuals regarding system security; why take care when your policy pays for expensive professional data recovery?
At the end of the day, cybersecurity insurance depends on your network security. Most policies will refuse to pay out if there are significant issues in your network. The advice, as ever, is to:
The cyber insurance market is already growing, and it won’t be long before your home insurance provider attempts to bundle it at your next renewal. Be prepared to consider all of the options.