The cyber insurance industry is emerging in response to the significant cost and impact that a data breach can have on an organization. Smaller organizations have many competing priorities and don’t understand the risk that cyber attacks pose to their business. A survey from ARGO Limited showed that only 27% of SMBs under $25 million had cyber insurance, while 48% of those between $25 and $100 million had insurance.
Organizations that go through a cyber insurance vetting and evaluation process benefit from having an industry standard framework to apply, which can help to focus IT investments on those areas that present the most risk.
In our recent presentation on this topic with Aon we learned about different cyber risk considerations for nonprofits.
- Cyber insurance can include both first and third party coverage.
- System and network outage coverage, for both first and third party losses.
- Data release of PII, PHI, PCI or confidential information.
- Data and system integrity losses that impact performance and decisions.
- Reputational damage (reputation is easy to lose but hard to recover).
Examples of first party coverages would include things like breach event expenses to your own nonprofit. We know from a Kaspersky survey that the average direct cost of responding to a data breach for a small to medium business in North America is $149K, which is up from $117K in 2017.
These are actual costs that small to mid-sized organizations would face, for example if accounting information were compromised, as Save the Children discovered in a false invoicing scam. The elements of the cost include direct remediation services, outside legal fees, in some cases PR work, and lost staff productivity.
Additional first party coverages could include business interruption, dependent business interruption, system failure and digital asset protection. Finally, cyber extortion coverage could be included to provide reimbursement of expenses incurred in the investigation and remediation of a threat.
Third party coverages would be invoked when other parties incur damages as a result of a failure of the covered entity — your nonprofit. Those damages could include technology errors and omissions, miscellaneous professional liability, media liability coverage, security liability, privacy liability, regulatory proceedings or PCI-DSS coverage. In the event that your security lapse allowed an attack that damaged a third party — for example a HIPAA violation that exposed sensitive client information — you’d be covered. A broker would work with your organization to provide a tailored policy that fits your unique needs and avoids a scenario where coverage is incomplete or has gaps.
The market for cyber insurance is still relatively new, less than 20 years old, and has a lot of new entrants providing coverage. Actuarial data and loss modeling for the sector is improving as data is collected. With the increase in competition, overall pricing is favorable for nonprofit organizations seeking coverage.
Small and mid-sized nonprofits and associations should review their existing insurance coverage, with the help of a qualified broker, to determine if the level of coverage is adequate for their current business needs. The dynamic cybersecurity and cyber insurance landscapes mean that people, process and technology solutions need to be re-evaluated on a regular basis.
Working with a trusted partner can ensure that the right solutions are chosen in each area to provide the appropriate level of protection for the organization, as those risks change over time.