As businesses fall victim daily to a wide range of new and evolving cyberattacks, ranging from ordinary breaches and hacks to extortion and the destruction of data, cybersecurity is more important than ever before. These attacks not only lead to huge financial losses for businesses, but also to the frequent exposure of consumer data.
Noteworthy incidents over the last few years include the 2021 Colonial Pipeline cyberattack that forced the company to temporarily shut down its operations and make a $4.4 million ransom payment, and the 2017 Equifax data breach that resulted in 147 million people having their financial and credit card information exposed online. These high-profile cases are just a few among countless examples.
Globally, cyberattacks cost businesses an average of $4.35 million per breach, up from $4.24 million in 2021, with the average company spending 277 days before it can successfully identify and contain an attack. The financial fallout of a cyberattack in the U.S. is even worse. On average, American businesses spend more than double the global average, at an estimated $9.4 million per breach.
Consumers also suffer when these attacks occur because hackers often gain access to consumer personal and financial information such as addresses, birth dates, credit card data and social security numbers. They then use this information to steal personal identities, transfer funds and commit other crimes. In 2022 alone, the Federal Trade Commission (FTC) estimates that 5.2 million American consumers lost over $8.8 billion to fraud.
These attacks are only becoming more frequent and more destructive, and they are affecting more businesses, particularly small businesses. Research suggests that 43 percent of all cyberattacks are now aimed at small businesses, yet only 14 percent of these businesses are prepared to defend themselves in the event of an attack. Other, more pressing concerns lead most businesses to underinvest in cybersecurity. One recent survey found that just 37 percent of small business owners reported being concerned that their business could fall victim to a cyberattack in the next 12 months. This lack of concern is troubling when resources exist to help businesses prepare for these types of attacks. One such resource is cyber insurance.
Cyber insurance is a type of liability insurance that companies can purchase from private vendors to protect themselves from financial losses associated with a cyberattack. Despite having existed for only a little over two decades, cyber insurance has rapidly grown in popularity. The U.S. market is now worth $3.5 billion, with 40 percent of all U.S. companies reportedly having some form of cyber insurance.
What this insurance looks like varies considerably, with most insurance providers offering just two types of coverage: first-party coverage and third-party coverage. First-party coverage is like property insurance in that it covers the cost of damages a business sustains because of a data breach. These costs include things like the recovery and replacement of stolen data for employees and customers and coverage for fines and penalties related to the breach. Third-party coverage is comparable to general liability insurance in that it protects a business from any claims brought against it, or a client, by a third party. This coverage includes things like accounting costs, payment to consumers affected by the breach and any legal expenses that arise from subsequent disputes.
Having even one type of coverage can significantly improve a business’s ability to survive an attack and consumers’ chance of recovering their data. For instance, a 2018 IBM study found that having cyber insurance reduced the amount of money a company loses per record stolen, which on average costs $148. With the average business losing thousands of records in a data breach, even small savings go a long way toward financial recovery.
In this way, cyber insurance offers companies an additional layer of protection that reduces the risk of exposure. While investing in cybersecurity can reduce the likelihood of a data breach, only cyber insurance provides companies compensation when a breach occurs.
Cyber insurance also has the secondary benefit of encouraging companies to adopt cybersecurity best practices because insurers require their clients to have a certain level of security as a precondition of coverage. These best practices serve as de facto standards that govern the cyber insurance market and serve as a market-friendly alternative to what would otherwise be top-down government standards. They are highly flexible and, being driven by the interests of insurers that have a strong incentive to avoid future attacks since they bear the cost of client damages, can adapt more easily than the government to the evolving nature of cyberattacks.
Cyber insurance is one market-based solution to cyberattacks that avoids many of the unintended consequences that government intervention often invites. While government still has a role to play in creating and enforcing the rules that businesses must follow, such as enacting state security breach notification laws and taking action against companies that don’t sufficiently secure consumer data, the market is ultimately best equipped to help businesses survive a cyberattack.
The cyber insurance market also indirectly helps consumers. Consumers benefit from the enhanced security environment that results when businesses invest more in cybersecurity so that they can qualify for insurance plans. Consumers also benefit from businesses’ ability to survive attacks and provide them with adequate compensation when their information is compromised. Cyber insurance can help consumers recover compromised data, including their identities.
While the cyber insurance market is still a relatively niche market, and one that is not immune to the growing pains every new market experiences, it’s quickly evolving to meet the needs of businesses and consumers. While it costs a small sum upfront, the peace of mind it buys is invaluable, especially when it can be shared by consumers and businesses alike.