Costs for data breaches are edging upwards at an alarming pace. Last year, the global average cost of a data breach in 2023 was $4.45 million. That’s a 15% increase over the past three years. Meanwhile costs for U.S. businesses were more than double the global average at $9.44 million.
If you’re a Proofpoint customer, you’re well aware of the risks. And you’ve already made one of the most valuable steps toward mitigating them by protecting people and defending data in your environment.
But nothing can stop every threat. When something goes wrong, cyber insurance can provide another layer of protection. A good policy can help ensure that companies withstand the short-term and long-term aftereffects of a cybersecurity event, offloading some of the residual liability and financial impact of ransomware attacks, data breaches and more.
Most general business liability policies exclude cybersecurity threats. So if your company doesn’t have an explicit cybersecurity policy, you won’t be covered when a breach or cyber event happens.
But what exactly is cyber insurance, and how does it work?
Let’s take a detailed look at cyber insurance, including what you should look for in a policy, key nuances to keep in mind, and how to assess what kind of coverage you’ll need before you take the plunge.
Importance of cyber insurance
If you’re not convinced you need cyber insurance, consider what’s at stake. Expenses from a breach or cyberattack can run the gamut from ransom payments and lost revenues to legal fees, audit fees, supply chain disruption and more. A couple recent examples show the depth of the potential fallout.
In September 2023, MGM Resorts International—a hospitality company that runs 31 hotels and casinos worldwide—fell victim to a ransomware attack. In the days that followed, guests couldn’t use their digital hotel keys, credit cards or slot machine pay vouchers, according to reports. And problems didn’t just affect guests. MGM also faced potential long-term financial repercussions with Moody’s noting there was a possibility of a credit downgrade—just like what happened to Equifax in 2019.
And look at the fallout from the cyberattack on Clorox in October 2023. Afterward, many of the company’s automated systems were down. Clorox was forced to use manual processes for nearly six weeks. This delayed order processing and hit the company’s supply chain, which led to multiple product shortages. With so much chaos, company shares fell 20%. In fact, falling share prices are common for publicly traded companies in the aftermath of a breach. Share prices fall an average of 7.5% and typically don’t recover for an average of 46 days—if at all.
Cyber insurance doesn’t completely shield companies from all the financial impacts and liabilities of a cybersecurity event. But it can help them weather the storm. Generally, it covers:
- Financial costs incurred from a data breach
- Revenue losses due to business interruptions
- The loss of payments to bad actors for business email compromise (BEC) and phishing attacks
- Ransomware and extortion payments
Proofpoint research for our 2023 State of the Phish report found that companies are eager to protect themselves with cyber insurance. Of the companies that experienced a ransomware incident in 2023, 96% had cyber insurance. And most insurers (91%) helped with ransom payments.
However, cyber insurance is no silver bullet. Even when a ransom is paid, companies aren’t guaranteed to get their data back.
What happens when companies pay the ransom. (Source: 2024 Proofpoint State of the Phish report.)
Actions that cybercriminals monetize
Financial rewards are the goal of most cyberattacks. Our research shows that the three most common consequences of a cyberattack are:
- Data breach (29%)
- Ransomware infection (32%)
- Account compromise (27%)
Most common results of successful phishing attacks. (Source: 2024 Proofpoint State of the Phish report.)
Cybercriminals can monetize all these actions. As Proofpoint noted in the 2024 State of the Phish report, 22% of businesses that endured a successful attack experienced a direct monetary loss, such as a fraudulent invoice, wire transfer or payroll redirection.
Risk vs. rates
These risks matter. Cyber insurance premiums are directly tied to the cyber risk profile of the insured. The higher the risk, the higher the rates. (And in the most extreme cases, some organizations might be deemed too risky to insure at all.) By tying premiums to risk, insurers provide a natural incentive to make security a top priority.
Evaluating your risk profile
Your risk profile is mostly based on the type of business you run and your existing cybersecurity practices. So, before you reach out to providers to ask about a policy, you should take a deeper look at these aspects of your business. They’ll determine the insurability of your company. The work you do upfront assessing your company will help you to negotiate a better rate as well as select the right coverage. Plus, it will help you with renewing your policy later on.
Start evaluating your own cyber-risk profile by answering these questions:
What are your company’s biggest risks?
Consider what you stand to lose if your business experienced a cybersecurity event. For example, when attackers target companies like banks and healthcare facilities, they steal clients’ names, dates of birth, Social Security numbers or financial records. In contrast, when they target energy companies and manufacturers, they go after physical operations or networks.
Keep in mind that nuance is important here. If you store personal information, you have a high risk of cyberattacks. But if you store only customer names and emails, your insurance risk category will be lower. The reason? If you experience a data breach, you probably won’t lose a lot of money. (The good news is that your premium will likely be lower, too.)
How effective is your cybersecurity?
You can’t get insurance without a cybersecurity strategy and infrastructure in place. An organization without these things is sure to be a victim of a data breach, if not multiple breaches. A cyber insurance provider will want to know about your cyber defenses to determine your coverage and costs. So, now is the time to audit your infrastructure and document your security policies and systems so you’re ready to have that conversation.
Be prepared to provide evidence, like external audits, penetration test results and compliance certifications. If you have any additional access controls—like multifactor authentication (MFA) and privileged access management (PAM)—make sure to point them out because it may help to reduce your premiums.
Understanding your company’s coverage needs
Every provider bundles their offerings slightly differently. So, it helps if you understand the three basic types of cyber insurance:
- First-party policy. This covers the losses that your company suffers directly as a result of a cyber event.
- Third-party policy. This covers the costs of damages that are claimed by third parties whose data was stolen, whose money was stolen, or who were injured in some other way.
- Tech E&O. Short for “errors and omissions,” this type of policy comes in handy if you run a technology business. Essentially, it is professional liability insurance that protects you in the event that your company is sued by a client for a mistake where your technology caused them a loss of some kind.
Key features to look for in cyber insurance
As with any insurance, you will need to choose the exact coverage options that your business needs. Every insurance company offers its own packages. But first-party policies will typically cover many of the expenses below or offer them as policy add-ons. The details are what matter, so make sure to read the fine print.
Here are just some of the options that you’ll want to look for:
- Business interruption. This is a broad category that can include multiple expenses, like lost sales and in some cases labor costs. Make sure to examine what the provider requires to trigger this coverage. Does your company need to completely shut down its operations? Or is reputational damage enough?
- Data breach response and reporting. After a breach, your company will spend a lot of time and money notifying those who are affected. In some cases, you may need to provide them with credit monitoring services. And you’ll need to do a forensic analysis to find out what happened.
- Digital assets restoration. You’ll need to pay a team to either recover or re-create the data that was lost or stolen.
- Cyber extortion and ransomware payments. A recent survey found that a mere 19% of companies have ransomware coverage limits above $600,000. Compare that to the average cost of a ransomware attack, which was $1.5 million in 2023. So, don’t get caught underinsured, especially if you’re in a high-risk industry.
- Brand damage repair. If a cyber event ruins your brand image, you may want to hire a media relations team.
- Regulatory fines. Depending on your industry or your geographic location, you may be subject to penalties and fees in the wake of a cyber incident.
Requirements
To keep their risks at an acceptable level, every cyber insurance provider will require you to prove that you meet their policy requirements. This means you will need to meet basic IT cybersecurity standards before they decide to insure you. Know that cyber insurance providers are increasingly strict about this. So don’t be surprised if they ask for an independent audit or ask you to get an official certification like ISO 27001.
Cyber insurance best practices
Now, let’s look at some essential best practices for cyber insurance. These measures can help you navigate the policy purchasing process and cultivate a good working relationship with your insurer.
Find an expert and ask for support and guidance
Specialized brokers are your allies in the intricate world of cyber insurance. Insurers vary in risk appetite, claim acceptance rates and expertise. Brokers have an in-depth grasp of this landscape, and they will assess your options meticulously. They will help make sure that the policy you choose is the right fit for your industry, size, risk profile and more.
Closely examine coverage scope
Before you sign any agreement, make sure to read the policy thoroughly and confirm that you meet all of its terms and conditions—and that you have exactly the right coverage. Coverage specifics vary globally. You will find that most cyber insurance policies cover a portion of losses from ransomware attacks and expenses linked to crisis responses.
Understand that your insurance may not cover as much as you think it will. In our 2024 State of the Phish report, we found that while most insurers (91%) helped with ransom, far fewer reimbursed policyholders for the full amount.
Make sure you have a thorough understanding of the breach scenarios your policy does or does not cover. Take note of any exclusions. Be sure to scrutinize services like breach investigation support, legal counsel, public relations assistance and customer identity protection, as well.
Actively collaborate with your insurer
Invest in building a collaborative relationship and trust with your insurer. It’s a good idea to do this even if you don’t have an active claim. Insurers possess a wealth of experience from helping their clients recover from various breaches, which makes their insights invaluable. You could ask them to:
- Share timely threat intelligence
- Participate in simulated exercises
- Provide expert advice on incident response strategies
Arrange for your incident response team and the insurer’s forensic experts to interact during response plan trials. The forensic experts can share their perspective and recommend the best responses.
Contact your insurer immediately during a breach
During a suspected breach, you should be in immediate contact with your insurer. Industry best practice is for a business to engage with their insurer within the first 24 to 48 hours after an incident. This can dramatically improve your chances of mitigating damages and reducing recovery costs.
When you engage early with your insurer, you also broaden the range of options available to contain the situation. Your insurer’s vested interest lies in helping your business to recover as quickly and fully as possible.
Conclusion
Any cyber event can be expensive. And while it might seem like cyber insurance is a magic bullet, it’s really not. It may cover a lot of the costs, but it won’t cover any lost future revenue from dampened business growth. In other words, an attack still has the potential to permanently damage your business outlook.
Cyber insurance is not a replacement for strong security posture. Rather, it’s just one more layer of risk mitigation in your overall cybersecurity plan. Think of it as a supplemental addition—it should never be your entire strategy. To ensure your company can survive any cybersecurity event, make sure to create a strong, comprehensive cybersecurity strategy. For tips on creating one, watch our webinar, “How to Build Your People-Centric Cybersecurity Strategy.”
Cyber insurance can be another layer of protection as part of a larger, human-centric security strategy. Ready to boost your cybersecurity? Proofpoint Threat Protection is the only AI/ML-powered threat protection platform that disarms today's advanced attacks, including BEC, phishing, ransomware, supply chain threats and others. Find out more here.