Answering Common Commercial Cyber Insurance Questions

Key Takeaways:

  • For every business, cyber insurance should be an anticipated expense given today’s reliance on data.
  • Given the fast-paced, ever-changing threat landscape, businesses have more and more cyber insurance questions as time goes on.
  • Insurers need answers when advising commercial policyholders about cyber insurance coverage.

Today's businesses face an ever-evolving array of cyber threats to their operations, executives and customers. In fact, the severity of data breaches increased 34% last year, reaching the highest level ever recorded by TransUnion®. Those attacks also cause real financial consequences for breached organizations, with the average cost of a data breach increasing 10% year over year — largely due to lost business and post-breach response activities.

These figures show there’s a critical need for companies to deploy proactive cyber protection measures, as well as robust cyber insurance solutions to protect them from significant financial losses.

When asked to advise their commercial policyholders about the pros and cons of cyber insurance, many insurers have questions of their own. Let’s address some of the most common commercial cyber insurance questions.

Top 10 questions about cyber insurance for companies

To ensure their cyber insurance offerings meet the needs of modern business clients, insurers and agents need to understand the key questions they may encounter. These include:

1. What does cyber insurance cover as far as types of incidents?

Commercial cyber insurance policies typically cover a range of cyber incidents. These can include data breaches, ransomware attacks, phishing attacks — including business email compromise (BEC) — and distributed denial-of-service (DDoS) attacks. In addition to recovering business interruption losses resulting from these incidents, cyber insurance coverage might also address legal fees and costs of notifying anyone whose personally identifiable information (PII) was exposed. Agents can better advise their business clients when they understand the coverage detailed by their policies.

2. What are common exclusions in commercial cyber insurance policies?

Many commercial cyber insurance policies will exclude events like acts of terrorism or war, pre-existing vulnerabilities that were known but not addressed, and intentional acts by the policyholder. Some policies might also exclude covering specific types of data like intellectual property. The best practice is for agents to clearly state any exclusions to the policyholder, which can better set expectations when establishing the coverage and eliminate misunderstandings during the claims process.

3. How do I determine the appropriate coverage limits for commercial clients?

You’ll need to balance the client’s protection needs against the cost of the premium. To determine the company’s risk profile, consider how large the company is, what proactive protection it has in place, the criticality and value of its data, and what the financial impact might be if a cyber event were to occur. You’ll want to examine any available benchmarks for the policyholder’s industry as well as historical data when setting coverage limits. Regularly review the policy and, as the company evolves, make any necessary adjustments to the coverage.

4. How do I assess the cyber risk of commercial clients?

Assessing a commercial policyholder’s risk means evaluating the business's vulnerabilities and potential exposure to cyber threats. Many insurers will use established risk assessment tools like the NIST Cybersecurity Framework to measure a business’s cybersecurity posture. You’ll want to establish how seriously the company takes cybersecurity by asking questions, such as:

  • What cybersecurity solutions are currently deployed to protect its systems?
  • What data protection steps does the company employ? Does it regularly back up data? Is that backup stored onsite or offsite?
  • Does the company regularly conduct cybersecurity training of employees?
  • Is there a thorough incident response plan in place to help ensure a fast and orderly response to an attack?

Having an annual conversation about cybersecurity and evolving risks in the market is a great way to show the insurer is a trusted partner committed to the company’s protection.

5. What are the underwriting criteria for commercial cyber insurance coverage?

To underwrite a commercial cyber insurance policy, multiple factors must be examined to determine a policyholder’s potential risk. The insurer needs to dig deeper than basic network security solutions and what kind of data is collected. Insurers will typically look at the computing redundancies in place, whether regular backups are made, if there’s a disaster recovery plan, how access privileges are determined, and how system and security patches are managed. This kind of information helps the insurer precisely assess the risks so an appropriate premium can be set.

6. What cybersecurity measures should my commercial clients implement to qualify for coverage?

Before a cyber insurance policy is issued, insurers will want to ensure the company’s cybersecurity posture meets a minimal standard to help manage risks. These criteria can include requiring regular security audits, implementation of multi-factor authentication (MFA) to access company systems, end-to-end encryption of digital communications, and a thorough incident response plan. Depending on the industry and risk assessment, insurers may also insist clients follow specific information security standards like the ISO/IEC 27001 or NIST frameworks.

The rising frequency and severity of cyber incidents have expanded interest in cyber insurance, and cyber insurance premiums are climbing as a result. While specific premiums depend on the individual coverage limits and deductibles for each policy, Munich RE estimates global cyber premiums will grow from $14 billion in 2023 to $29 billion by 2027.

8. How can I help my commercial clients reduce their cyber insurance premiums?

The ultimate goal is to help them reduce their risks upfront. Ensure they take security seriously by having robust cybersecurity solutions in place, regularly training employees on security best practices, and implementing protective measures like MFA. Explain how larger deductibles can help lower their premiums. You might also offer discounts for commercial policyholders whose team members earn specific cybersecurity and risk management certifications.

9. What is the claims process for commercial cyber insurance?

For policyholders, the claims process is pretty standard: Report the incident, provide documentation and go through a post-incident investigation. They provide detailed information about the cyber incident, including the nature of the event (e.g., accidental exposure vs. cyber attack), systems affected and financial impact.

Insurers need to assess the claim, decide the coverage level and then handle the payment. Some choose to streamline the claims process by utilizing a third-party administrator to manage cyber and privacy breach claims for commercial policyholders.

10. How do I stay updated on regulatory changes affecting commercial cyber insurance?

The complexity of today’s cyber insurance market means agents and insurance companies must stay informed about regulatory changes to compete and serve their business customers. Industry newsletters, conferences, online peer groups and professional organizations can help ensure an insurer is apprised of new regulations and evolving best practices — enabling them to adjust their cyber offerings to align with these changes.

Keys to selling business cyber insurance

Given the persistence and creativity of cybercriminals, businesses of all sizes will continue to face a range of ever-evolving cyber threats. Demand for commercial cyber insurance will continue to grow, so insurers need to be ready to answer questions policyholders will pose.

Insurance companies and agents can better serve their commercial cyber insurance policyholders by educating themselves on the basics, ensuring those businesses are taking their security seriously and staying current on the latest trends.

Want to build a profitable and sustainable cyber insurance program? Get the cyber protection services and support you need to take advantage of expanding opportunities. Learn more at TransUnion Cyber Protection.