Small businesses that handle sensitive personal or financial information can benefit from having cybersecurity insurance. To get cyber insurance, however, you’ll often have to meet certain requirements.
Cybersecurity insurance, or data breach insurance, protects your business from the financial losses and legal consequences of an accidental or malicious security breach. It will cover incidents like:
There are several different types of cybersecurity insurance. Depending on your business, you might need all of these policies, or just one. The main types of cyber insurance for small businesses are:
If you own a small business and are wondering whether cyber insurance is mandatory, the answer is no.
Generally speaking, small businesses are not legally required to carry cyber insurance. However, cybersecurity insurance is recommended for most businesses, especially ones that handle or store sensitive personal or financial data.
Cyberattacks on small businesses can be incredibly expensive. For the average small business, it costs $690,000 to recover from a cyberattack or data breach. Because of that, cyber insurance can be a valuable part of your risk management strategy.
If your business is targeted in a cyberattack, you might have to pay for security fixes, ransomware demands, credit monitoring, legal fees, and reputation management services. Cyber insurance helps cover these costs, so it lessens the impact on your bottom line.
Additionally, all 50 states have data breach notification laws that require businesses to notify customers if their personally identifiable information (PII) is stolen or unlawfully accessed. The cost of notifying customers is also covered by cybersecurity insurance.
Most insurance companies have cyber insurance coverage requirements for businesses that want to purchase a cybersecurity policy. However, there isn’t a universal set of cybersecurity insurance requirements. The exact criteria depend on the insurance carrier and your industry. Some requirements, however, are fairly standard across insurance companies, like access management, firewalls, and incident response plans.
These requirements may include:
Multi-factor authentication (MFA) is a security feature that requires at least two different means of authentication to verify your identity or log into an account. Oftentimes, a user must input their password and a one-time security code generated through a separate app or mobile device.
Many insurance carriers have MFA requirements for cyber insurance because it has been shown to significantly reduce the risk of a cybercriminal gaining unauthorized access to sensitive information or privileged accounts.
Some insurance companies also have cyber insurance MFA requirements for specific types of coverage. For example, you might need to use a secondary means of authentication to get funds transfer fraud coverage.
Having a robust data backup strategy is an important feature of any security posture. With the rise in ransomware attacks on small businesses, failing to back up your most important information could have serious consequences.
When you apply for a cyber insurance policy, many cyber insurance providers will ask if you’ve implemented a data backup strategy. You might also be asked how often the data is backed up, and where the information is stored.
As a best practice, your backed-up data should always be encrypted and stored on a separate network. For the most sensitive information and business files, consider backing up your data offline on external hard drives or optical or magnetic storage devices.
You might only be able to get cybersecurity insurance if your employees undergo regular security training. This is critical because human error can easily lead to security flaws, like using weak passwords or forgetting to log out of accounts.
If you haven’t already implemented a cybersecurity training program for your employees, you can look for companies that offer online security awareness training resources. These programs will educate your employees about cyber threats, basic network security tips, and malicious social engineering tactics.
A security risk assessment surveys your business’s security protocols and strategies. It’s a requirement for many cyber insurance carriers. Before an insurance company agrees to insure your business, they’ll want to know where the weak points are.
If you’re planning to purchase cybersecurity insurance, you can hire a third-party company to conduct a cyber risk assessment of your systems, networks, and security controls. If the report finds any vulnerabilities, you’ll have the opportunity to make changes that will improve your insurability.
However, the insurance company may want to conduct its own assessment as part of its cyber liability insurance requirements. For example, some insurers will review your business’s website to identify potential hazards and security flaws that could present opportunities for cybercriminals to access data.
Endpoint detection and response (EDR) continuously monitors your employees’ devices and collects data about each device’s location and software versions. It can also detect when a user attempts to download or install new software or programs.
Many cyber insurance underwriters require businesses to use EDR within their organization. EDR can be used to identify risky or unusual behaviors, like unauthorized access attempts, and shut them down before they become a bigger threat. IT departments can also use EDR to remotely wipe a device that might be infected with a virus or malware.
Insureon customers pay an average premium of $145 per month for cyber insurance. The cost of cyber liability insurance is based on several factors including:
All of these factors will be instrumental in determining how much cyber insurance your small business needs.
Cyber insurance costs vary based on several factors. In addition to choosing lower coverage limits, these tips can help keep costs down:
Businesses can often save money by bundling policies purchased from the same insurance provider.
You can usually choose to pay your cyber liability insurance premium in monthly or annual installments. While it’s tempting to go with monthly payments because they require less cash upfront, many insurance companies offer businesses a discount for paying the entire annual premium at once.
If your small business has no cyber liability claims history, you could save money on your premium. You can also save money by implementing security measures at your business. For example, you might:
Any business that transacts online or handles and stores sensitive data should have cyber insurance. Some of the business types that can benefit the most from cybersecurity insurance include:
Say an IT consultant recommends a web service to a client, which later is found to be insecure after a data breach exposes the client's data. The client then sues the IT consultant for the recommendation of the service. Third-party coverage would help pay for the consultant's legal defense, as well as a settlement or judgment.
If a retail store's point of sale (POS) system is compromised and a cyberattack exposes customer data stored by the business, such as credit card numbers, first-party coverage would provide financial protection for the store.
A denial of service attack on a restaurant could shut down critical systems, making it impossible to process orders and complete sales. This would lead to a loss of income for the restaurant, reputation damage, and potentially devastating legal costs.
Cyber insurance covers any lost income during the downtime, legal expenses, and any ransom costs to restore access to their systems.
Every healthcare practice stores the personal health information (PHI) of patients, including medical records, test results, and medical bills, which is heavily protected by the federal Health Information Portability and Accountability Act (HIPAA). Any violation of this act, like a data breach of the computer systems, would result in significant fines and penalties.
Cyber liability insurance would help pay many of the costs related to a cybercrime, such as identifying and correcting cybersecurity flaws that led to a breach, payment of cyber extortion demands, and any resulting HIPAA fines.
Financial service providers have access to and store highly confidential information for their clients, like tax returns, Social Security numbers, W-2 forms, employer IDs, financial statements, banking info, and more.
This data is a treasure trove to cybercriminals. With cybersecurity insurance, your financial service business would be protected from the repercussions of a cyber incident, including financial loss, fines and penalties, privacy injuries, negative press, and legal costs.
Because of the sensitive customer data and sizable transactions that real estate businesses handle, they're at high risk for a cyberattack. If electronic data is stolen or compromised, clients are at risk of theft—including identity theft—and could sue the impacted real estate business.
When data is stolen or compromised, cyber insurance can cover legal fees and provide vital resources, such as credit monitoring for affected clients.
Are you ready to safeguard your small business with cyber insurance? You can get started by filling out Insureon’s easy online application to compare insurance quotes from top-rated U.S. insurance carriers.
If you need help choosing your cybersecurity insurance coverage limits, you can consult with an insurance agent about your business’s insurance needs. We can also help you find the right cyber insurance coverage at the best price.
Once you find the right cyber policy for your small business, you can begin coverage and get your certificate of insurance (COI) in less than 24 hours.