Is Cyber Insurance Worth The Cost For Small Businesses?
As a cybersecurity company that also happens to be a small business, we’ve had to decide for ourselves whether cyber insurance is worth the investment. We thought it’d be a good idea to walk through this issue from the perspective of a small business, and offer some thoughts that you might not have considered yet if you’re shopping around.
There are obvious reasons to have cyber insurance, and we’ll list them here. But be sure to keep reading: There are some other benefits you might not have considered before. Here goes:
The Obvious Benefits
Financial compensation for cyberattacks: If your business falls victim to a breach, your insurance may cover costs associated with remediation and recovery. This can include everything from data recovery to business interruption losses.
Ransomware protection: In the unfortunate event that you're hit with ransomware, some policies will even cover ransom payments, along with negotiation services to ensure the best possible outcome.
Customer communication and legal assistance: After a breach, communicating with customers and managing potential legal issues can be daunting. Many cyber insurance policies include help with both, minimizing the risk of long-term damage to your reputation and keeping you legally protected.
The Not-So-Obvious Benefits
Access to incident response: As one of our customers once said: “Your first call when you have an incident is to your insurance provider.” Most cyber insurance companies offer incident response resources and will manage the recovery process, for better or worse. This can be a huge relief, though the quality of these resources can vary, so it’s important to vet your provider carefully.
Built-in security standards: To qualify for coverage, your insurance provider will require your business to meet a certain level of cybersecurity standards. This may include some important security basics:
- Multi-Factor Authentication (MFA): Ensures that access to sensitive information is tightly controlled.
- Employee security training: Keeps your team aware of common threats, from phishing to malware.
- Endpoint Detection and Response (EDR) or 24/7 security monitoring: Provides an extra layer of security to detect potential threats before they become major issues.
These requirements act as a sort of “security framework”, indirectly pushing businesses to maintain a baseline level of security and acting as a built-in incentive to improve cybersecurity practices that might otherwise go overlooked.
OK, So Who Really Needs Cyber Insurance?
While cyber insurance may not be a “requirement” for every small business, there are certain industries where it can be particularly beneficial.
- Businesses with compliance requirements: If your business handles sensitive customer information and falls under regulations such as PCI (Payment Card Industry) or FISMA (Federal Information Security Management Act), cyber insurance can complement the security measures you’re already required to maintain.
- Vendors providing managed services: For companies like ours that offer managed services, customers increasingly require cyber insurance as a condition of doing business. In other words, you might need it just to stay competitive.
- Small businesses with limited resources: Cyber insurance can be a shortcut to acquiring the incident response services and security practices that would otherwise be out of reach for many small businesses. The fringe benefits—like built-in security requirements and external response support—are especially valuable when your in-house capabilities are limited.
Is It Worth It?
The short answer is, “Yes.” The longer answer is a bit more nuanced: Cyber insurance is worth it for most small businesses, especially considering the benefits we’ve laid out above.
However, be sure to thoroughly vet your insurance provider. You’ll want to confirm that they offer the resources they advertise, and more importantly, that they have a strong track record of supporting clients when the going gets tough.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.