In standalone cyber insurance, it is tough to just start pinning numbers on the cost of cyber insurance because it really depends on the industry someone is in.
Here are the main driving factors of the cost of cyber insurance:
(1) The industry of the company – insurers look at the industry a company is in, and every vertical has specific codes that are used to determine the type of exposure. That is then combined with the cybersecurity controls the company has in place.
(2) Cybersecurity controls – this was discussed in the last few pages and this is certainly a big driver not just of the cost of insurance but the ability to access the right policy. If you have the proper controls in place, the cost of premiums will certainly go down.
If you have the right cybersecurity controls, not only will the premiums be lower, you will have digital accessibility where you can pick and choose the policy that handles claims in the way that’s most advantageous for you. You have access to all the different carriers out there.
Whereas, if you don’t have cybersecurity controls, you can probably still get cyber insurance, but it just might be a little more expensive and it might not handle claims under a “pay on behalf of” policy, which is the most advantageous way.
(3) Yearly revenue – this is a big driver of the cost of premiums because it determines the cost of business interruption. Insurers want to know the financial repercussions if the business is down or slow for two months. It answers the question, “what is that going to equate to in claims?”
If there is ransomware, the criminals – those very good ones – when they’re in the system, they will look at someone’s balance sheet and they can kind of say, “okay this data gives us sufficient reason to ask this certain amount of ransom.”
(4) Claims history – insurers may use a company’s claims history as a reference. They will look at whether there has been an incident in the past three years.
Insurers have different ways to handle claims or reimbursements
A common confusion is that people think all insurers necessarily cover the same things and handle claims in the same way. They don’t. This is something we always look to educate people on: the process of claims or reimbursements is not the same for all insurers.
With reimbursement, that means that if there is an incident, you pay upfront, and then you are reimbursed for whatever costs you paid.
Pay on behalf
“Pay on behalf” means the bills are directly paid by the insurance company. It is like using your company credit card directly and not really having to worry about using your money for payments.
Here, you say, “I know I’m going to get reimbursed for this 30 days later but there’s going to be some paperwork and it might take only a minute.”
And to me, that’s very important because, just like we want the best team of experts available to us if there is an incident, we want the claims handled in the way that’s most advantageous and just the easiest.
No one wants to be trying to figure out how to buy Bitcoin to send to a criminal to unlock their system and then dealing with that reimbursement. It can be a little tricky now. Either way, “reimbursement” or “pay on behalf”, there will be a team of experts via the breach coaches to help navigate, but I just think it’s important to dig into these details a little bit.
The deductibles clause is also interesting. In the commercial and health insurance world, it is also sometimes referred to as retention or participation. It means the amount that you are responsible for before the insurance kicks in.
So there are two (2) different types of retention: On the left orange box is deductible retention which means that if a claim is a hundred thousand dollars and the retention is ten thousand dollars, a business would still be paying that $10,000 and the insurance would pay the remaining $90,000. And then in the self-retention you see it’s similar but there’s a little bit more coverage available there.
Knowing and understanding your policy is very important, especially to determine if you will have to pay first and get reimbursed only later, which most people don’t want. So, it is important to go back and check your policy now because nobody would want to be surprised by that.
These things really are worth checking for because they’re a little bit buried in the policy, which is a 90-page document.