Cost of Cyber Insurance


In standalone cyber insurance, it is tough to pin down the cost because it really depends on the industry someone is in.

Here are the main driving factors of the cost of cyber insurance:

(1) The Industry of the Company – insurers look at the industry someone is in, and every vertical has specific codes which are used to determine the type of exposure. It is then combined with the cybersecurity controls that a company has in place.

(2) Cybersecurity controls – this was discussed in the last few pages, and this is undoubtedly a significant driver not just of the cost of insurance but also of the ability to access the right policy. If you have the proper controls in place, the cost of premiums will undoubtedly go down.

If you have the proper cybersecurity controls, not only will the premiums be lower, but you will also have digital accessibility, allowing you to pick and choose the policy that handles claims in the way that’s most advantageous for you. You have access to all the different carriers out there. 

Whereas, if you don’t have cybersecurity controls, you can probably still get cyber insurance, but it just might be a little more expensive, and it might not handle claims under a “pay on behalf of” policy, which is the most advantageous way.

(3) Yearly revenue – this is a significant driver of the cost of premiums because it determines the price of business interruption. Insurers want to know the financial repercussions if this business is down or slow for two months. It answers the question, “What is that going to equate to in claims?”

If there is ransomware, the criminals—those very good ones—when they’re in the system, will look at someone’s balance sheet and say, “Okay, this data gives us sufficient reason to ask this certain amount of ransom.”

(4) Claims history – insurers may use a company’s claims history as a reference. It is something they will examine, as in whether there has been an incident in the past three years.

Insurers have different ways to handle claims or reimbursements

A common misconception is that all insurers necessarily cover the same things and handle claims in the same way. They don’t. This is something we always look to educate people on: the process of claims or reimbursements is not the same for all insurers.

Pay upfront

So that means that if there is an incident, you pay upfront, and then you will be reimbursed for whatever cost you paid. 

Pay on behalf

“Pay on behalf” means the bills are directly paid by the insurance company. It is like using your company credit card directly and not really having to worry about using your money for payments.

Here, you say, “I know I’m going to get reimbursed for this 30 days later but there’s going to be some paperwork and it might take only a minute.” 

And to me, that’s very important because, just like we want the best team of experts available to us if there is an incident, we want the claims handled in the way that’s most advantageous and just the easiest.

No one wants to be trying to figure out how to buy Bitcoin to send to a criminal to unlock their system and then dealing with that reimbursement. It can be a little tricky now. Either way, “reimbursement” or “pay on behalf”, there will be a team of experts via the breach coaches to help navigate, but I just think it’s important to dig into these details a little bit.

Deductibles/Retention/Participation Clause

The deductibles clause is also interesting. In the commercial and health insurance world, it is also sometimes referred to as retention or participation. It means the amount that you are responsible for before the insurance kicks in.

Kinds of retention in cyber insurance

So there are two (2) different types of retention. In the left orange box is deductible retention, which means that if a claim is a hundred thousand dollars and the retention is ten thousand dollars, a business would still be paying that $10,000, and the insurance would pay the remaining $90,000. And then in the self-retention, you see it’s similar, but there’s a little bit more coverage available there.

Knowing and understanding your policy is very important, especially to determine if you will have to pay first and get reimbursed only later, which most people don’t want. So, it is essential to go back and check your policy now because nobody would like to be surprised by that.

These things really are worth checking for because they’re a little bit buried in the policy, which is a 90-page document.

by Wayne Roye

Microsoft Cloud Architect & Digital Transformation Strategist

Wayne Roye is an expert in digital transformation, driving high-impact solutions and maximizing ROI. He leverages the Cloud Adoption Framework to accelerate outcomes, reduce migration risks, and ensure security/compliance from day one.
