In the dynamically growing world of FinTech, trust and security are everything. Even one mistake in these fields can cause a promising startup to fail instantly, and there are no second chances. How can you minimize business risk when it is impossible to be 100% certain of your cybersecurity measures? Read on to find out how cybersecurity insurance providers can let you sleep tight.
Why we need cybersecurity insurance providers
At Code & Pepper we know how important cybersecurity is. After all, we deal mostly with FinTech and need to maintain the highest standards to ensure that all the projects we work on for our partners are secure. No matter how much attention one pays to this issue, though, no system is 100% safe. Some types of attacks are extremely difficult to protect against (DDoS, for instance) and, in fact, it is becoming harder and harder to stay safe each year. Also, there are so many components in every system or application that it is impossible to predict whether all of them will always be free of vulnerabilities – even after performing tests at every step of the SDLC. Need evidence?
- 88% of organizations worldwide experienced spear phishing attempts in 2019 (Source: 2020 State of the Phish Annual Report).
- 86% of breaches were financially motivated and 10% were motivated by espionage (Source: Verizon’s 2020 Data Breach Investigations Report).
- At least 76% of small and medium-sized enterprises report cyber attacks each year (Source: 2019 Global State of SMB Cybersecurity report).
In such an environment it is only sane to treat a cyberattack as a real possibility. This is where cybersecurity insurance providers come into play, with services aimed at minimizing the consequences of a successful attack. Why is it good that there are insurers that specialise in cyber-threats only, though? Thanks to such a narrow field of work, these companies can adapt their products to the rapidly changing world of hacking. They understand that talented and extremely creative criminals keep inventing new ways to harm businesses, and they are willing to understand the very specific needs of their clients.
What do cybersecurity insurance providers have to offer
What is extremely important about cybersecurity insurance providers is that they protect the value of the entire business. Some of these companies cover sums even higher than a dozen million pounds.
In cybersecurity insurance, coverage is divided into two types:
- 3rd Party Liability Coverages
- 1st Party Liability Coverages
Let’s quickly find out what these are.
3rd party liability coverages
After you fall victim to an attack, information about 3rd parties, such as your customers, may become public. This can include their personal data or multimedia content. As a result, you may face fines and other penalties. In some cases, a cybersecurity breach may lead to bodily injury or property damage, and if any of these happens to a 3rd party your business is connected with in any way, a cybersecurity insurance provider will cover you.
1st party liability coverages
The list of events in which an insurer can help you under 1st party liability coverage is even longer. After all, we’re talking about situations where your business is the direct victim of an attack.
Besides the obvious coverages, such as bodily injury to you or your employees and property damage (any type of equipment that needs to be replaced or repaired), an insurer will usually cover losses caused by:
- Fund transfer fraud (a very common result of a social engineering attack)
- Service fraud (fake bills or additional charges for services)
- Digital asset restoration (costs of recreating digital content lost as a result of an attack)
- Business interruption (your company may be temporarily paralyzed and generate losses after falling victim to an attack)
- Extortion (an insurer can cover the costs needed to respond to an extortion incident)
- Breach response (including funds for specialised 3rd party services)
- Public relations (media monitoring and purchases)
- Reputation repair (long-term costs, including legal fees)
Cybersecurity insurance providers won’t solve all problems
We’re in the ransomware era of cyberattacks, after decades of viruses and other types of breaches. What is different in the case of ransomware is how much more expensive dealing with attacks can be. Moreover, the financial consequences are becoming more and more severe: ransoms can be as high as USD 10 million (Garmin paid that much last year – I hope they were insured). Now, if the same sum is the limit for most insurers and the trend continues, ransomware attacks may be too much for cybersecurity insurance providers. There are just not enough funds in the industry, as Tom Johansmeyer from Harvard Business Review points out. Let’s hope it’s just a short-term problem and service providers will adapt their offers to what the criminals do.
Top cybersecurity insurance providers on the market
While there are dozens of insurers that provide cyber-risk protection, 99% of them are huge financial institutions, and cybersecurity is just a fraction of what they deal with. There is one interesting startup that offers only cybersecurity insurance products – Coalition. Later on we’ll get to the more standard firms, but let’s start with the underdog.
Coalition is an American company based in San Francisco that has specialised in cybersecurity insurance since 2017. Though just 4 years on the market may not seem impressive, Coalition claims to be one of the best cybersecurity insurance providers. It’s very probable, since Coalition was designed as a very specialised startup and grew dynamically after raising USD 125 million from top-tier investors, including Ribbit Capital, Greenoaks Capital, Valor Equity Partners and other major enterprises and financial institutions. Right now, Coalition serves more than 25,000 clients from all industries and of all sizes, from small businesses to Fortune 500 giants.
Coalition is not an insurance broker, however, and you cannot purchase directly from them. The company offers a very specific product and cooperates with brokers to get it on the market. If you don’t know where to find a Coalition partner, feel free to contact the company, though.
If you are not sure whether you are exposed and need insurance from Coalition, you can order a free cyber-risk assessment service to learn more.
Chubb, a Swiss company, is currently the biggest commercial insurance provider in the USA. Cybersecurity is not their main area of interest; however, they’ve been insuring against cyber-threats since 2018. That short track record doesn’t mean much, though, because Chubb knows all there is to know about the insurance industry, having dealt with it since 1882.
Chubb offers a number of different cyber insurance products for all industries and sizes of companies. Enterprise Risk Management is intended for large clients, while DigiTech ERM is for technology companies, such as FinTechs or software developers. Integrity+ is a selection of policies for claims by third parties, B2B partners (vendors, suppliers etc.) and customers. ForeFront Portfolio 3.0 is designed to meet the needs of private companies and, besides cyber-threats, covers a variety of risks, including extortion and kidnap ransom. If you, for some reason, fear falling victim to a cyber-criminal as an individual, you may consider purchasing Chubb’s Cyber Protection product.
For Chubb, most risk types are eligible for USD 10 million in limits; however, a maximum capacity of USD 100 million is available via Chubb’s Global Cyber Facility. Chubb’s policies can be purchased through agents and brokers.
American International Group (AIG)
Founded in 1919 in Shanghai, AIG is now present in over 80 markets worldwide and has its headquarters in New York. Being one of the largest insurers in the world, AIG offers its services both to individuals and businesses.
Cybersecurity is an important sector for AIG. The company’s cyber coverage was recognized as one of the best on the market when it won the Advisen 2018 Cyber Risk Innovation of the Year award for CyberMatics. This product can be a part of a general policy or bought independently. AIG’s base-level cybersecurity insurance is CyberEdge, which covers financial costs resulting from attacks (data restoration, money owed to third parties, extortion, network interruption). The CyberEdge Plus variant also includes physical damage and physical injuries of third parties. Interestingly, the firm created its top product, CyberEdge PC, in cooperation with IBM. Typically, the limits are up to USD 100 million.
Interestingly, AIG tried to have a dedicated CyberEdge application and encouraged clients to use it for purchasing policies. Now, however, the application seems to be dead, with the last patch released in 2016. It was also deleted from the Google Play store and is now only available for iPads.
Axa XL (formerly known as XL Group)
Founded in 1986 in tropical Bermuda, XL Group is now a subsidiary of Axa and is known as Axa XL. Cyber Insurance is a very simple and informative name for a product range. Axa XL’s solutions include a modular cyber and data protection policy custom-designed for different industry sectors, covering both third-party liability and first-party losses – pretty standard. What makes Axa XL’s offerings unique is their network of cybersecurity experts who are ready to provide top-class breach response services 24/7. They help with literally every aspect of the post-breach work, from IT forensics to public relations.
North American clients can also purchase Axa XL’s CyberRiskConnect, which is a policy available only in the USA and Canada. The main benefit of this product is access to proactive risk mitigation resources through a dedicated platform. Another reason to choose Axa XL’s proposal is its transparency. The policy is formulated in a very clean way and the whole offer is superbly easy to understand. Too bad the policy’s capacity is only up to USD 15 million.
To insure or not to insure
There are two types of people: those who have insurance policies covering their possible problems and those who worry after the accident. While it is impossible to predict what measures need to be taken to maximize security, it is always better to be careful. Even if you do invest in top-notch ethical hacking services and eliminate the weak links in your system, you will never be 100% safe. And this is where cybersecurity insurance providers can help you sleep tight!