The Expert Podcast

So what is the difference between cyber insurance and cyber security? Forbes had a really good article about that exact subject, and we get into this every single day because we own both a cyber insurance agency and also a licensed investigative agency. So we deal with both the security and the insurance.

First, let's look at what the article says. It says cyber insurance protects an organization against financial losses following an attack. Cyber security focuses on protecting data, software, and hardware and preventing the attack from happening in the first place. Differing outlooks mean that traditionally cyber insurance and cyber security were separate propositions because the underwriting of insurance was treated much like other lines of commercial insurance. The focus was tallying up losses and determining which industry the organization fits into—that's called underwriting.

So when you go to get insurance in a traditional type of insurance, they say what kind of business are you, how big are you, how many employees. This is what we expect for losses. Here's your rate. Here's your premium.

For cyber, they started doing things the same way. However, smart insurance companies now are writing cyber insurance coverage in a different way. They're looking at it more holistically. So if you're talking to your agent or your broker about cyber coverage, ask them what means testing or what strategy they use to create their market for cyber insurance. Because if it's written under a traditional market, the rates might be too high, they might be too low. You want to have a cyber insurance company that is starting with a clean sheet of paper because the majority of cyber insurance underwriting comes from a risk-based approach, not a loss-based approach.

Another industry has done this for many years, and that's the real estate title insurance industry. Look, when you buy real estate title insurance on a transaction—you buy a house, you get title insurance—they don't expect to have many claims. In fact, the claims rate for real estate title insurance is like two or three percent of premiums. They put a lot of their money into prevention. They run title searches, they do title abstracting, they get a title opinion. They do a lot of prevention up front from having title claims to keep it from happening in the first place. So their rates are low. In fact, the good thing about real estate title insurance is it's not an annual premium. You buy title insurance one time and that premium is good for as long as you own the property.

Cyber insurance in the new marketplace is being underwritten in much the same way. They're going to look at the risk of your company, not the risk of your industry in general or what their loss runs are or what their claims experience is. They're going to look at your particular company. In fact, many of the modern progressive insurance companies, when you submit for a quote, they're going to scan your system, they're going to check your domain name, your website, your company information, and they're going to get a profile pretty quick of what level of risk your company is—not because it's in a certain industry or SIC code or demographic area. They're going to look at your particular company.

In fact, they may actually get your IP addresses and do scans to know how much of a risk is your company. In addition to that, they're going to put certain protocols on your policy requiring you to do certain things. Have multi-factor authentication so you can't just log in with a password—you have to have a code sent to your phone like you do for your bank. They may require you to have monthly updates to patches on firewalls and modems. They may require you to have access for their underwriting to ping or pen test your system. That's a good thing because if your insurance company is writing your policy based on your particular risk, you're not going to get lumped in with a bunch of jamocks and other companies that really don't know what they're doing.

So the newer cyber insurance companies are coming at it from a whole different ball game. They're not like the legacy old school insurance companies. Look, those companies know how to write things like fire, commercial auto, physical damage, errors and omissions—all the traditional types of insurance—because their losses are based on industries. Cyber is based on a particular company risk.

If you are at this moment thinking about cyber insurance, you are probably at the cutting edge of cyber awareness. Most companies aren't even asking about this yet. Most companies don't even think they need it yet. If it's at least on your mind, you probably are already wondering what should I be doing, how can I prevent it? You probably already have some fear about having a cyber loss, which you don't want to have, so you're probably already taking some actions. That's a good thing. That's going to put you at the more limited risk end of that curve.

Still, before you start doing underwriting or applications, we recommend getting a list of best practices. You can get it from our website: riskcoverage.com. What are the best practices to put in place in your company before you start applying for insurance? Because if the insurance carrier, the underwriter, can see that you as a company have already put some procedures in place, they know that you take it seriously. And the things that they add on for recommendations or even requirements are to just stack above what you already are doing.

The other clue to how well your carrier is has to do with how they take your information. Are they giving you a piece of paper you have to fill out and hand write an application? Or is it done electronically? Many companies in the past—I'm sure when you did your renewal or new insurance for your company—you filled out a form, an application form. Maybe it was a PDF file online. But the more modern progressive insurance companies for cyber are taking all this information electronically. You're typing it into a website. We even have a portal—and you can check out our website—where you can do it verbally. You can do it by voice. You can call a number. You can speak into the voice system to answer the questions at the prompts and it can come up with a quote based on that.

Cyber is a big deal right now. Five to ten percent of companies are looking for it. We expect over the next two or three years it's going to jump over 50 percent of companies as you see two things happen: more claims and more events happening—people that you know in business or maybe even your own business—and also a more stabilization of rates. You know, rates have been jumping around a lot. They were low, then they jumped high, now they're backing off.

Once rates get into a range where it's easy to have a policy with a stabilized rate that you can count on, more companies will be adding cyber liability coverage to their layers of protection they have. Look, you probably have an umbrella policy, a commercial umbrella. You probably have other types of coverages that are layered on top of each other. Why not add cyber?

For a typical—don't quote exact amount for your company because you want to get it specific—but most medium to small size companies with a decent amount of employees in a non-dangerous industry that have regular protocols, you can get a cyber policy for a thousand bucks, 1500 bucks a year in most cases. Maybe a little more if you have a higher employee count, but it's not going to be a ton. It's not going to be 10,000. It could be 20,000 unless you're a Fortune 500 company or you have high risks.

Again, this is not designed to be a price quote—just designed to give you an idea of what these policies cost. You can find out almost instantly on our website. Type in four or five pieces of information, hit enter, and you can find out exactly what it would be—whether you get it from us or somebody else.

If you have questions about cyber coverage, you can reach us at our website: riskcoverage.com, or you can contact us through email or our phone.