Should my business get ransomware insurance and how much does it cost?

Max Pierce - December 13, 2021

Ransomware attacks are on the rise and cyber insurance is becoming more and more of a necessity every day. Organizations that find themselves with poor cyber hygiene AND no ransomware insurance are asking to be attacked. It’s a perfect storm for threat actors.

To protect your organization you should:

  1. Get ransomware insurance (or better yet, cybersecurity insurance)
  2. Improve your cyber posture by working with a cybersecurity agency

Typically ransomware coverage has been included within more generalized cyber policies. As time goes on though, stand-alone cyber policies that cover ransomware are becoming more readily available.

Here’s the catch: protecting against one potential cyber-attack type is hardly “comprehensive” coverage and could be easily exploited.

Many organizations are turning to kidnap and ransom policies for coverage. These kidnap and ransom policies are meant to be used to protect executives, not protect from ransomware. These policies were not designed with ransomware in mind. That means that payouts tend to be lower and the coverage is less comprehensive.

The right move is to get a comprehensive cyber policy that protects your organization across the board. Skip the gimmicks; they are not worth the risk.

So should I get ransomware/cyber insurance?

The answer is invariably yes.

Insurance costs can be difficult to swallow. The alternative if you experience a cyber attack is not pretty.

Just ponder this:

Can you think of any other business risk that you have no control over, that could completely lock down your operations and permanently close your doors in just a couple weeks?

There are very few risks that large. A cyber-attack event is one.

So now the question is: how much does it cost? What should I look for in my cyber insurance policy? What can I do to reduce my risk?

Let’s break it down.

How much does cyber insurance cost?

The national average cost for cyber insurance in 2019 was $1,485 per year in the U.S. This number is highly variable depending on several factors, the key ones being the nature and size of your business. Obviously, if you handle insurance for an organization of 1000 people, your cost isn’t going to be $1,485 a year.

Insider Insight: Cyber insurance companies have found themselves paying out huge amounts to attackers over the past 12 months. As a result, premiums on cyber insurance are rising rapidly. Many estimate that premiums will increase by a minimum of 1.5x and up to 4x when your organization goes to renew its cyber insurance. Insurance companies don’t like losing money, and this is their solution.

So if you have a company with annual revenue of $1mm, with a $10,000 deductible and liability limits of $1mm you can expect to pay around $1500-$2500/year on a cyber insurance policy.

What to look for in a cyber insurance policy

Important note: cyber insurance isn’t standardized, so your organization should review all policy language with a broker before making a decision. Unfortunately, policies can vary significantly in the language used and their policy options. At minimum, it is recommended to find a policy that provides coverage for extortion demands/payments and covers lost income as a result of an attack.

You should look for policies that use broad terminology and that protect against a wide range of threats. In particular, look out for the following:

  • Threats to damage or destroy software/programs
  • Threats to use your network to transmit malware
  • Interference with your company website (modifying content to deface your company)
  • Phishing attempts
  • Impairment/disruption of business operations
  • Threats to introduce malicious software to your network (viruses and self-propagating code)
  • Access to private data stored on your network and the subsequent sale, disclosure, or misuse of that data

Cyber insurance policies and premiums will vary widely depending on the nature of your business. They depend especially on whether you store sensitive records, what types of risk management policies you have in place, and several other factors.

This means that the only way to find the best policy for your organization is to work with a broker. It’s important to remember that insurance companies are businesses and they expect to make a profit. In 2021/2022, most insurance providers will no longer provide coverage unless you follow basic risk management procedures. This means doing things like implementing multi-factor authentication and training your employees on cyber risks.

The other side of the story. What you should do to mitigate your risk of a ransomware attack.

Mitigating cyber risk is much like mitigating financial risk in your organization. Think about who has access to your computer-based operations and why. The largest vulnerability for your organization is the people within it. The majority of cyber events start as a result of human error.

Managing cyber risks is a continuous battle. Cyber-criminals are always finding new ways to attack companies. This means that to maintain protection (and compliance) you need to continuously test and assess your company’s risk management policies. What worked a year ago may no longer be effective. We tell our clients that managing cyber risk, especially for those in high-risk industries, should be considered an operations expense. To maintain operations you must continuously assess, track, and mitigate cyber risks.

Wondering where to start? A good place to kick this process off is with a cyber security assessment of your business.

Does this all seem like a headache?

We get it, it’s hardly exciting and can often leave our clients feeling frustrated. That’s why we recommend working with an agency that specializes in managing these things. At Techfive, that is what we do.

The way I explain what we do to our new clients is that we are managed service partners built for the modern world with a security-first mentality baked into every step of our processes.

We can help you handle compliance, cyber risk management, work-from-home tech and so much more.

If you would like to know more, feel free to schedule a free 30-minute discovery call with us by clicking here.

In summary

  1. Yes, you should invest in cyber insurance
  2. Opt for a comprehensive cyber insurance policy rather than ransomware-specific insurance
  3. The cost of cyber insurance is highly variable. You can expect to pay a minimum of $1500/year for businesses exceeding $1mm a year in revenue.
  4. Work with a broker to establish a specific policy for your organization. Look for broad language around threats.
  5. Most cyber insurance policies require you to protect your organization first. This means committing to risk management for your organization.
  6. Work with the pros

Thanks for reading. If you want to know more about cyber insurance policies or protecting your business, feel free to reach out to our advisory team here at Techfive. They would love to discuss it with you.
Marketing Manager @ Techfive | Working to make B2B brands more personable & human.
