The Ultimate Guide to Cyber Insurance for Startups

Agency is not an insurance company and does not sell cyber insurance. 
We do have an exclusive program for early stage startups.
See if you qualify for: Agency for Startups

For most startups, cybersecurity sits at the bottom of founders’ to-do lists. This way of thinking is problematic and, in our opinion, ultimately an unfair and disparaging way to treat your users. An unprepared startup is more likely to be damaged by a cyber incident and more likely to leave its users bearing the burden if something happens.

The good news is that it’s effortless to implement a few fundamental best practices right from the start, such as buying cyber insurance to cover both the company and third parties like your earliest believers and customers.

Regardless of your industry or business stage, your startup has vulnerabilities that leave it open to cyber threats. As cybercriminals become more sophisticated, they more easily infiltrate businesses and commit attacks. Combine that with increasingly digital businesses, and cyber risk is higher than ever. By 2025 cybercrime is expected to cost $10.5 trillion in damages in the United States alone, an increase of 250% from 2015.

“Over the past decade, the cyber threat has grown exponentially with nation state and cyber criminals increasing the scale, scope and level of sophistication of their cyberattacks. Addressing this kind of complex and agile environment requires a more comprehensive response than any one single government agency, business, technology, or data source can provide. Instead, an interwoven architecture of combined capabilities from across public agencies and the private sector must be leveraged to protect critical infrastructure and impose risk and consequences on attackers.”

– Herbert Stapleton, Deputy Assistant Director, FBI Cyber

Recovering from a cyberattack is usually quite costly. In 2020, the average data breach cost in the United States was $8.64 million, more than twice the global average. For small businesses, the average was $2.98 million in 2021, up 26.8% from $2.35 million in 2020.

So the most important question is: is your startup prepared?

It is imperative that you lower your risk and mitigate the impact a cyber threat would have on your business. While there is not one solution that will protect your business, an approach combining cybersecurity and cyber insurance increases your resilience by lowering risk, improving your ability to recover, and minimizing damage and disruption.


A Dynamic Duo: Cyber Insurance and Cyber Security

From ransomware and phishing to various social engineering attacks, companies are more at risk than ever. Distributed remote workforces have reduced visibility into the networks and devices employees are using, creating more gaps in security coverage and increasing cyber security risk. And while perpetrators have often been presumed to be external, they can just as frequently be internal.

The most prominent cyber risks businesses face permeate every area of a business, posing threats to:

  • Privacy – consumer privacy rights and regulatory risks
  • Security – network vulnerabilities, data breaches, confidential corporate information
  • Operations – reliance on technology to operate
  • Service – errors and omissions, contractual liabilities, aggregation of cyber risk

Cyber insurance and cyber security are important in your cyber strategy to reduce risk and minimize loss. While you’re probably already familiar with cyber security on some level, it is important to recognize that it is not a one-and-done infrastructure build-out but rather a complex system that needs constant management and assessment.  

Cybersecurity is “the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.” Implementing cyber security throughout your organization helps to lower the risk of cyberattacks. Measures such as anti-virus software, endpoint security, strong passwords with multi-factor authentication, and forensic logging are just a few tools important to implement for a strong cyber security strategy.

It’s important to understand that “security itself is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.”

Risks of malicious actors infiltrating security are continuously evolving as new entry methods are discovered, which means your security needs to evolve equally. Because of this, you cannot solely rely on software to protect against cyber incidents. It is important to have cyber insurance to complement your active cyber security measures for a holistic approach to cyber resilience.

What exactly is cyber insurance?

Cyber insurance is designed to help protect technology-reliant businesses against cyber threats and attacks such as data breaches, ransomware, DDoS attacks, and other criminal methods that compromise your networks, intellectual property, or confidential information. This insurance helps cover the high costs of a data breach or malicious attack, minimizing financial damage by covering expenses and losses to your business and clients.

While cyber insurance helps to transfer your cyber risk, it does not eliminate it. It is an important layer in building a cyber defense for your business to mitigate the impact of a cyberattack, and that is precisely why it is important to build resilient plans with both cyber insurance coverage and cyber security in tandem. Cyber insurance plays an important role in both managing and reducing your cyber risk.

What does cyber insurance cover?

Cyber insurance policies vary, and coverage depends on the needs of your business – there is no one-size-fits-all policy. Typically, coverages are divided among commercial general liability, first-party liability, third-party liability, and technology errors and omissions. Each type of insurance has different protections to address specific circumstances.

General liability insurance does not cover cybersecurity incidents. It covers claims related to property damage and physical injuries.

Cyber insurance, or cyber liability coverage, comes in a variety of levels depending on what needs coverage; policies include sections for first-party and third-party liability claims.

First-party liability insurance protects your business against the financial impact of a data breach or cyberattack on your own company. It covers damages from covered cyber losses on your own network, protecting you as the policyholder from the financial fallout when your systems or networks are breached and data, including employee and customer information, is stolen. This could include:

  • Legal counsel
  • Recovery of lost or stolen data
  • Services to notify customers
  • Lost income due to business interruption
  • Public relations and crisis management
  • Cyber extortion and fraud
  • Investigative forensic services
  • Fees, fines, and penalties

Third-party liability insurance protects you when your clients file a lawsuit following a cyber incident that is your fault, such as a data breach. This coverage pays your business’s legal defense expenses. It also includes:

  • Payments to consumers affected
  • Related claims and settlement expenses
  • Losses related to defamation, copyright, or trademark infringement
  • Costs for litigation and any regulatory inquiries
  • Accounting costs

Technology errors and omissions insurance, or professional liability insurance, protects your company when your clients file a lawsuit following an incident in which your company made a critical error that financially harmed them. The circumstances in which this coverage applies range widely, from oversights and mistakes to failure to deliver contracted services and professional negligence. This insurance covers:

  • Attorney fees and court costs
  • Money to settle lawsuits
  • Legal judgments
  • Additional court costs

Why Your Business Absolutely Needs Cyber Insurance

As a business’s reliance on technology increases, so does its vulnerability to cyber threats. While every business has a unique risk profile, there is only one question you need to answer to determine whether you need cyber insurance: do you conduct any portion of your business online? It could be as minimal as communicating with employees through email or as extensive as building your entire business in the cloud. Your answer was yes, right? That means cyber insurance is not a want but a need.

A business is estimated to suffer a ransomware attack every 11 seconds, and the average time to identify and contain a data breach is 287 days. This means that by the time you identify an attack, it might be too late. While that might seem dramatic, it is important to realize that 60% of small and midsized businesses go under within six months of a data breach or cyberattack. By building cyber resilience into your business through both cyber insurance and cyber security, you lower your overall risk both proactively and, should it be needed, reactively.

Your business’s vulnerabilities are constantly increasing, in parallel with increasing cyber risk. The constant growth in risk is impacted by the applications your business uses and the people who access them – including employees, vendors, and even customers. Every person is an additional vulnerable link for external threats to access protected networks and data.

According to the International Risk Management Institute, less than 15% of SMEs are confident that their cyber threat strategy can detect and respond to cyberattacks, with two-thirds of them reporting an attack in a 12-month span.

What are the most common threats and attacks?

The types of cyberattacks continually evolve as attackers become more effective and find new ways to exploit weaknesses and evade detection, but no matter the method, any attack can paralyze a business. What are some of the most common types of attacks businesses experience?

Social Engineering

  • Social engineering is the exploitation of human interaction to trick an individual into providing compromising information, making purchases or transferring company funds. The most common types of social engineering attacks include email, funds transfer fraud, telecommunications fraud, and crypto-jacking attacks.

Phishing and Spear Phishing

  • Phishing is a form of social engineering in which a fraudulent communication, typically an email, appears to come from a trustworthy source. It contains a malicious attachment or a link to a compromised website and asks for confidential information such as financial details, system credentials, or other sensitive data, which the attacker then uses to access otherwise protected systems.
  • Spear phishing follows the same approach as phishing but is much more targeted, aimed at specific organizations and individuals with very personalized messaging; 88% of organizations worldwide experienced spear phishing attempts in 2019. While phishing thrives on the quantity of outreach, spear phishing focuses on quality.

Malware, Ransomware, System Intrusion, and Bricking

  • Malware is malicious software designed to damage computers, steal data and information, mine cryptocurrency, and compromise networks. This includes trojan horses, viruses, spyware, crypto-jacking, and ransomware.
  • Ransomware is a type of malware that uses encryption to hold an organization’s information or data for ransom. It is distributed by email attachments, application downloads, or website scripts and is designed to target entire networks and quickly paralyze entire organizations. To decrypt and regain access to the files, the demanded ransom must be paid; otherwise the files are destroyed.
  • Bricking is when technology equipment such as devices or servers is the victim of a malware attack and loses all functionality, eventually requiring replacement.

Distributed Denial of Service

  • Distributed Denial of Service, or DDoS, is a malicious attack that floods a network with an overwhelming amount of traffic, so much that the network can no longer communicate or operate and ultimately crashes.

Basic Web Application Attacks

  • Basic web application attacks are simple attacks that compromise an application in just a few steps. This could be anything from gaining email access to repurposing an application.

Lost and Stolen Assets

  • A device such as a computer or cellphone that holds sensitive files goes missing, whether through misplacement or theft.

Privilege Misuse and Insider Threats

  • Malicious use of legitimate privileges in an organization, typically by an internal actor such as an employee, who uses insider access to take data they are not authorized to handle.

How to Avoid Having Your Business Become A Victim

As a company that utilizes technology, your startup is at risk of cyber threats – 28% of data breaches involve small businesses. So what factors are important in assessing, addressing, and ultimately reducing risk?

First, it is important to fully assess your risk level and understand the components you need to layer in your approach to build a holistic defense and mitigate cyber risk.

Assess Your Risk

How prepared is your company to handle a cyber threat? 61% of business leaders rank cyberattacks as a higher threat to growth than shifts in consumer behavior, speed of technological change, or supply chain disruption. The first step in assessing your risk for a cyberattack is to understand your overall cybersecurity maturity level.

  • High maturity level means you have a strong cyber risk strategy implemented.
  • Medium maturity level means you have some cyber risk measures implemented.
  • Low maturity level means you are behind and have few, if any, cyber risk measures implemented.

The lower your maturity level, the higher at risk your startup is to cyber threats. The following areas will help you assess where your startup can close gaps, improve resilience, lower vulnerabilities, and increase maturity.

  1. Define Responsibility

Leadership plays a key role in building a prepared response, but every individual within your organization holds some level of responsibility for cyber risk. Devices alone make each individual open to the risk of an attack.

> Do you have an individual or a team responsible for educating, implementing processes, and building a framework for managing tools around security and cyber threats?

  2. Identify Assets, Vulnerabilities and Threats

It is difficult to build a strong security network for your business if you aren’t aware of everything you have. From physical assets, such as devices, to digital assets and infrastructure such as SaaS solutions, applications and databases, your digital assets are most likely quite extensive.

> Do you have an inventory of all physical and digital assets to visualize vulnerabilities and identify threats?

  3. Analyze Risks and Potential Impact

Not all areas of your business are equally secure and some areas are more important or carry higher risk should a cyber threat occur. It is important to identify the risks across your entire digital ecosystem.

> Where is sensitive information stored and how do you access it in the event of an encryption failure? What is your business continuity plan in the event of a cyber event? Can you financially recover?

  4. Set Security Controls and Monitor

Understanding where the greatest cyber risks within your business lie is important so that you can build controls and enhanced security. From firewall configurations and network segregation to anti-malware software, data backups, and more – you can build the security your startup needs.

> Do you have a thorough cyber security environment with controls in place and consistent monitoring?

  5. Have a Cyber Insurance Policy

While all of the other areas help protect your company from the actual threat, cyber insurance is the only segment that directly assists in minimizing financial losses you incur directly and even helps you recoup costs.

> Do you have cyber insurance coverage?

Did you answer yes to all of these? Or, no? We’re guessing it was some combination. But in reviewing these key areas of risk you should have a more comprehensive understanding of the areas you need to address within your business to build a resilient cyber strategy and protect your startup.

Building a Multi-layered Approach

Think of your approach to cyber risk and security as you would dressing for a day in the cold. Different layers protect different areas, and stacking layers adds protection in the most vulnerable ones. This holds true whether we are discussing cold weather or security for your startup.

Now that you have more than likely decided that it is vital to prioritize the protection of your business from cyber threats, it is important that in your approach to lowering your cyber risk you do not build your strategy for cybersecurity and cyber insurance in silos.

Cyber insurance cannot be treated as a risk transfer mechanism that makes up for a decreased level of security, so it is important to create a multi-layer approach. In building it, there are key components that provide protection beyond what any single measure can.

Multi-Factor Authentication

Complex passwords are no longer enough to protect your digital systems. Multi-factor authentication, also known as MFA, secures your data and applications by requiring your users to present various combinations of two or more credentials to verify identity and decrease the likelihood of a cyberattack. Common MFA factors typically incorporate at least two of the following:

  • Knowledge: things an individual knows – a password or a PIN.
  • Possession: things an individual has – a verification code sent to a smartphone or email account.
  • Inherence: things an individual is – a fingerprint or voice recognition.

Endpoint Security

This layer of security is your frontline protection against threats. It secures both the end and entry points on end-user devices such as desktops, laptops, tablets, mobile devices and point-of-sale systems. These points exist in every scenario in which humans and machines intersect. With each employee typically having multiple devices that can access your networks, this is an extremely vulnerable entry point for cyberattacks. Endpoint security uses encryption and application control to monitor, block and secure each device and the files that enter your network from them. One component of endpoint security is anti-virus software. 

Data Backups and Restoration

Having just one copy of all of your company data just might be the modern definition of living on the edge. Data backups regularly create copies or archives of your network data in a secure secondary location that you can access should you need to restore this information, whether due to a system failure, data corruption or cyberattack. These backups are imperative in helping your business in its ability to recover from a cyber event and minimize disruption to your operations.

Forensic Logging

Logs from your networks, applications and systems contain important information that is typically needed in the event of a cyber incident. These logs provide you with precise details of all events that have occurred on your server, network, and website in any given time frame. Analysis of these logs is called log forensics and is vital information in a “digital crime scene” so that you can establish factual details in the case of a judicial review. Because digital forensic analysis is an important part of your cyber security operations, you need to have systems in place to make sure that logs are properly working and being stored.

It is crucial to incorporate these four key measures into your cyber strategy, so you can not only lower the risk of a cyber threat to your startup but also support your cyber insurance coverage. And most importantly, they help prevent overall disruption and damage to your startup following a cyberattack.


How to Shop for Cyber Insurance

The cyber insurance market is continually evolving and adapting to the continuously changing threat landscape. This means how coverage is built is different now than it was even just a year ago. And with this, it is important to be aware that not all cyber insurance policies are created equal. If you already have coverage, you’ll want to review it. If not, it’s time.

One of the key elements in buying cyber insurance is to purchase it early in establishing your business. Why? The cost of cyber insurance is impacted by various factors, including the number of customers, revenue, payroll, and the types of data you store. So generally, the earlier you purchase your policy, the lower the cost of your coverage. It is important to understand that while this is true for most startups, certain industries are exceptions to this general rule and can experience difficulty in finding the same coverage. This typically affects the industries at highest risk for attacks, which include finance, manufacturing, energy, and retail, and those that carry higher volumes of sensitive data, such as healthcare and information technology.

Where to find cyber insurance?

If your startup already has a commercial general liability policy or you have an agent you work with, you will want to start there. If not, here are a few companies and brokers who specialize in cyber insurance.

  • Vouch – provides coverage to early-stage tech startups and can be purchased online
  • The Hartford – provides coverage when paired with purchasing a general liability policy
  • Corvus Insurance – provides higher coverage limits of $5M+

When deciding on an agent or broker, it’s important that you understand their level of experience and familiarity with your industry and with businesses like yours. Some important questions to ask include:

–   What types of claims have your clients filed?

–   What is your familiarity with our industry and its common risks?

–   Are your policies flexible to adapt as we grow?

Want help finding a broker or insurance program? Get in touch with Agency for Startups

What is the right amount of cyber insurance?

There is no one-size-fits-all for cyber insurance. Determining limits varies extensively because each individual business has unique risks that are further complicated by its industry, customers, cybersecurity implementation, and data storage policies and procedures.

The amount that is right for you is based on a compilation of your risk factors along with your business’s threshold for risk. As a startup, you should have a minimum of $1M in coverage for both first and third-party liability. At $1M, 39% of small businesses pay less than $1,500 per year on average for their cyber insurance.

Because no two policies are the same, it is imperative to make sure that you have ample capacity in your policy for the areas in which you need the most coverage, and a clear understanding of the sub-limits that exist across your coverage, so that you are not underinsured. Therefore, it’s important to do your due diligence in evaluating your options and to fully understand any obligations you are required to follow to make sure your claim is honored in the case of an incident.

What should your cyber policy cover?

What your insurance should cover varies based on your industry and business needs as well as third-party requirements. But there are some key elements of coverage that are essential. This includes business interruption, network security, privacy liability, media liability, and errors and omissions.

–   Business Interruption covers your business in the event of a cyber incident that precipitates a network interruption that causes lost profits and direct expenses.

–   Network Security covers your business in the event of a cyber incident that causes network security failure such as a data breach, malware, ransomware, or cyber extortion.

–   Privacy Liability covers your business in the event of a cyber incident that requires litigation or a settlement.

–   Media Liability covers your business in the event of a cyber incident that leads to intellectual property infringement.

–   Errors and Omissions covers your business in the event of a cyber incident that prevents your fulfillment of contractual obligations and delivery of services.

It is crucial to remember that while these are the core components of coverage, there are opportunities for additional and distinct coverage based on your startup’s unique needs. This includes enhancements in coverage for social engineering, reputational harm, bricking, forensic investigation and more. This should be determined based on the needs of your business and not singularly benchmarked by the needs of industry peers. Your agent or broker will guide you through what will be required specifically for your business.

Make Cyber Resilience a Priority

Your business has a lot to lose should you face a cyberattack. Prioritizing cyber security and insurance for your startup is no longer a question of whether, only of when and how. Cyber insurance and cyber security will help you to quickly reduce and transfer risk, effectively manage and respond to an attack, and significantly minimize damage to your business.

It’s important to begin laying the foundation to build your cyber resilience and work with trusted partners internally and externally to build your risk management strategies, implement security measures, and purchase insurance.

In a survey conducted by the Insurance Information Institute of small businesses that experienced an attack and had cyber insurance, 97% indicated their insurance adequately covered their losses. Moving cyber security to the top of your list protects both your business and your customers, minimizing any potential burden faced and ensuring a more stable future for your startup. It’s time to take steps to get started today.

Have questions about getting started, implementing cyber security, or buying insurance for your startup? We’re here to help.
