The Biggest Mistake Companies Make in Determining Cybersecurity Insurance Amount


Every business owner hopes that they never experience a security breach in their company. However, in light of the recent global cyberattacks that affected large corporations like JBS and Colonial Pipeline, you can't afford to be casual about cybersecurity measures. As the digital landscape changes with each passing day, you may not know where the next attack will come from and how it will affect your business. 

This is why you need to have cyber insurance for your business. It can protect your business and give you peace of mind knowing that you're covered if something goes wrong. 

Unfortunately, businesses make several mistakes when answering the question, "how much cybersecurity insurance is enough?" So we reached out to cybersecurity experts to find out what they think is the biggest mistake companies make in determining the amount of insurance they need. 

Ignoring the Two Elements of Liability in a Cyber Breach

Cyber insurance should be mandatory for every company, given that an attack is almost certain. However, many companies fail to realize that a cyber breach presents two elements of liability. Firstly, they suffer a reputation liability, and secondly, they face an actual lawsuit liability from their clients and customers. The biggest mistake companies make is not understanding the reputational part of the cyber breach, says Matt Bullock, VP of Technical Sales at Accelera IT Solutions.

When a company gets hacked, it quickly learns the hard way that it can spend about 20% - 50% above the lawsuit amount on rebuilding its reputation. The process is long and requires time and money. On the one hand, the company must remarket itself, and on the other hand, it must explain in plain terms how the attack happened and the steps the company took to mitigate the breach. Besides, it must define the steps it has put in place to immunize itself against future security breaches. 

With these crucial factors in mind, companies need to plan on an additional 50% of total financial protection above what they think lawsuits will cost them.

Not Considering the Cost of Downtime

Nick Martin, Director of Managed Services at Mainstreet IT Solutions, says that many companies miss out on their financial goals when looking for cyber insurance. They don't take the time to consider how much they stand to lose during downtime after an attack happens. On the contrary, they are quick to count the cost of operations, direct employee paychecks, and benefits, not considering the loss in sales and customer trust. 

For example, if a company is down for a week, how much revenue does it estimate it will lose? If it loses customer trust, which harms future sales, should more insurance money be considered to repair lost faith through various efforts? Those are difficult costs to quantify, yet those costs have a profound impact on the business's health if something were to occur. While paying insurance is not an enjoyable thing to do, the benefit of having that insurance if something were to happen has a profound impact. 

Not Having the Bigger Picture in Mind

Martin's thoughts are backed by Michael Anderson, Founder and President of 365 Technologies. Anderson says that companies forget to incorporate the complete picture of the cost of business disruption. Costs like fines or even paying a ransom, which is not recommended, are clear and direct. 

However, understanding the actual cost of potential downtime can be more complex.  A company must consider lost productivity, failure to meet contractual obligations, loss of reputation, and recovery costs. In addition to ensuring adequate coverage, companies should also take time to understand what terms and conditions may apply. With cyber-attacks on the rise, insurers require that companies demonstrate they have appropriate security controls before extending coverage.

Troy Driver, President of Pure IT, recommends taking it a step further in considering the risk involved. A company should consider:

  • The worth of its data

  • How sensitive is that data?

  • If the hacker takes a copy of the data and posts it on the internet, what sort of issues could that cause? 

  • Could the company be in the position of being sued? 

In other words, a company must first understand and quantify the amount of risk it holds. Having a robust risk management strategy will allow businesses to decide which risks to avoid, accept, control or transfer to cybersecurity insurance. Avoiding the risk through cybersecurity prevention measures will go a long way in protecting your business. It will also help reduce the level of cybersecurity insurance required, says the Sales Development Representative at CyberUnlocked, Sarah McAvoy. 

Recovering from a security breach can be very expensive. Besides, the fallout could be much more far-reaching than what is assumed. Hence, it's always a wise idea to speak with someone who understands cybersecurity risk. They will help evaluate what insurance coverage would suit a particular situation before signing up for coverage.

Not Thinking That They Need Cyber Insurance

According to Ashu Singhal, President of Orion Networks, many companies don't think they need cyber insurance. Consequently, they end up running their operations without coverage, believing they are protected. Bryan Badger, the CEO of Integral Networks, also believes that companies think they are not targets of cybercrime and hence don't need insurance. 

Sometimes when they take up insurance, they go for policies that don't cover all the pieces of technology that their businesses run on. For example, they forget about the security systems, phones, and lawyer costs. The best approach in determining how much coverage a company needs is to think of everything technology-related. Then, consider what the cost of replacing it would be in the event of an attack, says Singhal. 

While at it, it's also crucial to calculate the deductible, which sometimes tends to run fairly high, adds Ilan Sredni, CEO and President of Palindrome Consulting, Inc.

Prevention is Better Than Cure

McAvoy believes that it helps to take a proactive approach in cybersecurity insurance matters. She recommends that even if compliance is not mandatory, businesses should adequately protect themselves, especially if a client decides to sue them for not preventing a data breach. 

Badger adds that there are five basic things that companies should be doing at a minimum even if they are not already breached. 

  • Find and work with a reputable managed services provider: look for one with experience in helping breached companies recover from the loss. Such an MSP can help you navigate what you need to put in place based on your business needs. 

  • Put a proper security firewall in place: if you're not already paying an annual license subscription for a firewall device that includes security service, you're not well protected. 

  • Use security filtering services that prevent link poisoning 

  • Implement multi-factor authentication to add a layer of security to all logins

  • Create a rock-solid backup system and recovery plan that focuses on Recovery Point Objective and Recovery Time Objective to minimize data loss and downtime.  

Final Thoughts 

Cyber insurance is crucial for businesses, especially in the wake of increasing cybercrime. However, many companies don't give much thought to it. In worse cases, others don't know the factors to consider when determining how much insurance they need. 

The good thing is that working with an experienced cybersecurity expert can help you through the ropes. They know all that goes into determining insurance premiums for your business. Don't suffer alone in silence or throw caution to the wind out of frustration. 

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
* This is a contributed article and this content does not necessarily represent the views of itechpost.com
