We specialize in cybersecurity, not insurance, but I still get this question, and as a business owner I ask myself the same question.

Common costs of a data breach or ransomware attack include:

  • Business interruption/lost revenue: Most businesses rely on technology to operate efficiently. But a cyberattack can take down your tech, leaving you unable to offer services or make sales.  When you get lawyers and insurance involved, it really can slow down the process.  In some cases, I have seen companies start to just replace equipment to keep the business moving forward.  All these cases get expensive.
  • Ransom demands:  The average ransom demand has increased from $25K in 2017 to $751K in 2021 – a thirty-fold increase, according to NetDiligence's 2022 Ransomware Spotlight Report.  There have been instances where the ransomware demand relates to bank account balances.  This is big business for these attackers; they know what the company can afford.
  • Investigating and eliminating security weaknesses: You will want to bring in forensic experts to find and fix a security flaw.  This can cost you big bucks. A forensic examination by a reputable firm can cost anywhere from $10K to over $100K. Your cost will depend on a number of factors, including the size and number of locations of the business.
  • Public relations costs: As soon as you learn of a data breach, you need to start damage control. A PR firm can be essential to protect your business’s reputation.
  • Regulatory fines/penalties: The State of Ohio requires that any exposed third-party data be reported.  Regulators are cracking down on companies that fail to protect data, no matter their size. Penalties for negligence can range from massive fines to jail time.  The FTC has now jumped into the ring and they mean business.  In June of 2023 they expanded the GLBA Regulation to create an FTC Safeguards Rule in order to protect consumer data.
  • Customer notification costs: Following a data breach, you must contact any affected party. This can get expensive, with the average U.S. customer notification cost being $270,000, according to an IBM report.
  • Credit monitoring: There could also be a need to cover credit monitoring services for all affected parties for at least two years. Credit monitoring can cost anywhere from $10 to $30 per individual per year, according to Zurich.
  • Reputational damage/lost customers: Even with the best PR, your business’s reputation will take a hit after a breach. It’s hard to measure lost business but expect it to impact your company’s bottom line.
  • Potential lawsuits from customers or clients: Lawsuits are always a risk after a data breach. According to NetDiligence’s 2022 Cyber Claims Study, the average legal or litigation expenses related to cyber incidents that occurred during 2017–2021 were $287,000 for SMEs.

Maybe you feel some of these bullet points are overkill – but it depends on your business.  Downtime is expensive; clean-up is expensive and never goes as fast as you want.  Another stat I found was that the Small Business Administration said that 60% of the businesses hit by a cyber attack go out of business within the first 6 months.  Maybe that is your plan?  Cyber attacks are inevitable, but protecting your data is your responsibility.