A Guide to Obtaining Cyber Security Insurance for Your Small Business

In today’s increasingly digital world, cyber security is more important than ever before. Small businesses are especially vulnerable to cyber attacks, as they often lack the resources and expertise of larger businesses. This is why it’s so important for small businesses to have cyber security insurance.

Cyber security insurance can protect your business in the event of a data breach or other cyber attack.

But what exactly is cyber security insurance, and how do you go about obtaining it? This guide will answer those questions and more, so you can make an informed decision about whether or not cyber security insurance is right for your small business.

What Is Cyber Security Insurance?

Cyber security insurance is a type of insurance that helps to protect businesses against the financial losses that can result from a cyber attack. This can include things like data breaches, theft of confidential information, and denial of service attacks.

Cyber security insurance can help cover the cost of damages, legal fees, and other expenses associated with a cyber attack. It can also help you recover from an attack and get your business back up and running as quickly as possible.

There are a variety of different types of cyber security insurance policies available, so it’s important to do your research to find the right one for your business. Policies can range in price from a few hundred dollars to several thousand dollars per year, depending on the coverage you choose.

If there’s one thing we know is that cyber security insurance costs have gone up exponentially in the last few years and are expected to grow further.

One of the changes we’ve noticed in the market over the last several years is that it’s becoming more difficult to obtain cyber security insurance.

Why? Because some insurers are now aware of the dangers posed by cyber attacks, they are now “demanding” certain standards from businesses before they will cover them. It’s no longer enough to just have the funds to pay for premiums. Of course, this requirement is different for each provider. We cover the standard checklist of things your business should have/do in below.

What Does a Cyber Security Insurance Cover?

Cyber security insurance policies vary, but most will cover some combination of the following: 

• Data recovery costs 
• Cybercrime expenses 
• Public relations expenses 
• Loss of income 
• Legal fees 
• Costs associated with notifying customers of a data breach 
• Regulatory fines and penalties 

Most policies will also include some sort of incident response services, which can be invaluable in helping you recover from a data breach or attack. Again, it’s important to do your own research in order to find insurance that’s right for your business and needs.

What’s Not Covered By Cyber Security Insurance?

Cyber security insurance is not a silver bullet, and there are some things that it will not cover. For instance, it will not cover the cost of damages caused by employee negligence or errors.

It also will not cover the cost of damage caused by viruses or malware that you intentionally installed on your systems. When shopping around for policies, make sure to also ask what’s not covered in the policy.

How Much Does Cyber Security Insurance Cost? 

The cost of a cyber security insurance policy will depend on a number of factors, including the size of your business, the type of industry you’re in, what coverage you need, and the deductible you’re comfortable with.

Other factors unique to cyber security insurance that also affect the total cost are the amount and sensitivity of data. A local business will most likely pay less than a national chain with an eCommerce business.

Another factor affecting insurance costs is the business’ own security measures in place. Businesses with annual cyber security training and other policies will pay less than those without. As mentioned above, this is one of the things we’re seeing that is becoming a standard requirement for insurance providers.

A basic policy for a small business might start at around $1,000 per year, but it’s not uncommon for companies to pay $10,000 or more per year for comprehensive coverage. 

Why Do Small Businesses Need Cyber Insurance?

As a small business owner, you might be thinking that you don’t need cyber security insurance because you’re not handling any sensitive customer data. However, this isn’t always the case. Even if you’re not handling credit card numbers or social security numbers, you could still be a target for hackers. If you are doing anything online, like emails or accessing Xero or your online bank, you are at risk.

This need for cyber insurance is only going to increase as we become more reliant on technology. The number of data breaches is expected to continue to rise, and the cost of these attacks is also on the rise.

The pandemic made this only worse, as many businesses were forced to quickly shift to a remote workforce. This change left many small businesses vulnerable to attack, as they may not have had the proper security measures in place.

As reported by the most recent CERT NZ quarterly report, “scams and frauds” rose by 6.9%. This report also noted that total cyber security incidents increased by 48% from the previous year.

With these statistics in mind, it’s clear that small businesses need to take cyber security seriously and obtain the proper insurance to protect themselves.

Cyber Insurance Checklist: How to Get Cyber Security Insurance

The first step in obtaining cyber security insurance is to assess your business’s needs and current situation. What kind of data do you handle? How much would it cost to replace that data if it were lost or stolen? How would a breach affect your business’s reputation?

To be prepared for the new insurance policy standards, it is beneficial to start planning and/or implementing these strategies if you have not done so already.

1. Data Backup and Disaster Recovery Plan

A data backup and disaster recovery plan is a must for any business, whether you’re handling sensitive data or not. This plan will help ensure that your data is safe and can be recovered in the event of an attack or other disaster. Some questions to ask yourself if you are covered:

• Do you backup your data at least once a week?
• Is one of your backup copies in an off-site location?
• Have you (or your IT provider) successfully tested and retrieved data from the backup?

If you answered no or unsure of your answers in any of these questions, reach out to your IT partner immediately.

Remember, while these aren’t necessarily a requirement for all insurance providers, it is still best practice to have a proper backup policy in place.

2. Anti-Virus/Anti-Malware Protection

Anti-virus and anti-malware protection is another essential piece of the cyber security puzzle. This software will help protect your computers and devices from attacks, as well as remove any malicious software that may have already made its way onto your system.

Questions to ask yourself to see if you’re covered:

• Do you have antivirus protection on all your devices, including tablets and mobile? What about your server?
• Do you have a firewall installed? Is it configured properly?
• Are these regularly updated, at least quarterly?
• When was the last time you checked their settings and configuration?

3. Multi-Factor Authentication (MFA)

MFA is an authentication method that requires more than one piece of evidence to verify a user’s identity. This is typically something you know (like a password), something you have (like a code sent to your phone), or something you are (biometrics).

MFAs help reduce unauthorised access to systems and accounts. It’s actually built-in most cloud/internet-based services. You just have to turn it on.

4. Cyber Security Training

One of the most common ways that hackers gain access to systems is through phishing attacks. These attacks are typically emails or messages that appear to be from a trusted source, but are actually malicious.

To help protect your business from these types of attacks, it’s important to train your employees on how to spot them. You should also have a process in place for reporting suspicious emails or messages.

Questions you need to answer:

• Do you train new employees on basic cyber security threats?
• Do you have regular (at least once a year) cyber security training for all staff including the owners?
• Does the training cover identifying and managing phishing scams?
• Do you have testing to ensure correct practices are followed?

5. Perimeter and Network Security

Perimeter security is another piece of the puzzle when it comes to protecting your business from cyber attacks. This can include things like physical security (locks, cameras, etc.), as well as remote connection.

Questions you need to answer:

• Does remote access to your computer network require a virtual private network (VPN) connection?
• Do you have a housekeeping policy for old or unused files, user accounts, and access privileges?
• Do you limit administrator-level access to only those who need it?
• Do you have a process for approving new devices and software before they are allowed on the network?

6. Software and Firmware Patch Management Policy

One of the most important things you can do to protect your business from cyber attacks is to keep your software and firmware up-to-date. This includes things like your operating system, as well as any other software that you use.

Questions you need to answer:

• Do you have a process for patching systems?
• Do you have a process for testing patches before they are applied to systems?
• Do you have a schedule for applying patches?
• What is your policy on any unsupported/end of life (EOL) software?

7. Email Security

Email is one of the most common ways that hackers gain access to systems. This is because it’s relatively easy to spoof an email address, as well as send phishing emails that look like they’re from a trusted source. It’s also one of the tools you and your staff use regularly. Email gateways work to protect your staff from spam, viruses, and phishing attacks by filtering out malicious messages before they have a chance to reach the inbox.

Questions you need to answer:

• Do you have a system for filtering spam and phishing emails?
• Do you have a process for dealing with spam and phishing emails?
• Do you train your staff on how to spot spam and phishing emails?
• What is your policy on clicking links or opening attachments from unknown sources?

Over to You

If you’re a small business owner and you’re looking to obtain cyber security insurance, reach out to iT360. We can help you implement any of the strategies listed above so that you can increase your chances of being approved for coverage and reduce your premiums.

iT360 can help your business with best practices for data backup and business continuity, as well as cyber security assessments and training. We can also manage your entire IT needs, so you can focus on running your business.

Frequently Asked Questions