Why Cyber Insurance for Technology Startups Is a Must-Have Protection
In this article we will lay out, in simple, non-technical insurance language, why cyber insurance is a form of protection that tech startups must consider early in the formation of their company, and give advice on what to look for and how to purchase it.
What is Cyber Insurance?
A good place to start is describing what cyber insurance is and what it does.
Cyber insurance is a unique form of coverage that can be written as a stand-alone policy and is intended to provide protection from a variety of “cyber” related threats. Cyber threats are threats that can affect your data, together with the financial consequences that follow. Because firms in the tech space are typically built on data, they are highly vulnerable to financial loss if and when a threat vector strikes them.
For example, if your data is seized in a ransomware attack, where attackers hold your data hostage until you pay a ransom, you’re unable to work on your product or service until that attack is resolved, and resolving it is complex and costly. The ransom to be paid is only one direct cost you’ll incur.
There are other costs that need to be paid as well, such as the costs to hire attorneys and forensic experts to make sure you’re in compliance with laws and regulations, to uncover the cause of the attack, and to determine how to prevent it from happening again.
If any private data of employees or customers was potentially released in the attack, there are state and federal notification laws to be complied with. There could be hardware that’s damaged in the attack, and there’s the downtime and resulting interruption of your business. The expenses go on and on.
In fact, some experts believe that the actual ransom paid usually only amounts to 15% of the total cost of a ransomware attack.
But ransomware attacks are only one element covered in a cyber insurance policy. A good cyber insurance policy is intended to protect you and your startup from the direct and indirect costs and lawsuits that can arise in a cyber event.
The Prevalence of Cyber Threats and Their Impacts
Astra Security indicates that there are nearly 4,000 cyber-attacks occurring every day around the world, and 560,000 new malware threats are identified every day.
More than half of all attacks target small businesses. You can search the internet for topics related to cyber threats and be shocked at the volume of threats that occur every day. Malevolent actors are increasingly well-funded and operate like syndicated crime cartels, and the threats are so well-deployed and complex that it’s impossible for tech firms, especially startups, to be sure that they can prevent or stop them.
Yet, you may think it will never happen to you.
Unfortunately, tech firms are a target for hackers and threat actors, so chances are good that it will happen.
Why is Tech a Target of Threat Actors?
There are four main reasons why tech is a target of hackers:
- Your business is built on data. If that data is disrupted or held hostage you will likely pay any sum feasible to recover it, as would your backers.
- High-Value Transactions. Many tech firms engage in what we call high-value transactions, which can be large-scale transfers of data or large dollar value wire transfers, making startups a lucrative target for cyber attacks like man-in-the-middle attacks, social engineering, and phishing schemes.
- Theft of Intellectual Property. As mentioned above, your business model is built on data. Rather than holding that data hostage, hackers may instead just steal your IP to build their own technology more rapidly and beat your startup to market. This is commonly carried out by state actors with far greater resources than you.
- Tech startups are by their very nature risk-takers and may be adopting newer technologies and cloud computing platforms, which can be risky and easier to penetrate than the purpose-built safe systems of larger firms.
What Does Cyber Insurance Cover?
There is no standardized cyber insurance policy in the market; every provider has different coverage parts and “tweaks” to its form. Generally, though, the vast majority of cyber insurance policies include three main coverage parts:
- First Party Damages. These are the claims and costs your business would incur as a result of a cyber event. Common claims here include the cost of a ransomware attack and the resulting business interruption costs, the remediation costs, the ransom itself, the costs to notify customers, employees and others of private data being exposed, and other related expenses.
- Third Party Damages. These are lawsuits that arise when private data is breached and made public. Under certain state and federal laws, when personal information is made public in an event, you will be required to notify those “record holders” of this event. That notification often results in expensive class-action lawsuits.
- Cyber Crime. The third major component of a cyber policy is crime coverage relative to cyber. This includes electronic or wire transfer frauds and social engineering claims where you are tricked into paying a fraudulent invoice or transfer.
Then there are a multitude of other coverage parts, including coverage for:
- Regulatory defense expenses and fines
- Crisis management costs
- Bricking: to pay for hardware damaged or made useless in an event
- Media Liability: covering lawsuits that arise from social media and other website publishing activities
And many more, depending on the policy form.
What’s Not Covered?
Cyber Insurance typically excludes claims from:
- Bodily Injury and Property Damage
- Costs to enhance your cybersecurity following a claim
- Loss of Intellectual Property
- Other exclusions identified in the policy
Benefits of Cyber Insurance for Technology Startups
We’ve written at length about the types of claims that can arise from a cyber event as well as the threats that all companies face from threat actors, so what is the benefit of cyber insurance for tech startups?
There are two main benefits in our opinion.
The first is financial recovery. All the types of claims mentioned carry a hefty price tag when they occur. Whether it’s defending your company from lawsuits alleging a failure to protect private data, or it’s the cost to pay a ransom and remediate a ransomware attack, these events are very expensive to deal with, and to try and pay them out of pocket is nearly impossible.
If you had the cash on hand, those are dollars already earmarked for the development of your product or service. If they’re spent on remediating a claim, how would that impact your progress, and what would your investors think? How will they react when they learn that money invested in your company to create something was spent on remediating a cyber event?
The second benefit of cyber insurance is resources. If you were hit with an attack of some form and didn’t have insurance, who would you call? What would you do? What process would you deploy to recover? Think of the stress and urgency that’s created if you just learned that malware exploded in your network and now you’re unable to access any of your data. Your virtual drives and backups are all frozen. Now what?
Cyber insurance policies often have an emergency phone number staffed 24/7/365 by a trained response handler called a “breach coach.” Their job is to identify the problem and provide you the next steps to stop the bleeding and start recovery by putting you in touch with the right resources and experts. Without this breach coach, you’d be on your own to figure out what to do and who to call.
The combination of expert resources and financial resources puts you in greater control of the outcomes of an event so you can get back to business faster.
How to Choose the Right Cyber Insurance Policy
As we’ve mentioned, there is no standardized cyber policy in the market. Every policy is nuanced with its own coverages, endorsements, exclusions, and conditions. So, how do you choose the right cyber insurance policy that will fit your needs?
In our experience, many tech firm leaders will turn to Google and search for a provider. What comes up in a search for cyber insurance for tech companies? Typically, in addition to the firms willing to pay for sponsored listings (which I can tell you is expensive real estate to occupy), you will find firms that are spending a lot of money on their SEO, and many of them are direct writers. A direct writer is an insurer or specialty insurtech firm that offers its own company’s quote. Some will have a very slick, simple quoting platform where you can quote and buy a policy in minutes.
Is this the right cyber policy?
It’s hard to tell, and what usually happens is that a tech founder will go on to the next website or provider and go through the same exercise, and then the next and the next.
The result may be 4 or 5 or more quotes to choose from.
Which is the best?
Is it the lowest priced one? The highest priced one? Or somewhere in the middle?
We’ve focused on the pricing here because that’s really the only differentiator a founder can go on when looking at these quotes; trying to decipher all the different coverage elements is nearly impossible for the untrained eye.
What’s the solution?
This is of course going to sound biased, but the best solution is to work with a skilled broker to find you the right solution. A broker can shop multiple insurers and specialty providers to make sure you’re getting a good deal based on price, but also based on coverage elements.
A skilled broker can take this exercise of determining the right coverage off your plate and make it their responsibility to know the marketplace and arrive at the best possible recommendation.
Lastly, a skilled broker in the tech space, like The Coyle Group, will know who the right insurers are, what the right endorsements and enhancements are, and how to tailor the policy to fit your needs.
A final thought on which policy is best.
We have had tech firms contact us to say that they’ve purchased cyber insurance but a new contract demands higher limits which their insurer can’t provide, or their insurer is insufficiently “rated” (rated by a rating agency like AM Best) according to their customer. Now what do they do?
Again, this is the role of a skilled broker to find you a solution that may be difficult to impossible to attempt on your own.
In this article, we’ve identified the continually rising cyber threats and risks that tech startups face, as well as the financial consequences those threats pose.
We’ve also discussed why tech startups are particularly targeted by threat actors, and why having the right cyber insurance is a must for protecting you and your firm.
Finally, we talked about how to go about purchasing coverage and why we think working with a skilled broker is a critical element of that process.
There is one last issue to discuss.
How Much Cyber Insurance Do You Need?
Is it a million? Is it five million?
Unfortunately, most brokers and direct providers will quote you a $1M limit of cyber insurance, but we are finding that inadequate in today’s market, for two reasons.
The first is contractual. Many early-stage tech firms are facing requirements from their customers to provide evidence of higher limits of protection. Typically, at least $5M but it’s not uncommon for us to see requirements demanding $10M. So, building the cost of higher limits into your insurance budget makes sense.
The second is claim costs. We have seen claim costs explode over the past three years from all different claim scenarios, and a policy with an aggregate limit of $1M isn’t cutting it. An aggregate is the most the policy will pay for all claims in a given policy year. What happens in most events is that the direct cause of loss, let’s say a ransomware event, is covered by the limit of insurance, but the follow-on costs go well above that $1M limit.
What’s the solution?
Our advice is to seek options. Instead of just buying or accepting the one million dollar policy as the standard, ask for options. What would $3M or $5M cost? What are your peers purchasing? What makes sense for your company?
These are the questions you can ask a skilled broker and get solid advice and feedback from.
We hope you found this article helpful in determining why cyber insurance is a must-have for a tech startup, what’s covered by a cyber insurance policy, and how to purchase protection. As a specialist in the technology sector, we invite your call to talk about cyber insurance, technology E&O insurance, or any other form of business insurance or question on your mind.