
What to consider before purchasing cyber insurance

Amid the constant threat of cyberattacks, many businesses are considering cyber insurance. Would a policy be right for you?


Cybercrime continues to escalate. In 2021, the FBI’s Internet Crime Complaint Center (IC3) received a record number of complaints, which led to potential losses of $6.9 billion. Ransomware, business email compromise and phishing were among the leading attack types, as hackers use any vulnerability they can to compromise an organization’s computer systems.

The threat is more real than ever for companies of all sizes and industries. So, what more can be done to improve preparedness? While preventative defenses and incident response plans are helpful, a comprehensive strategy should also consider what happens in the event an attack occurs. Organizations should have plans for how they would recover from financial losses and reputational harm.

That’s where cyber insurance is valuable. A policy could help a business manage costs during and after an attack. But what exactly is cybersecurity insurance, how does it work and how can your organization find the right amount of coverage?

 

What is cyber insurance?

Cyber insurance, also known as cyber risk insurance or cyber liability coverage, is designed to help an organization reduce risk and financial exposure by offsetting costs associated with systems and data recovery, including a ransomware payment, during and after a cyber incident.

Depending on the terms and conditions of the cyber insurance policy, the insured could also recover the cost of:

  • Identity restoration for impacted customers
  • Income loss due to business disruption
  • Communication to clients, customers, employees and other stakeholders
  • Civil fines and penalties
  • Security and privacy liability
  • Cyber extortion

Cyber insurance uses a typical insurance model. An insurance underwriter will review the case to determine whether or not they will accept the risk. If acceptable, they will take the next step to determine the amount of insurance needed to cover the risk. Finally, the insurer collects premiums from their clients to pay for the risk coverage and help subsidize claims when an event occurs.

 

Why purchase cyber insurance?

The financial damages of a cyber incident can be sizable. In Q2 2022, the median ransomware payment was $36,360 and the average downtime from an attack was 24 days, according to Coveware, a ransomware incident response and recovery service provider. Protection against these costs is the primary motivator for acquiring a cyber insurance policy.

The transfer of financial risk through cybersecurity insurance can help reduce financial impact on operating capital needed to preserve business continuity. This type of financial instrument can mean the difference between surviving an attack and closing the doors. According to the U.S. Government Accountability Office, in 2020, 47% of general business liability insurance clients opted into cyber insurance coverage. As attacks continue to grow, it seems that purchasing a policy has become a normalized cost of doing business.

When evaluating whether to purchase cyber liability insurance, organizations should ensure they will receive value from a policy. The cost of insurance premiums and deductibles should fall below the annualized loss expectancy (ALE) for the company. ALE is determined by multiplying the annual rate of occurrence (the likelihood of an incident occurring each year) by the single loss expectancy (the cost of a single incident).

 

The costs of a cyber attack

In addition, companies should consult with their technology staff, risk department and accounting team to assess the risk of a cyberattack, the business impact and the value an insurance policy may provide. This evaluation should include the insurance policy’s deductible, premium, limits of coverage and the cost to adhere to the coverage terms.

 

How can businesses calculate the right amount of coverage they need?

Organizations should balance the cost of paying for cyber insurance against the expected value of the policy and potential losses from a cyberattack. For example, if there is a 2% chance of an organization losing $1 million and the insurance premium costs $10,000 annually, they could use the following calculation to decide whether to transfer or retain the risk:

EXPECTED VALUE MATRIX

| | No Loss | Loss | Expected Value |
|---|---|---|---|
| WITHOUT INSURANCE | $0 x 0.98 = $0 | ($1,000,000) x 0.02 = ($20,000) | $0 + ($20,000) = ($20,000) |
| WITH INSURANCE | ($10,000) x 0.98 = ($9,800) | ($10,000) x 0.02 = ($200) | ($9,800) + ($200) = ($10,000) |

EXPECTED VALUE MATRIX

| | Cost | Expected Value |
|---|---|---|
| WITHOUT INSURANCE | $1,000,000 loss x 2% probability of incident | -$20,000 |
| WITH INSURANCE | $10,000 insurance premium | -$10,000 |

In this example, the cost of purchasing insurance with an annual premium of $10,000 shows a higher expected value than accepting the risk, as the ALE is $20,000. Given this information, it may be more financially beneficial for an organization in this scenario to purchase insurance than accept the risk.

 

Are there other considerations to look for in a cyber insurance policy?

The policy will require a deductible for each loss incurred. It’s important to recognize that lower deductibles can increase annual premiums. The cost of the deductible should be included in expected value calculations when totaling the cost of an incident.
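
The expected value matrix above, extended with the per-loss deductible and coverage limit that this section says to factor in, as an added Python example (not part of the original article). Costs are expressed as positive numbers; the `Policy` fields, the function names and the per-loss deductible/limit model are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    """Hypothetical policy terms (assumed model: deductible and limit apply per loss)."""
    premium: float     # annual premium, paid whether or not a loss occurs
    deductible: float  # amount the insured pays first on each loss
    limit: float       # most the insurer pays on each loss

def ale(aro: float, sle: float) -> float:
    """Annualized loss expectancy = annual rate of occurrence x single loss expectancy."""
    return aro * sle

def retained_loss(sle: float, policy: Policy) -> float:
    """Part of a single loss the insured still carries: deductible plus anything over the limit."""
    insurer_pays = min(max(sle - policy.deductible, 0.0), policy.limit)
    return sle - insurer_pays

def expected_annual_cost(aro: float, sle: float, policy: Optional[Policy] = None) -> float:
    """Expected yearly cost of retaining the risk (no policy) or transferring it."""
    if policy is None:
        return ale(aro, sle)
    return policy.premium + aro * retained_loss(sle, policy)

def break_even_premium(aro: float, sle: float, policy: Policy) -> float:
    """Highest premium at which transferring still costs no more than retaining."""
    return aro * (sle - retained_loss(sle, policy))

def decide(aro: float, sle: float, policy: Policy) -> dict:
    """Compare both rows of the matrix and report the cheaper option."""
    retain = expected_annual_cost(aro, sle)
    transfer = expected_annual_cost(aro, sle, policy)
    return {"retain": retain, "transfer": transfer,
            "choice": "transfer" if transfer < retain else "retain"}

if __name__ == "__main__":
    # The article's scenario: 2% chance of a $1,000,000 loss, $10,000 premium.
    scenarios = {
        "article example (no deductible)": Policy(10_000, 0, 1_000_000),
        "with $250,000 deductible":        Policy(10_000, 250_000, 1_000_000),
        "deductible plus $400,000 limit":  Policy(10_000, 250_000, 400_000),
    }
    for name, policy in scenarios.items():
        print(name, decide(0.02, 1_000_000, policy),
              "break-even premium:", break_even_premium(0.02, 1_000_000, policy))
```

In the third scenario the low coverage limit leaves enough of the loss with the insured that the same $10,000 premium no longer beats retaining the risk.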

There are a wide variety of policies, so review the policy coverage with your insurance carrier and broker to ensure your organization has appropriate coverage based on its needs and risk appetite. Additionally, the organization’s management should review the policy with legal counsel to determine the impact of a cyberattack and its effect on any regulatory or contractual requirements.

Here are three important factors to aid your decision:

1. Determine if the maximum loss is affordable for your organization

2. Consider the likelihood of losses

3. Ensure that the transfer risk is worth the premium

Armed with this information, it will be time to work with stakeholders on a final decision.

Buyer beware: Insurance may not cover all cyberattacks, particularly incidents that originate from a nation-state actor. The insurance industry generally considers these types of attacks to be acts of war, so policies usually don’t cover them.

Finally, purchasing more insurance than you need doesn’t mean you will be better insured if an attack happens. Estimate your insurance policy coverage by using the expected value matrix to confirm you have adequate coverage to restore business operations quickly.

 

The information provided here is intended to help inform clients about cyber insurance. It does not provide a comprehensive list of all types of cyber insurance considerations or identify all types of best practices. The client company or organization is responsible for determining how to best select cyber insurance products and for identifying the best practices that are most appropriate to its needs.

© 2022 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/cb-disclaimer for disclosures and disclaimers related to this content.
