The following post summarizes a handful of insights shared across FirstMark's CTO and CFO Guilds from multiple contributors.
Recently, a series of questions were brought up in FirstMark Guilds about when and how to procure cyber insurance, such as:
Is it a good idea to get it?
If so, at what stage should we be looking at getting it?
When is it mandatory?
How much coverage do we need?
It’s coming up more and more in infosec audits as a recommendation, boards are asking for it, and an increasing number of customers and external stakeholders are requiring at least a minimum level of coverage.
It’s doubly important to have or ask for it if you (as a vendor) will be touching your customers’ data (even if it’s encrypted) or if you (as a customer) will be engaging with a vendor who will have access to your data.
When It’s Needed
If you work in a sensitive industry like healthtech, fintech, security, etc., then it's absolutely going to be a requirement. In less sensitive industries like martech, requests for cyber insurance might not have come up in the past, but they will be coming up more and more, following the same path as SOC 2 compliance.
Simply put, if you are a B2B company selling into enterprise customers, you will almost certainly be required to carry cyber insurance in order to close business.
For Guild members who may be exploring cyber insurance options, we recommend you check out FirstMark-backed Parametrix, an innovative insurance policy that protects businesses from third-party outages (e.g., the loss of cloud hosting).
Why It’s Important
There are two reasons why it's so important to have cyber insurance.
The first reason, per the above section, is that it’s simply a requirement.
The second reason is that it can actually be extremely helpful. One Guild member shared their experience of being four months into their tenure at a new company when they were hit with a breach. The cost of the forensic firm, legal guidance, investigating notification requirements by location, and completing the necessary paperwork in multiple countries would have been close to $1 million.
Instead, they paid a small fraction of that cost, thanks to their cyber insurance.
Obviously, no one ever expects to be hit with a breach and have to deal with all of this, but in many cases it makes sense to have insurance simply to be prepared for every scenario.
When To Get It
The general rule of thumb is that if you are in a sensitive industry, and could be vulnerable to an attack or a breach, then you want cyber insurance as soon as possible.
However, there is a major caveat: you should not get cyber insurance until you have the proper internal controls in place and someone on staff who knows what they are doing technically. That way, you can rest assured that you are in fact doing everything the policy requires of you, so that you are actually covered should something happen.
It’s also not as simple as signing up for other types of insurance. For cyber insurance, there is some technical and legal back-and-forth that needs to be navigated with the insurance company at the get-go, including gap analyses, risk assessments, etc., so keep this in mind as you go down this road.
How Often Claims Are Made And/Or Paid
According to Coalition, about 2.5% of policyholders have a claim each year, so if you decide that it makes sense for your business to have cyber insurance, you have about a 1 in 40 chance of actually needing it in a given year.
According to Coalition's 2022 Claims Report, the average claim is about $200,000 USD. However, policies are rated on revenue, so the smaller your business is, the less you pay for your policy, and as your business grows, so will the cost of your policy.
An Insider’s Tip on Getting the Best Rates
If you choose to apply for cyber insurance, use your recent financial history, not your fundraising revenue projections, for your submission. Presumably, these numbers will be much lower, which will result in a far better price for your policy.