Cyber Insurance – What You Need to Know

November 12th, 2025
Cyber insurance works just like any other form of insurance. Policies are sold by many suppliers that provide other forms of business insurance, such as errors and omissions insurance, liability insurance, and property insurance. Cyber insurance policies help companies pay for any financial losses incurred from a cyberattack or data breach. They also help cover any costs related to the recovery process, such as paying for the investigation, crisis communication, legal services, and refunds to customers.
What Can Cyber Insurance Cover?
Cyber insurance coverages vary based on business needs, nature of industry, and types of data stored. Many policies offer first- and third-party coverage, which covers the business’s direct losses and damage suffered by parties outside the business, like consumers who had their data stolen.
Typical inclusions in a Cyber Insurance policy:
- Threat Response & Recovery Services – the costs associated with hiring an incident response team to perform cyber forensics, system repairs, data recovery, etc.
- Ransom Payments – when systems are locked and ransom demands are made, the costs can be prohibitive. Some policies will offer to cover those costs, but many providers are now discontinuing ransomware coverage or increasing premiums due to the high costs of payment.
- Lost Revenue – just like a short-term disability policy that covers lost wages for an employee after an injury or incident, many cyber policies will be able to cover lost revenues due to attack-related downtime.
- Associated Legal & Regulatory Fees – when a company is responsible for other parties’ data security (customers, partners, etc.), there is a liability that comes along with it. After a breach that accesses or exposes the data, there may be legal actions taken against the party at fault, such as lawsuits filed by customers or regulatory penalties and audits. Some carriers may provide legal representation from their own expert team.
- Reputation Restoration – after an attack that exposes a company’s cyber weaknesses, and any public legal/regulatory actions that may occur, repairing the company’s brand may require the hiring of a PR firm. Some policies include a component that may help cover these costs.
Cyber insurance is no different than regular insurance policies in that there will always be exclusions against certain items.
Typical exclusions in a Cyber Insurance policy:
- Attacks that Exploit Known Vulnerabilities – companies should undergo regular tech audits to find vulnerabilities and take action to remediate them. If action is not taken, resulting in an attack, coverages can be voided by the carrier. Many insurance companies will require regular audits by a third party.
- Social Engineering Attacks – if an attack results from human error within the company, the company itself will be deemed at fault. This underlines the importance of regular cybersecurity awareness training for staff to provide a front-end defense against cyber threats.
- Inside Actor Attacks – if an employee, contractor, etc., within the company/organization is purposely behind the attack, the vulnerability resulted from a lack of security on the part of the insured. This will negate any coverage under almost any policy.
- State-Sponsored Attacks – these may be classified as “Acts of War” or fall under a Force Majeure clause. The first sets of cyber insurance policies made an attempt to cover these types of attacks, but they were deemed too costly to carriers and the responsibility of law enforcement bodies to investigate.
Coverage Considerations
When considering cyber insurance, you should evaluate coverage details like first-party costs, third-party liabilities, and specific policy terms such as exclusions, limits, deductibles, and the provider’s experience/reputation. It’s also important to assess your business’s unique risks, existing cybersecurity practices, and the insurer’s claims process.
Additionally, businesses should consider both their cybersecurity posture and the specific terms/coverage of the policy itself. Carriers require a minimum set of cybersecurity standards before considering the issuance of a policy. The higher a company’s security levels, the lower the risk to the insurance company and cost to the policy holder.
Remember: Cyber Insurance is NOT a replacement for Cybersecurity
Companies purchasing cyber insurance should only consider it a way to mitigate the damage caused by a potential cyberattack. Failing to invest in appropriate or effective cybersecurity solutions can result in either failing to qualify for a policy or paying more for it. There are several steps that can be taken to improve security within your business. A complete approach to cybersecurity involves a combination of strategies, including:
- Education & Awareness Training: Keeps staff aware of the latest threats and helps prevent data breaches.
- Technical Controls: Assorted cybersecurity tools that work as layers to shield against attacks.
- Cybersecurity Policies & Procedures: Clearly defined set of policies that provides guidance to employees.

Your Partners in Success
At PCS Florida, we specialize in minimizing downtime for businesses. Our proactive approach ensures your systems are always running smoothly, giving you peace of mind and the freedom to focus on growth. Don’t let IT downtime hold your business back. Contact PCS Florida today to learn how we can help you avoid costly disruptions and stay ahead of the competition.







