What is Cyber Insurance?
Cyber insurance protects a business from the inevitable fallout that occurs after a data breach or cyberattack. In recent years, it feels like there has been a constant stream of companies announcing that their data has been hacked. Sensitive information has been leaked. It has become nearly impossible to do business in the world without an online presence. So, most consumers and businesses have learned to live with an uneasy awareness that it is likely only a matter of time before some of their private information is compromised. The 2017 Equifax data breach affected approximately 143 million Americans. Anyone watching the news when the breach was announced certainly felt thankful they were not the Chief Information Officer left to deal with the aftermath of such a huge leak.
Purchasing cyber insurance will not take away the headache of managing a breach in your company’s cybersecurity, but it will definitely make it a lot less stressful. In fact, carrying a cyber insurance policy may end up meaning the difference between business life and death. A 2015 report from the U.S. Securities and Exchange Commission stated, “it has been estimated that half of the small businesses that suffer a cyberattack go out of business within six months as a result [of the attack].” With odds like that, cyber insurance should be a no-brainer for businesses. However, less than 3% of small businesses carry the needed cyber insurance. Hopefully, your business is one of them. If it is not, keep reading! In this article, we will explain how cyber insurance works and what it covers. We will discuss what types of coverage might be necessary for your business and how to find the plan that’s right for you.
What Does It Cover?
Cyber insurance policies cover a wide range of possible consequences that could affect your business after a cybersecurity incident. Most people in the early stages of learning about cyber insurance are surprised to learn just how far-reaching the negative effects of a security breach can be. After reading through all of the coverage options, you may be reeling with new fear of just how much a cyberattack can cost your business. The good news is that others have done the work of imagining almost every possible negative scenario for you. They have responded with insurance coverage to keep your business safe.
The first thing to know about cyber insurance policies is that coverage options are usually split into first-party and third-party coverage. Understanding the difference between these two types of coverage does not need to be confusing. Basically, first-party coverage pays for the concrete results of the event itself. These might be things like damaged software, lost emails, and interruptions to business. Third-party coverage extends to the ripple effects of a cyberattack. These can be things like a customer who sues you for exposing their private records, paying government fines and meeting regulatory requirements, and setting up a call center to answer customer questions.
Types of Coverage and Why They Matter
Perhaps you are overwhelmed by the prospect of buying cyber insurance. Maybe you are not sure what your business should be protecting against. Or, perhaps you are hyper-aware of everything that can go wrong. You want to make sure you have coverage that is adequately protecting your business. In either case, it is helpful to have a glossary of terms and types of coverage that you will encounter in most cyber insurance policies. The following is a list of common types of coverage. Keep in mind that most of our partners will work with you to customize a cyber insurance policy. It should cover exactly what you need with coverage limits that keep your business safe.
Business Interruption
This covers you if your business is unable to operate as normal. – It matters because cyberattacks often target e-commerce websites and technology used in production and communication systems between employees and partners. For many businesses, even a short interruption in operations can cost thousands of dollars in lost revenue.
Forensic Investigation
This covers you if you need to conduct an investigation to determine what information was lost or stolen, the extent of the damage, and for how long your business’s data was at risk. – This matters because forensic investigations may be required by the federal, state, or local government after a cyberattack. Your business will also need to know exactly what happened in order to respond and recover.
Credit Monitoring
This covers you if your hacked data included customers’ Social Security numbers, credit or debit card numbers, birthdays, addresses, or other private personal information that could allow criminals to open accounts in their name or shop with their cards. – It matters because offering free credit monitoring is usually regarded by the public as the least a business can do to apologize for losing or leaking their trusted information.
Customer Notification
This covers you if your business loses information that belongs to others in addition to information that might belong to you. – It matters because your customers have a right to know if they or their businesses could be at risk due to a breach in your infrastructure. They may need to take action to protect themselves.
Data Loss Recovery
This covers you if a breach or hack results in loss of business records. – It matters because recovering business records may be vital to your business’s financial security. It will help you make sense of what happened and recuperate from a cyberattack.
Legal/Litigation
This covers you if a customer or group of customers sues you for accidentally losing or exposing confidential information of theirs. – It matters because the costs to hire legal representation, pay financial damages or judgments, or settle a lawsuit may be enough to force your business to close its doors.
Regulatory
This covers you if your business is required to pay government fines or penalties or jump through regulatory hoops as a result of a cyber security incident. – It matters because many data breaches are serious enough to involve law enforcement and even the FBI. Government penalties and fines may be exorbitantly expensive for your business.
Extortion
This covers you if cybercriminals infiltrate your systems with ransomware or demand money to stop them from releasing or deleting sensitive information. – It matters because if a cyberattack threatens your business and you don’t have extortion coverage, you may not have the funds required to prevent irreparable damage to your customers or reputation.
Crisis management
This covers you if a breach is severe enough to require that your business hire a public relations team to represent you to the public. – It matters because cyber attacks can do severe damage to the public image of a company. This is true whether the event was within their control or not. Messaging matters. If an attack occurs, you will need all the help you can get. This will go towards keeping your customers and partners calm, rebuilding their trust, and regaining their loyalty.
Transmission of damage/malicious content
This covers you if your systems are infected by an attack and a virus or other malware is spread to your clients as a result. – It matters because your business could be held responsible for the transmission of damaging content.
Defamation
This covers you if cyber criminals libel, slander, or cause reputational harm for your business in a cyberattack. – It matters because the costs of defamation cases can be exorbitant. A ruined reputation may force your business to close.
What is not included?
It is easy to look at a list of coverage types and think that insurance companies have thought of everything. However, there are a number of scenarios that usually aren’t covered by cyber insurance policies.
Property Damage and Bodily Injury: If physical property damage occurs at your office or an employee or customer is hurt, the cause of the loss is not likely to be classified as a “cyber” event.
Reckless conduct: If you or someone in your organization purposefully leaks information or deliberately breaks the law, your business likely will not be covered by most cyber insurance policies.
Prior knowledge, pre-existing claims, and retroactive coverage: If you had knowledge of a hack before being insured, or you previously filed a cyber insurance claim that was not covered by your insurance provider, those issues will not be covered by a new policy. Cyber policies also may exclude coverage of breaches that occurred before coverage was purchased, even if they are discovered after your policy goes into effect.
Fraud or funds transfer losses: Some cyberattacks involve unauthorized transfers of funds from the business being attacked. Although some policies will cover this, most do not. Read the fine print. Or, ask your agent to determine whether your policy includes fraud coverage.
Infrastructure failure: If your power goes down, a hard drive crashes, or your IT system experiences other electrical or mechanical failures, the loss may not be covered under a cyber insurance policy. In general, cyber insurance covers purposeful attacks by external parties or accidental leaks by internal parties.
Intellectual property: This is another type of coverage that is occasionally included in cyber insurance policies. Check your terms to see if loss of trade secrets, patents, or other intellectual property is covered.
Failure to repair or correct known vulnerabilities: If you identify a system failure, process, or other defect that leads to a cyberattack and you failed to correct the problem, your cyber insurance provider is likely to deny the claim.
How do I find a plan?
To find the right cyber insurance plan for your business, you first need to know what to expect when shopping. Cyber risk is difficult for insurance companies to quantify for a number of different reasons. First, risk can vary widely from one industry to another. Second, businesses in similar industries may have wildly different levels of exposure due to differing internal business practices. Third, the market lacks verified data on the frequency and likelihood of cyberattacks, since they are often difficult to identify and often occur without being discovered. Because of these factors, many cyber insurance companies will ask for more participation and compliance from you in underwriting a policy for your business than they might for a traditional business liability policy.
Just as many car insurance companies ask about the safety features installed in your vehicle, most cyber insurance providers will ask about what your organization has done to minimize cyber risk. Cybersecurity experts recommend that businesses conduct a cyber risk assessment at least once a year. Most cyber insurance companies will want to see that you have done so before underwriting an insurance policy for your business. The National Cyber Security Alliance provides an iterative framework for protecting against and responding to cyberattacks:
- Identify potential cyber security risks (usually through an organizational risk assessment).
- Protect as many of the gaps identified as possible. Train employees and document a plan for dealing with cyberattacks.
- Detect threats and be on the lookout for attacks so you can catch a data breach quickly and minimize damage.
- Respond by notifying customers, recovering data, repairing assets, and alerting authorities.
- Recover through repairing assets, recovering data, and learning from mistakes.
Performing a risk assessment and outlining a cyberattack response plan will expedite the process of securing cyber insurance. It will also provide a helpful overview of the particular types of coverage your business should be sure to buy.
Keep in mind that you do not need to perform all the steps above before you begin shopping for cyber insurance coverage. We recommend reaching out to our providers for a quote as soon as you know you need cyber insurance coverage. This will help you make sure your business is not left exposed to dangerous cyber risks. As you gather quotes and research the various types of coverage offered by our partners, you can simultaneously begin the process of conducting a risk assessment.
Cyberattacks present a real threat to the safety and health of businesses today. Cybersecurity risks are mounting every day. But, purchasing cyber insurance does not need to be a confusing or stressful process. Begin by gathering quotes and assessing the type of coverage your business needs. Our providers will guide you from there.