Cyberattacks take many forms. A business could be hit by malware, a phishing scheme, trojans, or denial of service attacks. Those attacks could target email accounts, cloud storage, or legacy systems. And they could empower hackers to exploit regulated/sensitive data, disable mission-critical applications, or steal intellectual property.
Cyber insurance is intended to protect against the consequences of an attack. The hard part is determining what kinds of coverage are necessary considering how vast and varied the number of threats is. Companies cannot afford to end up missing coverage they need or paying for coverage they don't.
Different cyber insurance policies offer different types of coverage, limits of coverage, and premium/deductible rates. This guide will answer what does cyber insurance cover so that your protection perfectly matches your needs and wants.
What is Covered by Third-Party Cyber Insurance?
This type of liability coverage protects a company against the indirect consequences of a cyberattack. For example, if a customer decides to sue the company following a data breach that exposed personal information. In general, this form of insurance kicks in to insulate companies from the damage caused by errors and omissions committed while creating, sending, receiving, or saving digital information. Coverage falls into several broad categories:
Network Security LiabilityThis type of coverage pays for the cost of litigation alleging you took inadequate steps to secure a network. The presence of malware, viruses, or unauthorized users are all evidence of security issues. Lawsuits may be brought by customers, employees, suppliers, or other parties.
Network Privacy LiabilityThis provides funds for lawsuits alleging you did not do enough to protect sensitive data. Policies typically distinguish whether that data is related to clients/partners or to employees.
Electronic Media LiabilityPublishing the wrong media in the wrong place can lead to stiff penalties. This type of coverage pays for costs related to online libel, slander, copyright infringement, defamation, domain name infringement, and invasion of privacy.
What is Covered by First-Party Cyber Insurance?
There are a number of immediate and ongoing costs to a business that are directly related to a cyberattack. This type of cyber insurance is designed to cover those costs and to supply funds to mitigate the consequences of an attack. Again, coverage falls into several broad categories:
Loss or Damage to Digital Data
Expenses related to data that is lost or damaged are covered as long as the consequences are caused by factors covered by the policy. Things like hackers, denial of service attacks, and viruses are typically covered while things like user error or accidental destruction may not be covered. Coverage applies to the cost of restoring/recovering data as well as the cost of any experts/consultants who assist in that effort.
Loss of Income and Extra Costs
A traditional commercial property policy supplies funds to make up for lost revenue or extra costs associated with damaged commercial property. Cyber insurance can supply the same type of coverage when the damage is done to data. Typically, the loss/cost must be caused by one or more of the threats on a pre-approved list.
Loss Due to Cyber Extortion
Hackers are increasingly taking control of sensitive data and applications and then demanding payment to avoid the destruction of data or the denial of service. Some cyber insurance policies will pay for these extortion demands and any related costs as long as they are approved by the insurer in advance.
Almost every state requires companies to notify anyone whose personal data has been exposed in an attack. It might also be necessary to provide victims with credit monitoring services. The cost of this effort can be significant, which is why it's covered in some cyber insurance policies.
Following a cyberattack a company/brand may develop a reputation for poor security and poor customer service/support. The only way to restore a positive image is through a combination of public relations and marketing, both expensive efforts. There are some cyber insurance policies that cover the cost.
What is Not Covered By Cyber Insurance?
There are some significant limits and omissions in cyber insurance policies. Those are important to understand, but first we should discuss the purpose of coverage. Cyber insurance insulates a business from the negative impacts of a cyberattacks. However, it does not help to prevent those attacks from happening. Insurance is an important safeguard, but in all cases, it's better for a business to avoid incidents entirely. With that in mind, these are some of the items that fall outside the typical boundaries of coverage:
Loss of IP
If important intellectual property falls into the wrong hands the immediate and ongoing impact could be both immense and difficult to calculate. Given that fact, most cyber insurance policies do not extend coverage for IP that is stolen or otherwise degraded in a cyberattack.
Even though companies can get coverage to pay for marketing and PR, these efforts do not ensure that a company will regain its reputation. The impact of the brand damage on the bottom line is not a cost that coverage will recoup.
Every type of cyber insurance coverage is subject to various terms and conditions. Most of those dictate that if an incident is caused because of insufficient security tools or policies being in place then coverage is denied. Even if the consequences are the same, the cause is what really matters.
Some policies state that coverage only applies to attacks perpetrated by hackers seeking personal profit. Coverage is denied if an attack is motivated by terrorism or carried out by a nation-state actor for political ends.
In the same way that cyber security does not help you prevent the first attack, it does not help you prevent the next either. Policies rarely extend coverage for security upgrades, enhancements, or additions implemented in the wake of an attack.
It's possible for a cyberattack to physically damage property, if a piece of heavy machinery was hacked, for example. The cost of this damage is not covered by cyber insurance, but it may be covered by other common types of business insurance.
Determining Your Cyber Insurance Coverage Needs
It is a mistake for any company to assume it's safe from hackers and elect to operate without cyber insurance. Every company is at risk regardless of its size or industry and regardless of what type of data it handles. The most important question to ask it what types of cyber insurance coverage a company needs and what limits/premiums/deductibles are necessary. The answer to those questions is different for every business, but these steps make it easier to arrive at the right conclusion:
Asses Your Protection
It must be stressed that the question is not if you will be attacked but rather when you will be attacked. Your current level of protection has a direct impact on the consequences you could potentially face. Focus on the data that is most sensitive or most likely to be attacked, then honestly asses how well that data is protected from all angles.
Calculate Your Risk
You won't know how much coverage you need until you understand what is at stake in an attack. Work through several scenarios that model what would happen if you were affected by common types of attacks. Then try to calculate what the response would cost, focusing on the coverage types outlined above. This exercise helps to illustrate risk in directly financial terms.
Evaluate Your Current Policies
Even though cyber insurance is largely a separate entity there may be certain types of attacks or losses that are covered by the policies you currently have for property, liability, or fidelity. Understanding your current coverage helps to eliminate overlaps but more importantly prevents gaps in coverage from creating unanticipated risk.
Boost Your Security
At this point you should have a good sense of the strengths and weaknesses in your cyber security strategy. Adding insurance is important, but so is upgrading your levels of protection. Where and how those upgrades are made will ultimately impact how much cyber insurance coverage you need to carry.
Prepare Your Team
No matter how much coverage you have or how extensive your security measures are there is no replacement for a team that is well-trained. This helps to limit the risk of an attack while also mitigating the damage should an attack occur. In addition to training, create a plan outlining exactly how department/teams/individuals will respond in the immediate wake of an attack.
Review Your Potential Policies
Once you understand how much coverage you actually need, make sure you understand how much coverage you are actually getting. The terms and conditions attached to various policies could limit or restrict your coverage in ways you never expected. Make sure you have a clear and confident understanding of a policy before committing.