At this point it's important for all businesses to have cyber insurance regardless of their size, industry, or IT dependency. The threat of a cyber-attack is too high, and the consequences run too deep. Without cyber insurance as a safety net, businesses may be forced to pay huge out-of-pocket costs. And as the disruption of cyber attacks climbs quickly, those costs could bankrupt the businesses.

Choosing to add cyber insurance coverage is an important first step. The equally important second step is determining what types of cyber insurance a business requires. The answer is different for every business, but it's determined by considering the kinds of threats the business faces and the costs/consequences of those threats. Once that is understood, businesses are able to tailor their coverage to perfectly reflect their needs.

As you begin to explore what kind of coverage you need, consider what kind of coverage is available. Below is an outline of various types of cyber insurance. The details of the policies will vary depending upon the provider, but the purpose of each is largely the same across the industry. Think about the threats your business faces now and in the future. Then pick one or more different types of cyber insurance to provide an essential last line of defense.

First-party vs. third-party

Before diving into the specific types of coverage, it's important to explore the distinction between first-party insurance and third-party insurance. Many types of coverage are designated one or the other. First-party refers to costs to the company that directly result from a cyber incident. For instance, businesses may have to hire security professionals to help them recover from an attack. Third-party refers to costs that are levied by outside parties like plaintiff's lawyers or regulators. For example, a business may have to pay lawyers to defend its interests against lawsuits from victims of a data breach. Determining if, when, and why either type of insurance is necessary is an important consideration when exploring coverage.

Errors and omissions

This type of cyber coverage is designed to cover costs related to performance issues with a product or professional service. This type of coverage is important because it's also one of the most overlooked. Accidental cyber incidents happen just as often as malicious or intentional ones. And companies that are not heavily involved with technology can still be on the hook for technical mistakes.

Media liability

The issue of copyright infringement is one that has long concerned companies, but it's become even more complicated in the era of digital information. In instances where a company improperly uses electronic media and is exposed to a lawsuit or other penalty, this type of coverage addresses some of the cost. Coverage for slander and libel is also often included. This type of cyber insurance is particularly important for media companies, but considering that most companies now have an online presence, it's a protection that every type of business should consider.

Network security

This is the type of coverage that most people think about when they hear the term cyber insurance. It is intended to insulate companies from the costs of viruses, malware, cyber extortion, data breaches, and data destruction. Essentially, it protects companies against the consequences of hackers. Since cyber crime is growing rapidly, network security coverage is an essential component of cyber insurance. Equally essential, however, is to understand when, where, why, and how network security coverage is applicable. That way companies avoid having gaps and cracks in their coverage that they only discover when they need to file a claim.


Privacy

There is some overlap between this type of cyber insurance and network security since privacy issues often arise from network troubles. The important distinction is that privacy coverage also protects against the loss of physical records like files tossed into a dumpster. Companies are subject to various rules and regulations around privacy, and considering the sensitivity of the issue, the potential for lawsuits is high as well. Privacy coverage helps companies compensate for the ongoing struggle of securing all information in all instances.

Understanding cyber liability costs

Cyber insurance is one of the fastest growing and evolving types of insurance. That is largely because the number and complexity of threats are growing as well, along with the overall costs of an incident. Following even a minor breach, a company could be exposed to a dozen predictable costs and a dozen more it never anticipated. Below, you will find a list of common examples divided by party. Think of how deeply these could affect the long-term bottom line without the financial cushion provided by cyber insurance.

First-party costs

  • Paying a company to perform a forensic investigation to determine exactly how a cyber incident occurred
  • Hiring legal counsel to advise about meeting notification and regulatory obligations
  • Paying to notify each victim of an incident through formal channels
  • Paying for credit monitoring for each victim of an incident
  • Investing in marketing and outreach to rehabilitate the public image of the company
  • Loss of revenue opportunities when a cyber incident interrupts normal business operation

Third-party costs

  • Paying for a legal defense
  • Paying for settlements, judgments, or damages related to the incident
  • Covering the cost of issuing new credit cards to each victim of the incident
  • Meeting the mandates of regulators and formal inquiries
  • Paying fines and fees to regulators, including hefty PCI fees

Choosing Small Business Cyber Insurance

As we noted earlier, the details, coverage limits, and even names of different policies can vary widely. Some providers also segment coverage to give consumers more choice. This has the side effect, however, of making it harder to compare coverage options. Rather than focusing on the types of cyber insurance available, think more about the types you actually need. Working through the checklist below helps decision makers ask the hard questions and work through the important details:

Analyze your unique risks – Every business is vulnerable to a unique set of threats depending on the technology they use and the type of data they handle. Analyzing what this unique risk is reveals what aspect of the business is most likely to be attacked. Focusing coverage on this aspect ensures that insurance investments have the greatest impact.

Examine your existing policies – Some types of cyber risk are included in basic business liability policies. Examining what type of protection is and is not present, plus exploring when and how that coverage applies, helps businesses avoid both gaps and redundancies in cyber insurance.

Buy at least the basics – It's up to each company to determine the depth and breadth of coverage necessary. But for all businesses a basic cyber liability policy should be considered mandatory. The cost is manageable, yet many of the most common and consequential costs are covered. Prudent business leaders make it a priority to have a baseline level of protection at all times.

Calibrate the appropriate limits and sublimits – Having the right levels of coverage is just as important as having the right types of coverage. If a company underestimates the cost of a breach, it could be forced to pay hefty out-of-pocket costs. The first step is determining what limits and sublimits are necessary. The second step is determining what limits various policies realistically provide. The coverage companies imagine they have might not equal the coverage a policy actually supplies.

Beware of exclusions – Most cyber insurance policies define what is not covered rather than what is covered. Study these exclusions carefully because they reveal when and what a policy will actually pay out. If an important aspect of coverage is excluded, either negotiate with the provider or seek out other coverage options.

Consider coverage date – When a policy becomes active is important. In many cases coverage starts on the inception date of the policy. That means if a threat/issue is already present in the network it may not be covered by the policy. Retroactive coverage is available, but it's important to consider when the coverage is applicable and what sorts of incidents it applies to.

Enlist every stakeholder – One reason companies end up with inadequate or incomplete cyber insurance is that they only talk to the IT team when considering coverage options. Cyber risk and cyber security are issues that affect every department and stakeholders at all levels. When those stakeholders are part of the coverage consideration, it's easier to identify vulnerabilities and cover every asset.

Consider additional coverage – We outlined the four major types of coverage above, but there are certain types of exceptional incidents that are not typically covered unless the policyholder seeks out additional coverage. These range from incidents caused by third parties (e.g. cloud-service providers) and damages from lost devices to the cost of large-scale data recovery or of an in-depth public relations campaign. Most companies will not need these deeper levels of coverage, but for some companies they are essential.

The resources on this site are designed to make selecting cyber insurance easy. Users are able to research policies, compare coverage options, explore various price points, and choose with complete confidence. Better still, all the information a decision maker needs is available without paying fees to an insurance broker. Use this as your one-stop portal to explore and select the right types of cyber insurance.