A Business Owner's Guide to Cybersecurity Insurance

Ransomware and cyberattacks increase on a daily basis. Because of this companies have looked to multiple tools to protect their most valuable assets – their data.

Business leaders today are faced with an untold number of options when researching cybersecurity tools. From network security firewalls to endpoint protection for all BYOT devices. One additional resource that has gained popularity over the last couple of years is the growing demand for Cybersecurity Insurance.

When evaluating Cybersecurity insurance options, business leaders are shown an ever-growing list of requirements to secure a policy. For example, a simple ransomware policy with basic coverage could be secured with a simple proof of anti-virus coverage. Policymakers are requiring more sophisticated, complete cybersecurity strategies as the number of cybersecurity threats grows.

What is Cybersecurity Insurance?

Let’s start at the beginning: Many business leaders today ask, “What is Cybersecurity Insurance or Cyber Insurance?” To put it simply, cybersecurity insurance protects a company’s assets in the event of a cybersecurity breach. Similar to other insurance policies, the amount of coverage, and what isn’t covered, depends on several factors and requirements.

Cybersecurity insurance is also referred to as cyber insurance, cyber liability coverage and data breach insurance. This insurance covers financial losses your business incurs following a cyber event or a data breach. Cybersecurity insurance policies often include coverages automatically and others you can add at your discretion.

First-party coverages apply to costs your company incurs directly due to a cyber event. Third-party coverages protect against claims made by companies or consumers affected following the cyber event. For example, first-party coverage would cover the costs to inform your customers about a data breach. Third-party coverage would cover your expenses for a lawsuit if a customer sues your company for negligence.

What Are the Types of Cyber Insurance Coverage?

Companies of every size are vulnerable to cyberattacks. Your information, privacy, and operations are all at risk. Cybersecurity insurance can protect your business from these risks. Cybersecurity insurance provides network security coverage, privacy liability coverage, network business interruption coverage, media liability coverage, and errors and omissions coverage.

1. Privacy Liability Coverage

For companies with privacy risks or information risks, privacy liability coverage is essential. Employee and customer information is highly sensitive. Data breaches that expose this data threaten your company and leave you vulnerable to liability.

With privacy liability coverage, your company will be protected In the event of a privacy law violation or a cyber incident. You may incur these third-party costs if you face liabilities from a contractual obligation or liabilities from regulatory investigations.

Examples include protecting your company against consumer class action litigation and funding a settlement after a data breach or cyber incident. In a regulatory investigation performed by law enforcement or the government, privacy liability coverage may cover legal expenses, penalties, and fines.

Include privacy liability coverage in your cybersecurity insurance policy to protect the information and privacy of your business.

2. Network Security Coverage

Most businesses should include network security coverage in their cybersecurity insurance policy. If you want to protect your company’s privacy and information, you should have network security coverage. If your network security fails, this cyber insurance will cover your company.

Network security failures include:

Business email compromises
Cyber extortion demands
Data breaches
Malware infections
Ransomware

Your first-party costs will be covered by network security coverage. For network coverage, first-party costs include:

Breach notification to customers
Credit monitoring
Data restoration
Establishing a call center
Expertise in public relations
Identity restoration
IT forensics
Legal expenses
Payment and negotiation costs from a ransomware demand

Include network security coverage in your cybersecurity insurance policy to protect your company in the event of a network security failure.

3. Errors and Omissions Coverage

Errors and omissions (E&O) coverage protects you from cyber events that keep you from delivering your services to customers. Claims about errors or performance failures in your services are covered by E&O coverage. These claims can include software or consulting services, or traditional professional services rendered by engineers, doctors, or lawyers.

This coverage also protects against breaches of contract or allegations of negligence. It includes legal defense costs from a lawsuit or a dispute with a customer.

Protect your company against losses and omissions with E&O cybersecurity insurance coverage.

4. Media Liability Coverage

Media liability coverage protects you from intellectual property infringement, except for patent infringement. This coverage typically applies to both printed advertising and online advertising, including your company’s social media posts.

Include media liability coverage in your cybersecurity insurance policy to protect the intellectual property of your company.

5. Network Business Interruption Coverage

If your business relies on technology to stay running, you should consider getting cybersecurity insurance that covers network interruption. This will protect your business from cyber risk.

This coverage can help you cover expenses, lost profits, and extra costs if your network or your provider’s network goes down. Coverage also applies to security failures from events like cyberattacks, and system failures like human errors or failed software patches.

Include network business interruption coverage in your cybersecurity insurance policy if the successful operation of your business depends on technology.

What does Cyber Insurance Actually Do?

Cybersecurity insurance protects and recovers an organization after a cyber-attack. Oftentimes, a company is not able to recover its data. When this happens, the cyber insurance policy provides monetary relief to the organization following the breach.

For many organizations, there are multiple benefits of securing cybersecurity insurance. Many governments and publicly traded companies require a certain level of cybersecurity insurance to partner or conduct business with them. As a level of protection for organizations, many require cybersecurity insurance for their vendors as well. Some organizations are required to carry cyber insurance to meet regulatory requirements.

So what does a cybersecurity insurance policy include?

Cybersecurity insurance policy coverage varies greatly and the type of coverage you and your organization need can vary greatly.

Costs depend on several factors, including the organization’s chosen coverage. As business owners shop around for coverage, every insurance company offers its own packages and policies. Insurance agents will send quotes for coverage options with different costs that a business owner can choose.

Generally, cyber insurance covers:

Loss of data and associated recovery.
Loss of revenue due to business interruptions from a cybersecurity event.
Loss of transferred funds from events such as fraud and social engineering.
Loss of funds from computer fraud and extortion.

The above list covers the actual cyber event. Many insurance policies also cover the aftermath and follow-up events associated with a data breach.

After suffering from a data breach, a cyber insurance policy will likely cover:

Notification costs. Costs associated with identifying victims and sending notices so that they are aware of the breach. This is often a compliance mandate.
Credit monitoring. Costs associated with the victim (customer) credit monitoring after data loss and identity theft.
Civil litigation. Costs associated with lawsuits and reimbursing affected customers.
Forensics. Costs to hire consultants and forensics experts so that damage and the root causes can be analyzed.
Brand damage. Costs associated with public relations to repair damage to the organization’s reputation.

Organizations should check with the insurance company for cost coverage to help stop attacks before they happen. An insurance company might help with prevention training against phishing and social engineering.

Why General Insurance Liability Won’t Cover Cyber Crimes

For many insurance policies, cybersecurity events are explicitly excluded from coverage. General insurance liability typically excludes cyber attacks and other digital data theft. That means organizations usually must buy cyber insurance separately. (Every business should check their policy for their specific coverage.)

General insurance liability usually doesn’t cover cybersecurity incidents since the cost associated is too much. Also, the volume of risks is a large factor in insurance premiums. That makes calculations difficult, especially as organizations grow and add more infrastructure to their environment.

What Attacks Result in Cyber Insurance Claims?

After a cybersecurity incident, the organization must cover costs for subsequent actions. These include:

Incident response
Containment
Forensics and investigations
Litigation
Compliance audits
New security infrastructure and policy changes

Any cyber event that results in data loss, investigations, and cost-related consequences could be covered by an insurance policy. But coverage depends on the cyber insurance company and the type of coverage the organization chooses. The type of coverage determines policy premiums, so cost is often a factor in the organization’s policy choice. Most policies cover costs associated with credential theft, phishing, ransomware, malware, and insider threats.

What Does Cyber Insurance Not Cover?

As with any insurance policy, there are exclusions in cybersecurity insurance worth noting for potential policyholders. Generally, a cybersecurity insurance policy doesn’t cover the following:

Costs for improving your internal technology systems following a cyber event
Loss of value caused by the theft of intellectual property from your company
Potential lost profits in the future

In addition, acts of war from foreign attackers are not usually covered, and any costs associated with building cybersecurity infrastructure before and after the breach might not be covered. As usual, check with the insurance company and the policy to find any exclusions to coverage.

Though these losses or costs may not be included in the standard cyber insurance requirements, obtaining cybersecurity insurance is essential if you want to protect your business from cyberattacks.

Cybersecurity insurance, while at first viewed as a niche tool, is now considered a requirement for every company’s risk management system. And, fortunately, along with the sophistication of cybercrime, cybersecurity insurance, too, has come a long way since its early days.

Though cybersecurity insurance coverage is now essential, many businesses remain unaware that cyber risk is insurable, let alone what exactly cybersecurity insurance covers. Fortunately, cyber risk is insurable, and the coverage options available today are flexible enough to meet the needs of your company.

Though rates for cyber insurance have increased globally by 32 percent year-over-year, this coverage remains an essential part of a company’s cybersecurity strategy. Let’s learn more about this important way to protect your enterprise.

Does Cyber Insurance Include a Deductible?

Just like any other insurance policy, cyber insurance has a deductible. Insurance companies will give organizations a deductible choice and the deductible price will determine the insurance premiums. The lower the deductible, the more an organization will pay for its premiums.

Why isn’t Cyber Insurance Meant to Replace a Security Strategy?

It might seem like cyber insurance is the magic bullet for a data breach. But it should be used only as a supplemental addition to your cybersecurity strategy, never the entire strategy. It’s important to read the cyber insurance policy to ensure that all terms and conditions are met. This includes a plan that covers the infrastructure necessary to protect data.

A data breach is expensive. Cyber insurance does not cover future revenue from newly released products and business growth. This lost revenue from brand damage and costs associated with a data breach can permanently dampen future revenue. For an organization to sustain itself, it must have a cybersecurity strategy that helps reduce risk and avoid a compromise.

Coverage of Cybersecurity Events

In 2017, several major cybersecurity events destroyed data for large organizations and government entities across the globe. WannaCry, Petya, and NotPetya were a few of the ransomware attacks affecting small and large organizations. It would seem like cyber insurance would cover the damage from these ransomware attacks. But forensics experts suggested that the attacks could be targeting specific countries.

As mentioned above, “acts of war” are not covered in most cyber insurance policies. Following ransomware attacks in 2017, some insurance companies claimed it was an act of war. With this claim, they said they did not need to pay for the damage. This left several organizations left to cover the expenses after ransomware damage, one of today’s most expensive attacks.

What Do You Need to Acquire a Cyber Insurance Policy?

The first step towards acquiring cyber insurance is to audit your infrastructure and document your cybersecurity policies and systems. To determine coverage and costs, a cyber insurance company will want to know what cyber defenses are in place. As with any insurance company, a cyber insurance company won’t cover a company with no cybersecurity strategy or infrastructure in place. Such an organization is sure to be a victim of a data breach, if not multiple breaches.

After an audit of cybersecurity infrastructure, it’s time to shop for a policy by contacting various insurance companies. Every company will have its own policy standards, exceptions, and costs. So ensure that you read the policy terms and conditions before agreeing to a policy.

An insurance company will review current cybersecurity strategies to determine your level of risk. If the risk is too high they may not be willing to write a policy for you.

What is the Future of Cyber Insurance?

Cybersecurity events cost organizations billions every year. The costs of a single event can run well into six figures. This includes containing, fixing, investigating, and covering the monetary loss from brand damage and compliance violations. Organizations are realizing the high cost of cybersecurity events and data breaches, and are buying insurance policies to cover the damages.

Insurance companies always tailor their policies so that they make money on premiums. That means you should always be aware of the exclusions written into the contract. Large payouts are expensive to insurance providers. They add limitations to ensure that coverage only applies to incidents where the organization took necessary cyber defense measures.

Insurance providers are more hesitant to write policies for organizations with poor cybersecurity controls. Therefore, you must put specific strategies and infrastructure in place before shopping around for a provider. Better cybersecurity controls will also reduce risk—and therefore reduce insurance premiums and costs for coverage. Before shopping for a policy, an organization can lower premium payments by installing effective cybersecurity infrastructure across its environment.

How Much Does Cybersecurity Insurance Cost?

Data breach insurance costs vary depending on the size of your company and how much coverage your business needs. If you have a smaller company, you may not need as much coverage. If this is the case, your premiums will be lower than a larger company with many areas that need protection.

How can LBMC help with Cybersecurity Insurance?

Cybersecurity insurance should never replace an organization’s cybersecurity program. In fact, most providers of these policies will want to know that you have certain security processes in place before they commit to providing coverage. It’s important to know that cybersecurity insurance does not cover stolen intellectual properties, such as product designs or business plans, and it can’t always easily restore an organization’s damaged reputation or sales loss. Before investing in cybersecurity insurance, organizations should perform a risk assessment and impact analysis to fully understand any main areas of vulnerability. Without understanding your risk as well as your risk tolerance, your insurance buying decision will likely be driven more by what seems affordable than what you might need.

Our vCIO team can help your business source the coverage and institute any software or solution requirements for your business.

For more information on Cybersecurity Insurance and other cyber threats to protect you and your organization, check out our podcast.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.