5 Things to Know If You Are Considering Getting Cyber Insurance

As cyber attacks continue to increase in number and sophistication, more and more companies are purchasing cyber insurance. If you are considering getting this type of policy for your business, here are five things to keep in mind.
Discovering that a hacker just conned your business out of a large amount of money is probably one of your worst nightmares. For one organization, this nightmare came true. In December 2018, the Connecticut-based Save the Children Federation revealed that it fell victim to a business email campaign (BEC) scam the year before. The charity unwittingly transferred nearly $1 million to the hackers’ account.

Fortunately, the charity had cyber insurance, which covered most of the stolen money. The charity ended up losing only $112,000.

With BEC scams and other types of cyber attacks increasing in number and sophistication, more and more organizations are turning to cyber insurance to mitigate the risks and offset the costs of cyber attacks and other Internet- and IT-related liabilities. In the United States alone, the market is expected to grow from $2 billion to $15 billion in the next decade.

If you are considering purchasing cyber insurance for your business, here are five things to keep in mind:

1. Cyber Insurance Is Continually Evolving

Cyber insurance is not new. Its roots are in errors and omissions (E&O) insurance policies. Around 20 years ago, add-ons were attached to tech companies’ E&O policies. These add-ons covered incidents such as a tech company’s software program bringing down another company’s network. Eventually, the add-ons evolved into separate policies that covered a lot more types of incidents (e.g., data breaches). As the kinds of coverages increased, so did the interest in these policies by companies outside the tech industry.

Nowadays, there are many different types of cyber insurance policies being purchased by many different kinds of businesses. And as the Internet, cyber crime, and IT systems evolve in the future, so too will the cyber insurance policies.

2. Comparing Policies Can Be Challenging

Cyber insurance policies can be hard to compare because there is no set standard for underwriting this type of insurance. It is up to each insurance company to decide what it will cover and how to market that coverage. As a result, you might find that:

• Some insurance companies simply add cyber insurance extensions to existing insurance policies. Most insurers, though, have separate cyber insurance policies. Stand-alone policies are usually more comprehensive than extensions, according to experts.
• Some insurance companies put different types of coverages into separate policies. For instance, they might have a policy covering just data breaches and a policy covering cyber liability. In contrast, other companies offer one policy in which they include all their coverages (e.g., one policy covering both data breaches and cyber liability).
• A few insurance companies offer different cyber insurance policies for different types of organizations. For instance, they might have separate policies for small businesses, tech companies, and public sector entities.
• Like other types of insurance, the cost of the cyber insurance depends on many factors beyond the type of coverage provided. For instance, a business’s gross revenue, industry, and data risks are factored into the cost.

3. Types of Expenses That Are Commonly Covered

Although there is no standard for underwriting cyber insurance policies, they cover many of the same types of expenses. Insurance companies typically cover cyber incidents caused by both internal actors (e.g., errors and omissions by employees) and external actors (e.g., cyber attacks by hackers). Examples of items usually covered include:

• Lost revenue due to network downtime or a business interruption resulting from a cyber incident
• Cyber extortion costs (e.g., ransomware payment)
• The expenses incurred from a forensics investigation of a cyber attack
• The costs incurred to restore data and systems after an attack
• The expenses associated with notifying customers and other parties about a cyber incident
• The cost of hiring a PR firm to minimize a cyber incident’s impact on a company’s reputation
• Regulatory fines
• Defense costs to handle lawsuits levied by individuals or businesses adversely affected by a cyber incident or a lawsuit imposed by a government entity (e.g., a state’s Attorney General)
• Legal settlements from lawsuits

As this list shows, cyber insurance usually covers expenses incurred by the insured business as well as third parties adversely affected by the cyber incident. This is referred to as first-party coverage and third-party coverage, respectively.

4. What Is Usually Not Covered

There are some costs and types of incidents that are not typically covered in cyber insurance policies. They include the loss of future revenue due to a cyber incident, costs to improve internal IT systems, bodily injury, and property damage.

In addition, it is important to know that a claim can be denied if a company misrepresents its security measures. Businesses are usually required to fill out an application that includes questions about the security measures they have in place. If a company submits a claim and the insurer can prove that the business did not have the specified security measures in place, the insurer can deny the claim.

5. Where to Start If You Want to Get Cyber Insurance for Your Business

Before shopping for cyber insurance, experts recommend that you start by identifying the following for your business:

• The types and sensitivity of the data used in your business
• The kinds of cyber threats your company faces
• How susceptible your business’s operations are to a network interruption and how much revenue you would lose every day if a cyber incident brought down your operations
• Whether your business must adhere to any cyber-related laws or regulations (e.g., European Union’s General Data Protection Regulation, United States’ Health Insurance Portability and Accountability Act) and the cost of noncompliance
• The contracts you have with suppliers and other business associates and what data they are able to access through joint business operations

With this information, you can get an idea of the types and amount of coverage needed. We can help you gather this information so you can get the best cyber insurance for your business.