Cyber Insurance protects an organization from exposures related to its use of technology and data. Cyber exposures typically arise from data breaches, extortion, and deceptive funds theft incidents caused by criminal activity or human error. All organizations utilize technology in the delivery of their products or services and depend on technology for a wide range of functions such as communication, payments, and data storage. Not all organizations need the same coverage, and not all Cyber Insurance policies provide the same protection. We can help.
What is Cyber Insurance?
Cyber Insurance protects an organization from exposures related to its use of technology and data and typically responds to data breaches, ransomware, and deceptive funds theft incidents. Covered costs include security and legal incident response, systems restoration, business interruption, customer notification, and even ransom payment. Cyber Insurance policies vary widely, and many come packaged with valuable risk management and incident response services.
The Cyber Insurance market expanded quickly in the early 2000s in response to an increase in significant data breaches. Cyber exposures continue to evolve rapidly as hackers create new ways to access confidential information and to attack critical systems and data, and leading underwriters are continually responding with new coverages.
Cyber Insurance policies vary widely, from comprehensive coverage to those policies providing limited coverage. eSpecialty Insurance is an expert in Cyber Insurance exposures and coverage: use our expertise to evaluate your options so you can balance coverage and cost.
Who Needs Cyber Insurance?
All organizations that use technology and need Cyber Insurance. Any organization whose operations may be subject to disruption from the failure or breach of technology should have Cyber Insurance. This includes organizations that:
Why Do You Need Cyber Insurance?
Criminal attacks and data breaches can lead to expensive and disruptive cyber incidents. Cyber Insurance provides financial protection and expert services which mitigate the impact of cyber incidents. Criminals have increased the frequency and intensity of cyber-attacks on organizations, and have become proficient at launching ransomware attacks, impairing operations, and stealing information and money.
Additionally, all states are regulating an organization’s response to a data breach, increasing the financial cost of a cyber incident.
Cyber exposures vary widely based on the type of business.
Criminals consider small and medium-sized businesses (SMBs) prime targets because they have valuable data and assets, and typically have less sophisticated IT security. In particular, SMBs are often targeted with ransomware and deceptive funds theft attacks because they can be successful. According to the Ponemon Institute 2021 Cost of Data Breach Report, the average cost of a data breach in the United States was $9.05 million. That cost only dropped to $2.98 million for organizations with less than 500 employees.
Large businesses have similar cyber exposures as small businesses, but typically have sophisticated cyber security resources and can absorb greater loss severity. In addition, a data breach is typically a more significant catastrophic exposure for large organizations. Not only should large organizations have comprehensive Cyber Insurance, but they should also ensure that their Cyber Insurance coverage provides limits adequate to cover catastrophic events.
Cyber Insurance is also available for individuals. Anyone using a computer or smartphone to communicate, store confidential information, or transact with financial and other services has cyber exposure, and criminals are finding that this can make individuals lucrative victims. Individual Cyber Insurance policies have been designed to cover expenses related to personal concerns like identity theft, fraudulent wire transfer, and cyberbullying.
What Does Cyber Insurance Cover?
A comprehensive Cyber Insurance policy will typically include both first party and third party (liability) coverages and will respond to data breaches, ransomware, and deceptive funds theft attacks. First-party coverages
respond to damages incurred by the insured organization as a result of a cyber incident, while third party or liability coverage responds to claims for damages to third parties.
The Downside of Cyber by Endorsement
Cyber coverage via endorsement is not the same as standalone Cyber Insurance coverage. While cyber coverages can be provided through a traditional Liability and Property Insurance policy via endorsement, this coverage approach is rarely robust enough. Typically, the limit is not adequate, the coverage is not comprehensive, and risk mitigation and incident response are rarely included.
While some comprehensive standalone policies include many of these listed coverages, it is important to know exactly what your Cyber Insurance policy covers, including what is sub-limited or not included.
What are Common Cyber Exposures?
Cyber exposures typically arise from data breaches, ransomware, and loss of money incidents caused by criminal activity or human error. Since policy forms vary and do not necessarily cover all three common exposures, it is important to work with an expert who understands your exposures and the coverages offered to ensure you can make an informed decision in balancing coverage and cost.
A data breach is the inadvertent disclosure or theft of confidential information. Breaches can be caused by employee error, such as a lost laptop, or by malicious criminal activity, which accounts for roughly 50% of all breaches. A breach of certain types of confidential information triggers a report to governmental agencies and a regulated response.
Cyber Insurance policies are designed to cover direct costs associated with a breach, such as the expenses associated with forensic experts, legal advice, victim notification, and credit monitoring. Most Cyber Insurance policies also include protection from liability related to a data breach.
A ransomware attack starts with malicious software encrypting critical information, causing systems to become inoperable and resulting in significant business disruption. Criminals typically demand a ransom payment in a cryptocurrency in return for the key to unlock the data, but there are variations. Criminals might threaten to destroy or divulge information publicly if the ransom is not paid, and in some cases, the key is never provided after a ransom is paid.
Cyber Insurance will cover the ransom payment, but the most significant covered costs are typically those associated with business interruption. Business interruption coverage in a comprehensive Cyber Insurance policy is similar to the business interruption coverage in a property insurance policy, except that the coverage is triggered by a cyber event.
Deceptive Funds Theft
Criminals are always looking for innovative ways to steal money, and the shift to online payments and banking has made this easier. If a criminal can get in, the money can get out.
Criminals will use various tactics to gain access to a system, typically using deceit to obtain user email credentials (phishing). Organizations that make repeated transfers of money or that send electronic payments or invoices are top targets, and criminals may deceive users into sending electronic payments directly to the criminal’s account. Another attack vector is called bank account takeover, where criminals use deception to gain access to an organization’s bank account or payments system, then transfer money out of the account.
What Do I Need To Know About Policy Forms?
Cyber Insurance policy forms are not all the same. Some forms are quite limited, while others are comprehensive and even customized in order to provide the unique coverage required by a specific organization. Because policy forms are not standardized and enhanced coverage is available, utilizing an expert with an understanding of exposures and coverages, and access to underwriters, is critical in ensuring you get the best protection.
Cyber Insurance is provided two ways: via a Cyber Insurance policy, often referred to as a standalone Cyber Insurance policy because it only covers cyber risks, and a cyber endorsement attached to another type of policy. The coverage is not the same, and the standalone Cyber Insurance policy is the better way to go. For example, cyber coverage may be added to a traditional Business Owners Policy (BOP) policy via endorsement, but this coverage approach is rarely robust and typically has low limits. A cyber incident is not the time to find out you have inadequate cyber coverage – a standalone Cyber Insurance policy (a policy providing only Cyber Insurance) is the better approach to comprehensive coverage.
What Doesn't Cyber Insurance Cover?
Cyber Insurance policies vary widely, and different types of businesses need different coverages. Unlike some types of insurance, it is unwise to generalize what Cyber Insurance covers and what it does not. Cyber Insurance policies will typically exclude claims that are intended to be covered by other types of policies. And like most other policies, intentional and criminal acts are excluded in all policies.
Are There Special Situations I Should Be Aware Of?
Technology Professionals Errors & Omissions (Tech E&O) is not the same as Cyber Insurance. However, Tech E&O policies may incorporate comprehensive cyber risk coverage because of the difficulty in distinguishing between a professional negligence claim and a cyber claim for a technology firm. Technology firms, both developers and users of technology, should consider Tech E&O to protect their organization.
Read more about our recommendations for the technology industry.
Buying or Selling a Business
Buying or selling a business that carries Cyber Insurance can be tricky based on the transaction structure and the specific Cyber Insurance policy. Often Cyber Insurance is terminated on the closing date, but this is not recommended. A cyber incident could be in progress without anyone knowing for weeks or months (or longer), and lawsuits can be brought well after an incident. There are steps that be taken to mitigate this challenge, but no two transactions are the same.
Have a question about your specific situation?
What Are Incident Response Services?
Incident response services are dedicated insurance company teams available 24/7 to assist an insured immediately, in real-time, with a cyber incident. Services vary depending on the type of cyber incident and the insurer but typically provide a quick and rough assessment of the incident, guidance on what steps to take to quickly mitigate the situation and access to cyber security and legal services for additional support.
In the best case, an incident response team can resolve the situation right over the phone with a remote connection. However, a sophisticated attack will take time and require significant work on the part of experts to resolve. You should consider whether your Cyber insurer offers 24/7 incident response in addition to Cyber Insurance as part of your proposal evaluation.
How Else Can I Protect Against Cyber Risk?
Risk management is a big part of minimizing potential exposures, and there are many risk management steps that can be taken to reduce cyber exposures. Some steps are obvious, and some require outside cyber security experts. The challenge is balancing the cost and time commitment of implementing risk management initiatives with the potential reduction in losses.
Some cyber underwriters provide valuable risk management information and services along with their insurance. Some steps to consider and may be available through your insurer:
Conduct cyber awareness and best practices trainings for all employees. Effective training is critical because 80-90% of all cyber incidents result from some level of human vulnerability.
Institute regular password changes and implement multi-factor authentication where appropriate.
Update all systems and virus protection software frequently and install all software patches immediately.
Establish payment procedures, including parallel confirmation processes, to eliminate fund transfer exposures.
Safeguard Confidential Information
Periodically review how confidential information is stored, accessed, and protected, and remove obsolete data and permissions.
Develop an incident response plan that includes PR capabilities and regulatory compliance.
Hire an expert to conduct a cyber security assessment, identifying and rectifying exposures for your specific organization.
Enlist 24/7 Support
Work with an expert to purchase comprehensive Cyber Insurance and ensure your cyber insurance provider offers professional 24/7 incident response services, rather than just claim reporting.
What Does Cyber Insurance Cost?
The cost of Specialty Insurance varies widely, and Cyber Insurance is no different. A cyber underwriter will consider an organization’s data, cyber security practices, size, industry, and other factors to determine its likely exposures. The underwriter will also factor in the specific terms being contemplated, such as limits, deductibles, and coverage extensions, to determine the cost. For the smallest organizations with strong cyber security, Cyber Insurance can cost less than $1,000, but this pricing is rare. Working with an expert like eSpecialty Insurance can help you evaluate your options, allowing you to balance coverage and cost.
How Do I Get Cyber Insurance?
eSpecialty Insurance is your specialty insurance expert. We have developed a streamlined marketplace to provide multiple proposals from a range of competitive insurers, along with the expertise to help you evaluate your exposures and choose the best combination of comprehensive coverage and price. We look forward to working with you.
Put our expertise to work as you balance comprehensive Specialty Insurance coverage and cost. Work with us!
Note: Cyber Insurance policies are not all the same. Some policies are more comprehensive than others, and some policies provide broader coverage in specific areas. In addition, each insured may have different exposures and coverage needs. We encourage you to read your policy and consult with an insurance expert such as eSpecialty Insurance.