A cyber insurance policy is an insurance policy designed to help organizations mitigate their risk exposure to cybersecurity-related data breaches or similar events. With its roots in errors and omissions insurance, cyber insurance began catching on in the early ’00s as cybersecurity incidents became much more prevalent for businesses large and small.
The first cyber insurance policies were geared toward information technology companies responsible for managing networks and systems used by other businesses, and they protected a service provider from the risks involved in managing third-party infrastructure. The cyber insurance space has evolved since the mid-'90s, when this kind of insurance was common. Current cyber insurance protection comes in three forms: third-party written coverage, first-party written coverage, and implicit silent cyber coverage. It's worth looking at each of these in closer detail.
Third Party
Third-party liability cyber insurance reimburses the insured party for the costs incurred by their clients because of data breaches, malware infections, or other cyberattacks in which the insured party was at fault. Third-party liability coverage is the cyber equivalent of medical malpractice, where businesses are insured against the harm they inflict on their clients by their action (or, as is usually the case with cyber risk, inaction). Many early policies were of this form.
First Party
In the mid-2000s, cyber insurers began offering first-party expense coverage, which expanded insurance offerings to any company that uses technology. First-party expense cyber insurance reimburses insured parties for the costs of a cyberattack that directly affects their business. First-party policies can be broad or very specific, depending on the needs of the company, and may cover post-cyberattack expenses such as credit monitoring and other data breach expenses, hiring crisis management consultants to restore brand reputation and manage PR, as well as data recovery costs.
Silent
Silent cyber risk is a third type of cyber insurance coverage that is not a cyber insurance policy at all, but a term that refers to potential cyber-related losses stemming from traditional property and casualty policies that were not specifically designed to cover cyber risks. Say, for example, a building's computer system is infected with malware, which then sets off the sprinkler system, causing a patron to slip and fall. If cyber perils are not explicitly excluded, the hotel's traditional property and casualty coverage would be expected to cover the medical bills of the injured customer and other damages.
What Should Cyber Insurance Cover?
Types of cyber coverage currently available include:
Data breach coverage - This pays out for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center, credit monitoring and restoration services for victims, and crisis management services.
Regulatory civil action coverage - This pays out in cases where the insured is facing fines under GDPR, or from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action, while others may pay the fine as well.
Cyber extortion coverage - For cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policyholder's system and demands payment to disable it. Policies usually cover the cost of a negotiator and the expense of offering a reward leading to the arrest of the perpetrator.
Virus liability - Pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policyholder's system.
Lost income coverage - Replaces revenue lost while the policyholder's computer system or website is down. Insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses.
Loss of data coverage - Pays for the cost of replacing the policyholder's data in case of loss. Backup policies are not always effective, and accidents and sabotage happen.
Errors and omissions coverage - Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policyholder's software.
How Much Does Cyber Liability Insurance Cost?
Depending on your business, cyber liability insurance can range in price from $500 per year to as much as $50,000 or more per year. By tailoring coverage to your business's specific needs, you should be able to find a cyber liability policy that fits your budget. Several factors can affect the cost of cyber liability insurance:
Coverage limits - The higher and more complex your coverage needs, the more expensive your policy will be. For example, if your company uses multiple servers or if you store a lot of customer data, your insurance will be more expensive.
Data access - Limiting access to sensitive data can help you save money. For instance, if you grant data access only to senior employees, that could help. Having an in-house security expert can lower costs as well.
Security measures - Effective security measures, such as installing antivirus software and network firewalls and regularly updating your passwords, can lower your premiums.
Industry - A business that operates primarily online will face more cyber threats, and pay correspondingly more, than a brick-and-mortar business with a low-traffic website. Similarly, businesses in certain industries—like healthcare and accounting—that store the most sensitive types of data will also pay a higher premium.
Claims history - If you have a history of multiple claims, the insurance company might charge you a higher premium.
Compared to other types of business insurance, the cost of cyber liability insurance is higher because the fallout can often be much greater. When you add up all the costs involved with a cyber incident, it can be very expensive. A small business needs to contain the crisis, respond to customers, deal with public relations damage, fix damaged hardware or software, recover lost profits, and cover the cost of any legal claims.
Cyber liability coverage is still very much an evolving area of insurance. Since insurance companies are still relatively new to this space, there isn't always a lot of clarity around what cyber liability insurance does and doesn't cover. That makes it especially important to read through your entire policy before committing, preferably with the help of a broker or insurance professional. With the right cyber liability policy, you can avoid the costs and harm to your brand that can otherwise result from a cyber breach.