What Does a Cyber Insurance Policy Cover?
If you're a business owner, it’s a near guarantee that you're using computers to send, receive, or store electronic data on a daily basis. That data could include tax records, payroll, or any other information owned by your organization. If that information is damaged or stolen due to a data breach, it could be extremely costly, in terms of both replacing it and regaining the trust of customers.
A dedicated cyber insurance policy provides business owners with the tools to cut down on a wide range of costs in the event of a breach. For example, a system might contain sensitive data belonging to employees, vendors, or customers. If that data is lost or compromised, the client could be sued for damages. They could also incur substantial notification expenses, as most states have laws requiring businesses to inform people when their personal data has been compromised.
Although news stories generally only highlight when major corporations fall victim, small and medium-sized businesses are actually the most vulnerable to these attacks. Having a cyber insurance policy is the most straightforward and effective way to help ensure you are securing the future of your business.
What Are the Categories of Cyber Insurance?
Cyber risk insurance covers the costs of recovering from a security breach, a virus, or a cyber attack. It also covers legal claims resulting from the breach. Most cyber policies and data breach insurance include first-party and third-party coverage. Some are included automatically and others can be added “a la carte.” Here is what you need to know about these policies.
First-party coverage pays the expenses a business directly incurs from the incident, such as the cost of informing customers of the attack. This can include the following:
- Damage or loss of electronic data. This is sometimes referred to as network asset damage or digital asset damage. This covers the cost of recovering or replacing data or programs affected by a breach. You’ll want to check which perils are covered by the policy, such as losses from crypto mining, a virus, or a denial of service attack. Policies may cover the cost of hiring IT experts to investigate and reconstruct the data.
- Loss of income. In cyber policies, this can be called cyber business interruption and can also include dependent business interruption or system failure. This covers income losses experienced as a result of business interruption from a cyber event, as well as other expenses incurred to avoid shutting down. This is an especially important point because, according to the 2020 Cost of a Data Breach Report, the average cost of a breach is $3.86 million.
- Cyber extortion / ransomware. This applies when a hacker breaks into a company’s system and threatens to release a virus or launch a denial of service attack, or encrypts the data and demands a ransom payment. This coverage typically extends to any ransom payments made, as well as any expenses incurred in the process.
Ransomware is an enormous issue for companies, with staggering numbers of companies experiencing attacks every year. According to the 2021 Sophos State of Ransomware report, 37% of organizations have experienced a ransomware attack in the past 12 months as of February 2021.
- Reputation damage. Certain policies cover the costs of marketing and public relations to protect the company’s reputation after an attack. On a cyber insurance policy sample, it may be called Crisis Management.
Not all of these will be included in every cyber policy and some will be subject to a deductible, so it’s important to look at your options in-depth to determine the right coverage for a client.
Third-party coverage refers to insurance for legal claims against a business by people who have been injured by the attack. For example, if a hacker stole a customer’s personal information and posted it online, third-party coverage would pay for the cost of a lawsuit against the company. The major areas of third-party coverage include:
- Network security and privacy liability. This covers claims of negligence, errors or omissions, unauthorized access, the introduction of a virus, or any other lawsuit associated with the security breach. This includes claims alleging that a company failed to protect sensitive data, whether that data belongs to customers, clients, or employees.
- Media liability. Electronic media liability insurance covers lawsuits against a company for libel, slander, defamation, invasion of privacy, or other types of infringement. These acts are generally covered only when they are the result of a company publishing data online.
- Regulatory proceedings. Due to data breach laws, a company may incur fines from regulatory agencies in the event of a breach. Third-party coverage can pay for these expenses, as well as the cost of hiring an attorney to assist in response to any legal/regulatory proceedings.