What Is Cyber Insurance?

What is cyber insurance?

Data breaches and other cybercrimes can damage a business’s reputation and put both customers’ and employees’ personal information at risk. Breaches can also result in significant fines and legal fees for companies of all sizes. Cyber insurance can help protect against these negative outcomes by covering a business’s liability for any data breaches involving sensitive customer information, including credit card data, bank account numbers, health records, driver’s license numbers and Social Security numbers. This is something not covered by general liability insurance. 

Cyber insurance can help companies notify customers about data breaches involving their personal information. (This process is mandatory in most states and can quickly become expensive.) Cyber insurance policies also protect businesses against cyberattack damages and help cover the cost of restoring and recreating any lost or compromised data. Finally, cyber insurance can offer free credit monitoring and public relations services following a data breach and help restore the identities and credit history of any affected customers. [Read related article: How to Do a Cybersecurity Risk Assessment]

What are the different types of cyber insurance?

Getting a cyber insurance policy is part of cybersecurity best practices and risk management. Generally speaking, cyber insurance packages cover one of three major issues: risks to the business, liability for claims and any consequences of those claims. As such, there are three primary categories of cyber insurance that cover each of these issues: first-party liability, third-party liability and general benefits.

First-party liability cyber insurance

A first-party cyber insurance package protects all people directly involved in the data breach or incident. It typically offers coverage to the victim for various issues, including data destruction, extortion, online theft, hacking, and deliberate or accidental denial of service. The package is designed to cover the policyholder’s costs for the fees, damages and inconvenience resulting from the incident. These are some common insurance configurations:

• Fraud and theft. You can use a fraud and theft cyber insurance policy to pay for any costs associated with data loss due to theft, fraud or other criminal matters. It can also cover any risks related to funds transfer or crimes of dishonesty.
• Forensic work. This policy can pay for the technical or legal services required for a forensic investigation. In addition, forensic work cyber insurance can cover prospective, concurrent or even retrospective costs.
• Business interruptions. If you can’t conduct business as usual because of a cyberattack, business interruption cyber insurance can cover many of the costs, including loss of income.
• Cover for extortion and blackmail. Some cybercriminals extort a business owner under the threat of blackmail, requiring them to pay out the ransom to save their company from further damage. Cyber insurance for extortion and blackmail can help cover these costs and gather evidence about the perpetrators.
• Loss of data and restorative work. This type of policy covers the possibility of data loss and any necessary restoration following that loss. This may include repairing or replacing a damaged computer, hardware, software, or lost data and information.

>> Learn More: Business Insurance Guide

Third-party liability cyber insurance

Third-party liability cyber insurance protects policyholders who offer professional services to other businesses, specifically if those services are susceptible to digital threats. These may include errors of commission, errors of omission, data breaches, data theft or business secrets, and defamation and related negative publicity. These are some common options in liability insurance:

• Litigation coverage. A litigation package covers the costs of any obligations associated with a data breach, including court judgments, lawsuits, penalties and fines.
• Regulatory coverage. This type of coverage is for the costs of forensic and technical services (and any associated fines) mandated by a government agency.
• Communications and notifications. This type of policy covers the full costs associated with notifying employees and clients of a cyberattack.
• Crisis measures and emergencies. In case of an emergency or unexpected event, this type of cyber insurance policy will cover all the necessary costs of overcoming the crisis.
• Credit monitoring and review. This package covers the costs of credit-monitoring services and anti-fraud measures in response to an incident.
• Liability for media issues. In the event of copyright infringement or media issues following an incident, this cyber insurance package covers the associated costs.
• Liability for breach of privacy and confidence. This covers a business’s liability for threats to customers’ confidentiality, such as hackers gaining access to clients’ bank accounts or publishing their account information online.

General benefits cyber insurance

A general benefits package covers various other benefits associated with cyber insurance. These may include structured and planned security audits, post-incident management, public relations initiatives and support, criminal reward funds, and major investigations and reports.

Who needs cyber insurance?

Any company handling or using digital information can benefit from extra protection. However, certain business types or activities increase the need for a cyber insurance policy: 

• Organizations using any online or offline computer system to handle sensitive customer data (such as names, addresses, health information, credit card data and Social Security numbers) should strongly consider purchasing cyber insurance. 
• Businesses in industries with specific standards for customer confidentiality — such as healthcare, education and finance — would also be wise to look into cyber insurance.
• Large businesses should opt for a cyber liability insurance package, which broadly covers financial losses due to cyberattacks or other tech risks, as well as any privacy investigations or lawsuits. This level of protection may not be necessary for small businesses dealing with lower volumes of customer data. Instead, they may consider purchasing data breach insurance, a type of cyber insurance that helps companies respond to a breach involving lost or stolen personal information.

However, it is still possible for small businesses to fall victim to a major cyberattack, especially as more and more people work remotely. A comprehensive cyber insurance package covering data breaches and attacks is the safest option for most businesses.

On top of investing in cyber insurance, businesses must also take proactive steps to prevent issues from occurring in the first place.

“By taking proactive steps to combat cyberattacks, organizations avoid not only massive breaches but also the consequences of the breach’s aftermath,” said Grant Burst, director of solutions engineering at Wallix. “Spending money and time to invest in proactive cybersecurity solutions has countless benefits for organizations. While most companies don’t think their information will ever be compromised, with the increase of breaches in the last few years, it’s not a matter of if your company will face a breach, but when.”

Burst added that businesses could suffer financial loss, loss of trust and operational downtime if they don’t take cybersecurity seriously. 

What does cyber insurance cover?

While the exact coverage will depend on the specific policy or type of coverage you seek, cyber insurance can generally protect businesses against the ramifications of a cyberattack or data breach.

In the event of a data breach, cyber insurance can help pay to notify any affected clients or employees and hire a PR firm to mitigate reputational damages. It can also offer credit-monitoring services to victims of the breach, a typically voluntary act that can go a long way in fostering goodwill with your customers.

Cyber insurance can also help cover a variety of fees for businesses that fall victim to a cyberattack. These include:

• lost income
• paid extortion
• regulatory fines from state or federal agencies
• legal services to help you meet state or federal requirements
• lawsuits related to customer or employee privacy and security
• the expenses of notifying affected customers

What does cyber insurance not cover?

It’s important to understand that cyber insurance does not cover every type of claim. You may need to purchase other types of insurance to receive appropriate protection for every facet of your business. These are some types of insurance policies cyber insurance doesn’t generally include:

• General liability insurance. Sometimes called business liability insurance or commercial general liability insurance, this type of insurance protects your company against claims of bodily injury and property damage.
• Commercial property insurance. Commercial property insurance is necessary to protect your business’s rented or owned facilities and equipment.
• Employment practices liability insurance. Employee claims of harassment, discrimination or wrongful termination are all covered under this type of insurance.
• Professional liability insurance. This helps cover claims of negligence, misrepresentation or inaccurate advice in your professional services.

How much does cyber insurance cost?

The average cost of cyber insurance in the U.S. is $1,740 per year (or $145 per month). However, several factors impact how much your business will pay for coverage: 

• Larger companies tend to pay more than smaller companies because of their increased risk of phishing and social engineering attacks. 
• Organizations in high-risk industries, such as healthcare and higher education, also face higher fees.
• The amount and sensitivity of data will also impact the cost of cyber insurance. For example, local businesses with a small customer base will pay less than hospitals with large amounts of sensitive personal and health data. These companies will need third-party coverage in case customers blame them for a data breach. 
• Companies with higher revenue are seen as bigger risks, so they have to pay more for cyber insurance. Insurers will also look into your claim history. If you have made multiple insurance claims, you will probably have a higher premium.
• Coverage limits and deductibles will influence the cost of your cyber insurance. Coverage limits typically range from $500,000 to $5 million per occurrence; the higher your coverage limit, the more your business will pay. However, higher deductibles lead to lower premiums (and vice versa). Ultimately, cyber insurance is a necessary expense. 

Businesses can lower these premiums by dedicating resources and efforts to preventing cybercrime, which cyber insurers often reward. You may also be able to save by bundling your policy, or paying your premium annually instead of monthly. [Read related article: The Cost of Cybersecurity and How to Budget for it]

What should you consider when looking for cyber insurance?

In conjunction with other types of insurance, cyber insurance can protect your business when something goes wrong. Buying the proper coverage is well worth the peace of mind that your business has enough support to make it through potential cyber disasters.

Here’s what to consider when looking for cyber insurance:

Past reports

“Cyber insurance companies should have cybersecurity analysis reports that they send out to their clients,” said David Vranicar, managing partner and founder of FBS Fortified and Ballistic Security. “Ask to see past reports. See what the cyber insurance company’s responses have been to [past] situations, or at least make sure they’ve been on top of them … if they’re not transparent about that information, they’re not for you.”

War clauses

Before you sign with any insurance company, carefully look over the contract for situations that allow the insurer not to pay the policy. One particular item to watch out for is “war clauses.”

“‘War clauses’ have caused problems in the past,” said Mark Stamford, founder and CEO of OccamSec. “Cyberattacks which are believed to have originated with a nation-state, such as WannaCry, enable insurers to not pay out on policies, since it’s considered an act of war. So reading any ‘war clause’ fine print is crucial, especially given how difficult attribution is for an attack.”

Policy payout

Finally, make sure you know how much the policy will pay out, and weigh that against the cost of the insurance.

“There is an old security formula which states the cost you spend to address something should be less than the cost you will incur if the event happens,” Stamford said. “So, if your cyber insurance policy is going to cost you $50,000, but your maximum loss is (you believe) $25,000, then don’t do it.”

However, Stamford warns that estimating the maximum loss from a cybersecurity breach is difficult. The potential loss in time, money and consumer trust may be so great that your business will never be the same again.

How do you choose a cyber insurance company?

When you choose a cyber insurance company, take the following steps to help you make the right decision for your business.

Determine your needs.

Every business has different insurance needs. And you don’t need to pay for features in a plan your business won’t benefit from. Common cyber insurance policies may cover issues like data leaks, lawsuits and extortion. Think about how your business exists online. What issues or risks do you commonly face? What kind of insurance might your customers expect you to have?

Research providers.

Before committing to a cyber insurance provider, look into all of your options — and don’t be afraid to speak to brokers or agents to get a full breakdown on their coverage. You may be able to find specific providers that specialize in your industry and offer exactly what your business needs. Others may be less suited for your business. You may even discover that certain providers require you to have specific security measures in place before being covered.

Gather quotes.

Your cyber insurance will likely come with high premiums. Each year, you may need to pay anywhere from a few hundred to a few thousand dollars. This price will depend on how the provider assesses your liability, history, clients and level of risk. You may have trouble getting an accurate quote without all the pertinent information, so provide the insurance company with as many details as you can. 

>> Learn how to get quotes from the best business insurance companies on the market. 

Read reviews.

Although speaking to insurance agents can be helpful, keep in mind that company representatives are ultimately looking to make a sale. Find reviews for each of your potential providers online; some review platforms even allow you to filter reviews by customers similar to yourself. Do your best to find both positive and negative reviews — even if you have to hunt for them. Look out for recurring issues and complaints. 

Consider insurance and deductible costs. 

As you determine the right provider for your business, compare deductibles and coverage costs. Your deductible will need to be met with out-of-pocket payment before your insurance kicks in. Make sure your business can cover the deductible and that the coverage you receive is worth the cost.

Review the policy.

Not every policy will cover every cyber concern. In fact, some policies may leave you vulnerable to a particular kind of threat. Even if the most basic policy works for your wallet, it may not provide the best protection — and every provider will have differing standards for their most basic policy. Carefully read the fine print to see if the insurer can meet your business’ needs. 

Kimberlee Leonard and Danielle Fallon-O’Leary contributed this article. Source interviews were conducted for a previous version of this article.