A comprehensive cyber policy should cover ransomware strikes, business email compromise threats, phishing attacks, and other common cyberattacks.
Cyber insurance provides critical protection against the legal and financial repercussions caused by incidents like data breaches and other cybersecurity issues such as theft, system hacking, ransomware extortion payments and more, but policy terms vary widely among insurers.
Organizations of all kinds, from global companies to mom and pop shops, actively benefit from using technology to do business.
Technology is only becoming more complex and sophisticated, which unfortunately means so are the cyber threats we face, making them harder to defend against.
You should have cybersecurity insurance if your business handles customer data or stores sensitive information online or on a computer.
Every organization needs to be prepared with both cyber liability insurance and an effective cyber security plan to manage and mitigate cyber risk.
Being without it means it’s not a question of if your organization will suffer a breach, but when.
What are the Types of Cybersecurity Coverage?
Cybersecurity insurance generally comes as either first-party or liability coverage; these policies protect companies in different circumstances.
Some insurers offer cyber insurance as an add-on to a business owner’s policy, but you can also purchase this coverage separately.
Cybersecurity insurance can cover the cost of notifying your customers about a breach, legal defense and more.
First-party cybersecurity insurance covers the costs of things like:
- Investigation of the incident.
- Risk assessment of future cyber incidents.
- Lost revenue due to business interruption.
- Ransomware attack payments based on coverage limits.
- Notifying customers about the cyber incident and providing them with anti-fraud services such as credit monitoring.
The most common first-party cybersecurity coverage is data breach insurance.
Third-Party or Cyber Liability Coverage
Cyber liability coverage can protect your business if a third party sues you for damages as a result of a cybersecurity incident.
Cyber liability coverage generally pays for:
- Attorney and court fees associated with legal proceedings.
- Settlements and court judgments.
- Regulatory fines for noncompliance.
General liability insurance excludes coverage for data-breach-related liability claims, so if your business stores customer data, you’ll want to consider a separate cyber liability insurance policy.
Daniel R. Stoller at Bloomberg Law had an excellent observation about the risks of phishing related cyberattacks to general crime policies.
Phishing attacks are the practice of malicious actors sending fraudulent communications that appear to come from a legitimate trusted source.
Phishing is one of the most common types of cyberattack, so it is important that everyone learn about it in order to protect themselves and their organizations.
The Bloomberg Law article: “The Travelers Cos. will argue May 2 that cash payments made in connection with a phishing attack aren’t covered under a general crime insurance policy.
The litigation before the U.S. Appeals Court for the Sixth Circuit highlights issues facing companies that seek to use broad insurance policies to regain losses after a phishing attack, where hackers use email credentials to trick others into sending sensitive information or cash payments.
Half of crime fraud insurance plans include coverage on phishing attacks that lead to wire fraud, but the other half do not. This lack of coverage clarity has caused litigation from consumers.
Reliable insurance brokers will verify that either a cyber or crime policy covers phishing attacks, but others may not see that there is an exclusion for wire-fraud related cyberattacks.
Attorneys said insurers are trying to clarify coverage terms by explicitly excluding cybersecurity incidents in their general policies. Even in extreme situations, there are “sub-limits of coverage” that usually range from $250,000 to $500,000.
Check out the full article below, and we recommend you share this with your CEO, Chief Risk Officer and/or your Legal team. Bloomberg Law: “Gone Phishing: Travelers Claims Plan Doesn’t Cover Cyber Losses”
Technology Errors and Omissions
A technology errors and omissions, or E&O, policy kicks in if a cybersecurity incident occurs in a customer’s business because of an error on your part. You should consider buying this coverage if your business manufactures a technology product or provides technology services.
For example, if a customer’s financial data is stolen from your computer, first-party or liability insurance would provide coverage.
However, if you write an accounting software program that has an error in the code and the customer’s data is stolen directly from their computer as a result, you’re now in tech E&O territory.
Technology E&O pays for items similar to those covered by cybersecurity liability insurance, such as legal fees, court costs, and judgments or settlements, but only in covered circumstances relating to products or services.
Which Businesses Need Cybersecurity Insurance?
Almost any business — no matter its size — can be at risk for cybercrime. Cybersecurity insurance is especially important for:
- Businesses that store important data online or on computers: If your business stores important data, such as phone numbers, credit card numbers or Social Security numbers — either online or on a computer — you are at risk of a cyberattack. You should consider data breach insurance. If you store sensitive customer data, consider cyber liability coverage, too.
- Businesses with large customer bases: Insurance can help cover certain regulatory fines these businesses might be subject to following a data breach. Notifying customers of data breaches is often required by state law, and first-party policies can cover this cost, which can be significant for companies with large consumer bases.
- Businesses with high revenue or valuable digital assets: The costs associated with cyber incidents can be difficult to predict, and larger companies are likely to have more valuable data, which could come with a more expensive ransom.
What Does Cybersecurity Insurance Exclude?
Cybersecurity insurance does not pay for the following:
- Property damage: Cybersecurity insurance generally doesn’t pay for any property damage stemming from a data breach or cyberattack, such as hardware that was fried during the cyber incident. These sorts of claims are usually covered by commercial property insurance.
- Intellectual property: Intellectual property losses during a cyber incident, and any lost income associated with them, are commonly excluded from cybersecurity insurance coverage.
- Crimes or self-inflicted cyber incidents: Virtually no cybersecurity policy is going to cover a business that is charged with committing a crime related to or causing a cyber incident. Commercial crime insurance generally covers theft by employees, though.
- Costs for proactive preventive measures: Protective measures to avoid a future cyberattack, like training employees on cybersecurity and setting up a virtual private network, probably won’t be covered by a cyber insurance policy.
Check Your Policy
Obtaining a thorough social engineering, or phishing, attack plan could help a company avoid litigation over coverage, but they may not have ample opportunity to get one.
Social engineering crimes perpetrated by using a computer are relatively new and the law regarding insurance coverage for those losses is evolving.
Insurers tend to take the position that social engineering losses are not covered under a crime policy’s computer fraud or funds transfer fraud coverages, and are only covered if the insured purchased social engineering coverage.
Phishing coverage is relatively new, and the cyber insurance industry is still growing. You should have a detailed conversation with your insurer about what your organization wants to protect.
Companies that do buy insurance to cover potential cybersecurity losses should check to make sure specific cyberattacks aren’t excluded from their coverage.
Those that only scan a portion of an insurance plan will often miss out on “dozens of exclusions,” such as providers’ refusal to pay for “redirection of funds”—a term that would typically encompass phishing losses.
Cyber insurance coverage also requires extra due diligence, compared to other business risks, because of the nascent stage of the industry.
A total of 88% of small business owners feel vulnerable to a cyberattack, according to a recent SBA survey. If your business is the victim of cybercrime, recovery costs can be expensive, including specialized repairs and legal fees.