Cyber insurance (also called cyber liability insurance or cyber risk insurance) is a type of insurance policy that helps organizations cover the financial losses that follow cyber attacks or data breaches. It matters more each year because the cost of a data breach keeps rising and the number of attacks is higher than ever.
Insurance providers that offer cyber coverage must assess an organization's security posture before deciding what liability coverage to offer and at what price. Underwriting questionnaires commonly ask about controls such as multi-factor authentication, offline or immutable backups, endpoint detection and response, and patching cadence. Depending on the resulting risk profile, a provider may decline to insure an organization whose security program is immature, or may charge very high premiums to an organization it judges to be high risk.
Some providers also bundle cybersecurity consulting services: help selecting prevention and monitoring tools, plus access to forensic and incident response firms that can identify and contain incidents when they occur.
Keep reading to discover why cyber insurance is important, how it works, what it covers, how to lower premiums, and why businesses and organizations need to consider purchasing a policy.
Why is Cybersecurity Insurance Important?
In the last few years, there has been a significant rise in cybercrime, and the average cost of a cyber incident has reached $4.62 million, a record high. As cybercrime increases, organizations must prioritize their cybersecurity efforts.
Cyber insurance is important because it can cover the losses that result from cybercrime such as data breaches, phishing, ransomware, malware, and social engineering attacks. A policy may also cover liability claims and the legal costs that follow an attack or breach.
It is important to note that cyber insurance does not prevent attacks; it only pays for financial losses and costs after an incident has occurred, and it cannot restore lost data, downtime, or customer trust on its own. Insurance should be treated as a financial backstop within a broader security program, not as a substitute for one.
What Does Cyber Insurance Cover?
Cyber liability insurance can cover costs and damages arising from:
- Data breaches or leaks
- Data recovery efforts
- Cyber theft or extortion
- Ransomware attacks
- Social engineering or phishing attacks
- DDoS (distributed denial of service) attacks
- Network outages leading to loss of data
- Hardware and software replacement costs
- Lawsuits and other legal fees
- Public relations (PR) costs
- Cyber forensic analysis and investigation costs
- Customer notification and restitution costs
What Does Cyber Insurance Not Cover?
Most cyber policies exclude losses that the insurer considers preventable or negligent, as well as categories of loss that belong under other lines of insurance. Common exclusions include:
- Poor data management and mishandling of IT and digital assets
- Insider attacks like fraud or criminal misconduct
- Preexisting cyber events that occurred before the policy was implemented
- Criminal proceedings, including criminal actions, criminal investigations, and grand jury proceedings
- Loss, theft, or fraudulent transfer of funds, securities, or currency, which is usually handled under a crime policy unless the cyber policy specifically adds funds transfer fraud coverage
- Environmental disasters that lead to business interruption, like floods, gas leaks, or electrical failures
- Known vulnerabilities that the company failed to remediate; because insurers can deny a claim on this basis, keeping records of scan results, risk acceptances, and remediation timelines matters at claim time
- Cybersecurity enhancement and risk management program implementation costs
- Business interruption losses caused by failures of systems owned and controlled by third parties (unless the policy includes dependent or contingent business interruption coverage)
- Incidents experienced by subsidiaries outside of a company’s control and ownership
What are the Different Types of Cyber Insurance?
Cybersecurity insurance policies generally have two main types:
- First-party coverage - The most common type; it covers losses the insured business itself suffers, such as data recovery, forensics, business interruption, and extortion payments.
- Third-party coverage - Covers the insured's liability for losses suffered by others (customers, partners, or other companies) as a result of the incident, including defense costs and settlements.
It is also worth mentioning "silent cyber" (sometimes called non-affirmative or indirect cyber risk). Silent cyber is not a coverage type or a policy that can be purchased.
The term describes cyber-related losses that may end up being paid under traditional property and casualty policies that neither explicitly include nor explicitly exclude cyber risk, so the insurer never priced that exposure into the premium.
For example, if a malware attack sets off a building's sprinkler system and a customer subsequently slips and is injured, a general liability policy that says nothing about cyber could be called on to pay the resulting injury claim, lawsuits, or medical bills. Insurers are increasingly adding explicit cyber exclusions or affirmative cyber wording to traditional policies to remove this ambiguity.
Who Needs Cyber Insurance?
Any business or organization with online exposure should consider purchasing cyber insurance policies. As more businesses transition to cloud storage and computing, cyber insurance is quickly becoming a necessity rather than a luxury. Ultimately, organizations need to weigh the costs of purchasing a policy against the potential financial losses should a cyber attack occur.
Businesses should strongly consider buying cyber insurance if they:
- Store payment information, such as credit card numbers or bank account numbers
- Store sensitive customer information, such as healthcare data, social security numbers, or contact information
- Hold e-commerce data, including sales figures, confidential product information, or business plans
- Own valuable digital assets, including cryptocurrency holdings, non-fungible tokens (NFTs), or classified and confidential documents
If cyber insurance is not purchased, a business must be prepared to pay out of pocket for incident response, remediation services, brand and reputational damage, litigation fees, compliance fines, and customer restitution.
Do Small Businesses Need Cyber Insurance Coverage?
Small businesses are a common target for cybercriminals. Working with limited budgets, they tend to prioritize spending on operations, staffing, and marketing over cybersecurity, and most lack the security infrastructure of larger companies.
Building a strong security program is difficult and can take years of investment, so smaller organizations in particular should consider cyber insurance to protect their assets and sensitive information in the meantime.
Smaller businesses are also far less likely than large corporations to recover from a cyber attack, which makes cyber insurance a high priority, much like other types of business insurance. A single security incident can cripple an entire operation, with little chance of recovery once the business disruption sets in.
According to a Ponemon report from 2017, breach costs for small and medium-sized businesses averaged $2.24 million, and 53% of respondents had experienced multiple breaches. The same study reports that 60% of the business owners polled agreed that cyberattacks have grown more severe and sophisticated year over year.
Post-Pandemic Cyber Attacks
The global pandemic ushered in a new era for businesses by normalizing remote work, and cyber risk has become even more prevalent as cybercriminals use increasingly sophisticated attacks against small businesses.
Cybercrime is reported to have increased by almost 300% since the pandemic began, with over 40% of cyberattacks targeting small businesses. Over 60% of small businesses suffered a cyberattack in the past year, and around 50% say they cannot adequately mitigate these attacks.
The shift to e-commerce, remote access, and a much larger fleet of remote endpoints makes it even more important for all organizations to consider purchasing cyber insurance.
E&O Insurance vs. Cyber Insurance
Before cyber insurance existed, there was E&O insurance, also known as technology errors and omissions (E&O) coverage. E&O is a professional liability coverage for companies that sell physical or digital products and services. It works alongside a standard general liability policy and protects a company against claims that its technology products or services were defective, failed, or were delivered negligently.
Unlike cyber insurance, which covers the costs of data loss and cyber incidents caused by external actors, E&O insurance does not cover the loss of third-party data. It covers only claims arising from errors, negligence, and unintentional failures in the company's own products and services.
Although some cyber insurance policies have provisions for E&O, most insurers sell these as separate policies and plans, so cyber insurance shouldn’t be confused with E&O insurance. In some cases, E&O insurance can complement a cyber insurance policy.
Why Commercial General Liability Insurance Doesn’t Cover Cyber Crimes
General liability insurance policies cover bodily injury, property damage, and product and service liability for policyholders, but they generally do not cover cyber losses. Many general liability forms define "property damage" in terms of tangible property and explicitly exclude electronic data, and insurers increasingly add cyber exclusions to remove any remaining ambiguity. Many insurance experts argue that cyber insurance is still in its infancy and needs further standardization before its coverage can reliably meet the needs of modern businesses.
Cyber-related losses can reach very large sums, which general liability underwriters never priced into their policies. Exposure also grows as a business adds staff, infrastructure, and remote work locations, which makes actuarial estimates for cyber risk far harder than for traditional risks.
Because cyber insurance is relatively new, providers frequently change what their policies offer as the threat landscape shifts. This cuts both ways: underwriters still have limited historical data on which to base coverage terms, rates, and premiums, so policyholders should expect the questionnaire, exclusions, and required controls to change from one renewal to the next.