Cyber Insurance protects an organization from exposures related to its use of technology and data. In today’s world, virtually every organization utilizes technology in its communications, supply chain, data storage, and delivery of products and services, exposing it to cyber risk. Exposures typically arise from data breach, extortion, and loss of money incidents caused by criminal activity or human error.
In the event of a cyber incident, an organization incurs a variety of expenses to resolve the network security failure and restore business operations. Examples of these costs include professional incident response, business interruption, customer notification, PR or reputational damages, and even ransom payment.
Cyber Insurance coverage can vary widely from policy to policy. In response to an increase in significant breaches in the early 2000s, the Cyber Insurance market has expanded quickly. Because cyber exposures continue to evolve rapidly as hackers create new ways to access confidential information and to attack critical systems and data, leading underwriters continue to respond with new coverages. Generally, policy forms have been developed independently by underwriters, so there is no standardization. For this reason, utilizing an expert with an understanding of Cyber Insurance exposures and coverages is critical to ensuring an appropriate balance of coverage and cost.
Who Needs Cyber Insurance?
Any organization that digitally stores or transmits confidential information, or whose operations may be subject to disruption from the failure or breach of technology, should have Cyber Insurance. This includes organizations that:
Why do you need Cyber Insurance?
Organizations utilizing technology to conduct business in our modern world inadvertently put themselves at risk of data breach, ransomware, and loss of money cyber incidents. In recent years, hackers have increased the frequency and intensity of cyber attacks on companies of all sizes. Cyber incidents can lead to disruption or suspension of business operations and significant financial loss. Additionally, states have put in place regulations and statutes that dictate company response to an incident, increasing the financial cost of a cyber breach. Cyber Insurance provides you with the financial and expert resources to address these cyber-related losses.
Cyber exposures are not consistent between industry types.
An insurance agency may have a lower exposure to data breach, but an increased exposure to loss of funds through payment transfer fraud.
A healthcare organization typically utilizes detailed patient medical data and relies on sophisticated technology for patient treatment. Healthcare organizations are subject to HIPAA regulation, increasing the consequences of a data breach, and may have to shut down operations if systems are disrupted, potentially from a ransomware attack.
A non-profit may rely on systems and data in multiple ways, creating exposures from data breach, ransomware and fraudulent funds transfer.
A law firm specializing in real estate will have some exposure to both data breach and ransomware, but significant exposure to fraudulent funds transfer related to real estate closings.
SMBs (small & medium-sized businesses) are increasingly targeted by ransomware and loss of money attacks, as they have enough money to make a criminal venture worthwhile and are likely to have less sophisticated cyber security than a large company. And unfortunately, for these small businesses, cyber attacks can be devastating. According to the Ponemon Institute, the average cost of a data breach in the United States in 2021 was $9.05 million. That cost only dropped to $2.98 million for organizations with fewer than 500 employees.
Large businesses have the same cyber exposures as small businesses, but typically have sophisticated cyber security resources and the potential for increased severity of loss. Not only should large organizations have comprehensive Cyber Insurance, they should ensure that they have adequate limits.
Make sure you work with an expert to understand your primary cyber exposures and the cyber coverage needed, and to ensure that you can make an informed decision to balance coverage and cost.
Cyber Insurance is also available for individuals. Anyone using a computer or smartphone to communicate, store important information, or transact with financial and other services has cyber exposure, and criminals are finding that this can make individuals lucrative victims. Individual Cyber Insurance policies have been designed to cover expenses related to personal concerns like identity theft, fraudulent wire transfer, and cyber bullying.
What does Cyber Insurance cover?
We are glad you asked because Cyber Insurance policy forms are not all the same. Some provide limited coverage with aggressive exclusions, while others are comprehensive and even customized in order to provide the unique coverage required by a specific industry or organization. Because policy forms are not standardized and enhanced coverage is available from specialty insurance markets, utilizing an expert with an understanding of exposures and coverages, and access to these markets, is critical in ensuring you get the best protection.
A comprehensive Cyber Insurance policy typically will include both first party and third party (liability) coverages. First party coverage refers to expenses incurred by the insured organization as a result of a cyber incident, while third party or liability coverage provides for costs incurred due to a third party lawsuit resulting from a cyber incident. The coverages generally included are:
Business interruption (loss of income and extra expense)
Fraudulently induced fund transfer
Liability to others for cyber incidents, and associated legal & other costs
Reimbursement for legal costs, including civil damages
Breach notification costs and related legal expenses
Ongoing credit monitoring for victims of breach
Crisis management and/or reputational damage
While some comprehensive standalone policies include many of these listed coverages, it is important to know exactly what your Cyber Insurance policy covers, including what is sub-limited or not included.
Note: cyber risk coverage via endorsement is not the same as standalone Cyber Insurance coverage. While Cyber Insurance coverages are sometimes provided through a traditional Liability and Property Insurance policy via endorsement, this coverage approach is rarely robust enough. Typically, the limit is not adequate and the coverage is not comprehensive. In addition, risk mitigation and incident response services are rarely included.
What are incident response services and why are they important?
Incident response services are dedicated teams provided by the cyber insurer that are available 24/7 to assist immediately, in real time with a cyber incident. Services vary depending on the type of cyber incident, but typically provide a quick and rough assessment of the incident, guidance on what steps to take immediately to mitigate the situation, and access to cyber security and legal services for additional support.
In the best case, an incident response team can resolve the situation immediately. However, a sophisticated attack will take time and require significant work on the part of experts to resolve. As part of your purchasing decision, you should consider whether your insurance provider offers 24/7 incident response in addition to cyber coverage.
What are common Cyber Insurance exposures?
Cyber exposures typically arise from data breach, ransomware, and loss of money incidents caused by criminal activity or human error. Since policy forms vary and do not necessarily cover all three common exposures, it is important to work with an expert who understands your exposures and the coverages offered to ensure you can make an informed decision in balancing coverage and cost.
A data breach is the inadvertent disclosure or theft of confidential information. Breaches can be caused by employee error, such as a lost laptop, or by malicious criminal activity, which accounts for roughly 50% of breaches, a share that is growing.
Cyber Insurance policies are designed to cover direct costs associated with a breach, such as the expenses associated with forensics, legal advice, PR support, victim notification and credit monitoring. In fact, it was a series of serious breaches that drove state governments to pass data breach laws, beginning with California in 2003, that triggered coverage adjustments to provide insureds with financial and expert resources to effectively comply. Many policies also include some protection from liability related to a data or security breach.
Hitting the headlines with increasing frequency, ransomware is a targeted attack in which criminals use malware (malicious software) to locate and encrypt sensitive information stored locally or in the cloud. The encryption restricts access to critical data, causing key systems to become inoperable. The criminals typically offer to unlock the data, and may threaten to divulge proprietary information publicly, unless a ransom is paid, often in cryptocurrency.
A fast response is critical to effectively restoring systems, data and operations in the event of a ransomware attack. In addition to covering the costs of recovering the data, restoring systems and resuming operations, Cyber Insurance underwriters can provide immediate incident response services. The cyber coverage typically will cover the cost of the ransom, in the event that paying it becomes the only available option. Additionally, comprehensive policies will cover costs of business interruption, crisis management, and reputational harm associated with a ransomware attack.
Loss of Money
Criminals are always looking for ways to steal money, and unfortunately, with the shift to online banking and payments, there are many ways to access an organization’s funds electronically.
Most commonly, businesses are infiltrated by business email compromise, whereby a criminal gains access to an email account and uses it to deceive the recipient into sending money to the criminal. Firms that make repeated transfers of money, such as closing agents, and companies that send electronic invoices are top targets. Another attack vector is called bank account takeover, where criminals directly take over an organization’s bank account by obtaining bank account user credentials, then transferring money out of the account. A variation on this attack is using the same approach to access an organization’s online payment platform, such as a payroll system.
Some Cyber Insurance policies, but not all, will reimburse some or all funds stolen or sent to fraudulent accounts, whether from a client account or the business’ own account.
What doesn’t Cyber Insurance cover?
A standard cyber insurance policy will generally not cover:
Incidents that an insured knows about prior to coverage incepting
Lawsuits related to vulnerabilities leading to data breach
Data breach by a foreign power (acts of war exclusion)
Additional costs to upgrade security systems after a data breach
Theft of intellectual property or patent infringement
Utility infrastructure disruption, such as water, electricity, or gas (although coverage may be available on a custom basis)
Criminal proceedings related to cyber security breach
Note: Technology Professionals Errors & Omissions (Tech E&O) is not the same as Cyber Insurance, although Tech E&O policies may include cyber risk coverages. Technology professionals develop technology and related services for individuals and organizations and need Professional Liability (E&O) Insurance to protect themselves from client lawsuits. eSpecialty Insurance can provide a range of comprehensive and sophisticated Tech E&O products for all types of technology professionals. Please reach out to us if you have questions about appropriate coverage.
What does Cyber Insurance cost?
Short answer... it depends. Long answer, it can vary greatly depending on a number of factors including:
Size of business
Number of personally identifiable information (PII) and protected health information (PHI) records
The sophistication of an organization’s cyber security
Coverage needs and exposures (limit, deductible, etc.)
The cost of Cyber Insurance varies as increasing competition and significant loss frequency create challenges for underwriters. Policies can start as low as $500 but may not provide appropriate coverage or limit for your specific need. For this reason, we recommend purchasing Cyber Insurance by coverage, not by cost. Working with an expert like eSpecialty Insurance can help you balance comprehensive coverage and cost.
How can I protect against Cyber Risk?
Risk mitigation is a big part of minimizing potential exposures, and there are a variety of steps you can take to prevent and moderate incidents before they ever happen:
Conduct trainings for all employees on cyber security best practices. Effective training is critical because 80-90% of all cyber incidents result from some level of human error.
Enforce regular password changes and implement multi-factor authentication where appropriate
Update all systems and virus protection software frequently and install all software patches immediately
Address potential third-party exposures and establish funds payment procedures with banks and other professional service providers to eliminate fund transfer exposures
Periodically review how confidential information is stored and accessed, removing obsolete data and permissions
Develop an incident response plan that includes PR capabilities and regulatory compliance
Hire an expert to conduct a cyber security assessment, identifying and rectifying exposures for your specific organization
Ensure your cyber insurance provider offers professional 24/7 incident response services, rather than just claim reporting
Work with an expert to purchase appropriate and comprehensive Cyber Insurance
How can I get Cyber Insurance?
Work with us! At eSpecialty Insurance, we are the experts so you don’t have to be. We specialize in providing comprehensive Cyber Insurance coverage at competitive prices from top insurance companies, and we have developed a hassle-free, streamlined approach to quoting that makes getting covered easy. We can provide you with a variety of coverage options, fully customizable to your specific needs and limits. To find out more, please contact us.