Many insurance companies are diving into the cyber risk insurance game, and some have names you already recognize (such as Progressive Business and Travelers). Your business’ current insurance company may offer cyber risk insurance as an add-on to your existing policy.

The concept of cyber risk insurance has only been around since 2005 and is an offshoot of Errors and Omissions insurance. That means the industry is relatively new and still evolving.

Cyber risk insurance may be an entirely new idea for you, but it’s definitely something that you should include in your cybersecurity strategy along with your back-up and recovery solutions. Cyber risk insurance can help you recoup losses, pay for investigations, cover legal costs, and give you the funds you need to get your business back up and running.

What is Generally Covered Under a Cyber Risk Insurance Policy?

Most cyber risk insurance policies cover the fallout from a breach, helping to cover the costs directly related to the incident. Depending on the policy you choose, this coverage can include:

1. Network security damages as a direct result of a cybercrime, such as:
  • Payment of ransomware
  • Data breach notifications
  • Identity restoration and credit monitoring
  • IT forensics
  • Legal expenses
  • Data restoration
  • Public relations intercessions
2. Business Interruptions

This allows the policy holder to recover some expenses following a breach, such as fixed operational expenses and lost profits. These clauses generally cover system failures, human error, and security failures.

Some cyber risk insurance policies also cover profit losses due to reputational damage following a cyber breach.

3. Legal Fees Incurred Due to Breach of Contract

If a breach has kept you from fulfilling customer and client obligations, you can be held legally liable for damages. A good cyber risk insurance policy can help you mitigate these costs.

4. Breach of Privacy

Many verticals have stringent privacy rules and regulations. HIPAA is the one most people think of, with fees and fines for any violation deemed “negligent.” These regulations cover every employee, whether working in the office, remotely from home, or as a third-party vendor. Most cyber risk insurance policies will cover the legal costs and fees for violations resulting from a cyber breach that exposes data. A policy can also protect your business against class-action litigation and penalties awarded by the courts following a breach.

5. Replacement Hardware

Since many forms of malware can render hardware useless, a good cyber risk insurance policy will cover the replacement of damaged equipment following a cyberattack.

What is Usually Not Covered

Again, reading the fine print will help you understand the limitations of your cyber risk insurance policy. Many small to medium-sized businesses were taken by surprise when their claims relating to COVID-19 security breaches were not covered. Every policy is different, so double-check yours to make sure it covers:

1. BYOD and Remote Worker Claims

Be aware of exclusions for BYOD and remote workers. Some of these exclusions can be very specific, such as not covering a device that is unencrypted or refusing to cover employees who haven’t signed an acceptable use policy. In these cases, an employee’s personal device replacement costs will not be covered, even if the device was destroyed as part of a malware attack. Read the fine print and make sure your coverage includes BYOD and remote worker claims.

2. “Acts of War”

This stipulation has been slipped into some cyber risk policies to disallow payment for cyber breaches carried out by state-sponsored actors and foreign hackers. Because such an attack may be classified as “an act of terrorism,” you may be unpleasantly surprised to find your coverage doesn’t protect you from larger, organized groups of hackers.

3. Potential Profit Loss in the Future

Your cyber risk insurance policy may cover profit loss to a degree, but many will not cover “future” losses and may have a limited amount of time following the breach where they will reimburse you for lost profits.

4. Upgrading Technology

Unless the devices and hardware were damaged because of a cyberattack, most cyber risk insurance policies will not cover updating or upgrading equipment even if doing so increases your overall cybersecurity.

Choosing the Best Cyber Risk Insurance Policy for Your Business

Choosing the right policy, like choosing your car insurance or health insurance, will depend on your company’s size and your industry’s threat levels. When comparing coverage, look for these key points:

Deductibles

Cyber risk insurance will have deductibles, just like any other insurance policy. The average deductible, per a study from AdvisorSmith Solutions Inc., is around $10k for $1 million in liability coverage. The annual cost of a policy averages $1500 per year for that same $1 million policy, varying by location and industry.

Stand-Alone Policy vs Add-On

Your existing business insurance company may offer cyber risk insurance as an add-on to your coverage. Look at what they offer and compare the pricing and coverages to cyber risk insurers; most of the time, a stand-alone policy will provide more comprehensive coverage than add-on policies.

Accidental Actions

Since employees accidentally cause 90% of breaches, it’s important to choose a policy that covers unintentional employee actions such as responding to a phishing attempt, clicking infected attachments, or falling for a “spoofed” website. Make sure your policy covers “social engineering,” a blanket term that includes most of these email-related attacks.

Just like getting a car insurance discount for taking a safe-driving course, your policy may include discounts for employee cyber-security awareness training.

APTs (Advanced Persistent Threats)

APT coverage under cyber risk insurance is tricky. The threat is not a single targeted incident; it is a slow process taking place over weeks, months, and even longer. Check how the cyber risk insurance carrier covers APTs and choose a policy with longer time frames for collecting on damages caused by them.

Third-Party Coverage

Any policy you find will cover breaches of your own business, but what if the threat came through a third-party vendor? Your point-of-sale software, your financial institution, your MSP, and even your accountants or attorneys are all closely connected with your business. When bad actors hack third-party vendors, they are looking for the bigger prize at the end of the game: your business’ sensitive data. Your customers will still hold you responsible, even if the breach wasn’t your fault. What type of coverage does the insurance company offer for damages resulting from third-party vendor breaches?

Attack Target

Some breaches occur because hackers cast a wide net hoping to catch anyone they can, while other attacks target a company specifically. There may be hidden clauses in the policy stating that you are only covered in the event of a targeted attack and not an indiscriminate, widespread hacking campaign.

Qualifying for a Cyber Risk Insurance Policy

As part of the process of underwriting a policy, insurance providers typically conduct a basic audit of the potential customer’s cybersecurity practices. Most insurance providers look for the “minimal security controls” a potential customer has in place. Companies can best prepare for buying a cyber-insurance policy by conducting their own audits before the insurance company does.

A good cyber-insurance risk assessment considers whether a potential customer:

  • Has deployed perimeter firewalls and antivirus software
  • Uses strong and complex passwords
  • Installs software patches regularly
  • Has a user management process in place
  • Is still running end-of-life hardware or software
  • Has physical security controls
  • Encrypts mobile devices that interact with sensitive or regulated data

In addition to the above list, companies should have a written cybersecurity policy in place, provide basic security training to employees, and consistently review and respond to security monitoring alerts. All of these are very basic steps, and any company in today’s world not following those practices will likely have far bigger problems to worry about than being denied insurance.

At the most basic level, continual monitoring of network traffic is an absolute requirement. Security teams need to detect and respond to breaches before serious damage is done.

Prospective cyber-insurance clients should also do technical control assessments to ensure their security controls are up-to-date. We see that many companies will look at the regulatory compliance requirements they face and, upon meeting the bare minimum for those requirements, consider their cybersecurity job done. In today's environment of constantly evolving threats, this can be a grave mistake.

Contact us today to begin the process of getting your cyber risk insurance implemented.
