All businesses, large and small, are potential targets for cyberattacks. Someone intent on doing harm can:
- Hack, steal and sell your data
- Delete or destroy your data
- Modify your data
- Encrypt your data and demand ransom
- Send fraudulent invoices or instructions to your clients or employees to redirect payments or transfer money to a cyberthief’s account
- Exploit your company’s access to third-party systems to breach vendor, supplier, affiliate or subcontractor systems
All it takes is a missing patch, a failure to make a timely software update, a weak or shared password, an angry employee or a determined competitor—not to mention state-sponsored criminals.
Even if your cyber security controls are rock solid, what about everyone else’s? In this age of digital interconnectivity, cybercriminals can get in through the back door by exploiting weaknesses in the systems of your suppliers, partners and customers, also known as your digital supply chain.
This blog post discusses cyber insurance coverages and shares what you should know when buying a policy.
What Are the Types of Cyber Insurance Coverage?
While cybercrimes don’t occur every day, they happen frequently enough that risk managers should meet with a knowledgeable broker to assess the cyber-related needs of the business. Then, ensure that the right types of coverages are in place. Pay close attention to policy definitions as well as actual exclusions that leave your organization vulnerable.
Information Security and Privacy Liability
This is coverage for defense costs and indemnity claims against you for alleged theft, loss or unauthorized disclosure of personally identifiable information, protected health information or third-party information, such as trade secrets or credit card information, that is in your custody and/or for which you are legally liable.
It also protects you against your company’s alleged failure to prevent a security breach that causes damage to data stored on your computer systems. This definition may extend to systems operated by a third-party service provider used to store your electronic data. A third-party allegation that malicious code was transmitted from your systems to someone else’s computer systems, or that your systems participated in a denial of service attack directed against someone else’s computer system, is also covered.
Privacy Breach Response Services/Notification/Crisis Management Costs
In the event of a breach or cyberattack, this coverage reimburses you for things such as computer security expert services (e.g., forensics, prevention of future breaches), legal services, notification services (to alert anyone whose information was breached), call center services, breach resolution and mitigation services (e.g., credit monitoring, identity monitoring) and public relations expenses.
Regulatory Defense and Penalties
This coverage reimburses you for claims, expenses, fines and penalties that you become legally obligated to pay because of a regulatory proceeding (e.g., federal, state, local, foreign enforcement agency) brought against you for a violation of privacy law, such as by a state attorney general for violation of a state data breach notification statute.
Other Fines and Penalties
This coverage takes care of other civil fines and penalties arising out of a cyber peril (e.g., loss of consumer information or data protected by HIPAA, GDPR, etc.) to the extent insurable by law.
Payment Card Industry (PCI) Fines, Expenses and Costs
If contractual claims are made against you under a merchant service agreement (credit and debit card payments) for fines, expenses, assessments and other costs, this coverage applies. Note that the insurer will not defend these claims.
Website Media Content Liability
This coverage applies to damages and expenses resulting from claims made against you by third parties for covered acts committed while displaying materials on your website or social media sites. Covered acts include defamation and other torts, violation of privacy rights, invasion of the right of publicity, plagiarism, copyright or trademark infringement, and improper deep linking.
Network Business Interruption Loss
This coverage protects you against business interruption losses sustained due to a cyber event or security breach data loss. Business interruption losses may include income, dependent business loss (e.g., breach of security systems of a critical contractor/vendor that in turn causes your loss), extra expenses incurred to minimize income loss and consequential reputational damage (loss of future income).
System Failure Loss
This coverage is for losses due to a bad patch, bug or bad line of code getting into the network and bringing the system down. Business interruption occurs without the involvement of threat actors.
Cyber Extortion Coverage and Ransomware Insurance Coverage
Extortion payments and related expenses resulting from threats (e.g., malware, ransomware) made during a policy period are taken care of with this coverage. It generally covers threats other than those made by the company’s officers, directors, managers and partners.
Computer Data Loss and Restoration
This coverage is for the cost to regain access to, replace, restore, reassemble or recollect any data asset (software, hardware or electronic data) that has been altered, destroyed, deleted or damaged, or that you cannot access, due to a cyberattack or security breach.
What’s Different About Cybercrime Insurance Coverage?
If a computer is used to steal money, securities or other property, a crime policy rather than a cyber policy is likely to apply. Following are some examples.
Computer fraud coverage is for the direct loss of money, securities and other property resulting from a computer violation, such as a person other than an employee gaining unauthorized access to your computer system.
Funds transfer fraud coverage applies to financial loss resulting from the insured’s financial institution paying or transferring money out of the insured’s account based on fraudulent third-party instructions to do so.
Telecommunications fraud is unauthorized third-party access and use of a business’s telecommunications services (e.g., VOIP). Add-ons to cyber liability policies can provide coverage for financial loss resulting from telecommunications fraud.
Coverage is available to pay a reward for information that leads to the arrest and conviction of individuals committing illegal acts related to coverage under your policy.
Deception Fraud (Social Engineering) Coverages
Deception fraud coverage applies to the loss of money—and sometimes securities or other property—resulting from a person purporting to be an employee, vendor or client tricking an authorized employee into transferring such money to a bogus account. This is not a standard crime insurance policy coverage and must be added by endorsement. Some of the terms contained within these coverages include the following.
Social engineering is the psychological manipulation of people to trick them into performing actions or divulging confidential information that may set up a fraud scheme.
This is a social engineering technique in which a fictional situation is created to obtain personal and sensitive information from an unsuspecting individual. It usually involves researching a target and using his or her data for impersonation or manipulation.
Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted source to induce targeted individuals to reveal confidential information.
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.
What Does Cyber Insurance Not Cover?
Not all losses following a cyber event are covered by a cyber insurance policy. If an attack occurs before a cyber policy is purchased, but the event is discovered afterward, the losses won’t be covered unless full “prior acts” coverage has been purchased without a retroactive date. If intellectual property is lost due to a cyberattack, it’s possible that some types of losses could be covered by cyber insurance but that other kinds of losses would be covered only by a separate intellectual property insurance policy.
Further, cyber insurance policies don’t automatically cover all losses that occur with the aid of a computer. For example, if a cybercriminal tricks an employee via email into voluntarily transferring company funds or sharing sensitive information, cyber insurers likely will not consider it a cyberattack. It’s known as “social engineering” or “funds transfer fraud” and is treated like theft. Depending on the carrier, a crime policy or a cyber social engineering insurance endorsement would be needed to protect the company from loss.
Finally, organizations often mistakenly assume that other insurance policies, such as errors and omissions, property and other liability policies, will cover cyber-related losses. This isn’t typically the case. In fact, some carriers are inserting cyber exclusions into these policies to protect themselves further.
Learn more by reading “Protecting Your Business from Silent Cyber Coverage Exclusions.” Risk managers should speak with their cyber insurance brokers to fully understand all their coverages.
How Much Does Cybersecurity Insurance Cost?
The cost of cyber liability coverage for a small business generally starts at $2,500. For medium- and large-size businesses, the yearly premium could be a few thousand dollars to tens of thousands of dollars per $1 million in coverage. However, the cost will vary for each business, depending on the following.
Some industries, such as healthcare, higher education, retail and manufacturing, are targeted by cybercriminals more often than others. Organizations in these sectors store the types of data (e.g., social security numbers, credit card information, bank account numbers, etc.) most prized by threat actors, putting them at greater risk for a cyber event. In the case of manufacturers, cybercriminals know that companies lose a lot of money every hour a line is down and that chaos can quickly erupt, pressuring the organization to pay a high-dollar ransom quickly.
Number of Employees
The greater the number of employees, the more opportunities cybercriminals have to access a company’s sensitive information and infrastructure. Unfortunately, employees are the most significant cyber weakness in any organization.
The more money an organization has, the more attractive it becomes to cybercriminals. However, smaller organizations are typically easier targets because they don’t usually have the in-house cybersecurity resources that larger organizations have. This makes small companies attractive, too.
Risk Profile and Claim History
Insurers want proof that a company has done everything possible to prevent cyber events. Actions include such things as training employees to recognize phishing scams, implementing multifactor authentication and endpoint detection and response, patching software regularly, and more. Read “6 Steps to a Better Cyber Insurance Policy” to learn more. Of course, those with no claims will be in the best position to obtain cybersecurity coverage.
Deductibles and Limits
As with most types of insurance, the deductible (the amount a company will pay before its insurance kicks in) and the limits (the maximum amount the insurer will pay for a claim) impact the cost of the premium. Generally, the more risk an insured is willing to assume, the lower the premium. When a company is willing to assume more risk, it signals to the carrier that the organization is confident in its cybersecurity measures.
Use This Cyber Insurance Coverage Checklist
Insurance is not the first line of defense against a cyberattack. Planning and preparation are. Before you and your broker approach the cybersecurity insurance coverage marketplace, be prepared to show all the planning and steps your organization has taken to prevent a cyber event.
Use this checklist to get started.
- When was the last time you conducted a complete cyber risk assessment?
- How frequently do you perform penetration testing?
- How frequently do you perform vulnerability scans?
- How frequently do you conduct phishing tests?
- What is your patch management cadence?
- How often is your anti-virus software updated?
- Have you implemented multifactor authentication and endpoint detection and response tools?
- How do you manage system access?
- Do you have an incident response plan in place? If so, what cybersecurity framework do you use (e.g., NIST, ISO, etc.)?
- When was your incident response plan last updated?
- How frequently do you conduct incident response tabletop training exercises?
- Do you have offline backups?
Working with RSM, the nation’s leading provider of consulting services focused on the middle market, Hylant has created a free online cybersecurity assessment that will help you determine if your cyber posture meets insurance carrier expectations. Take it now to better understand your cyber maturity level and to be able to address issues that can limit your cyber insurance options.
Working with the Right Cyber Insurance Team
Cyber risk management is complex, and the consequences of a poor plan or insurance policy can be severe. It pays to work with experts.
Hylant’s dedicated cyber risk and insurance team works with IT organizations to help their leadership teams, boards of directors and risk managers understand and address their cyber risks. We provide risk profiling, exposure quantification, insurance procurement and negotiation, risk readiness and incident response planning services. Working with our clients, we minimize the potential financial and reputational impacts of cyber events on their organizations.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.