OVERVIEW
Organizations are familiar with traditional risks such as property damage and injuries. However, in today's digital economy, organizations also face risks from technology. Cyber crimes continue to rise in frequency and severity, leaving businesses vulnerable to various attacks.
That’s why it’s recommended that all businesses, in every industry, and of every size add cyber insurance to their insurance portfolio.
Cyber insurance enables businesses to transfer the costs associated with recovery from the tangible and intangible losses related to a cyber-related security breach or similar event. Traditional insurance policies often do not cover these digital risks. By bridging the gap between physical and digital risks, cyber insurance allows companies to get back online and resume normal business operations faster.
Why do organizations need cyber insurance?
Protecting your physical locations is a required aspect of insuring businesses against risk. All businesses take steps to ensure their locations remain protected against physical damage and resulting liabilities. However, traditional insurance policies weren’t designed with cyber risks in mind.
General Liability (GL) insurance protects business owners from third-party claims of injury, property damage, and negligence related to their business activities. The confusion associated with General Liability coverage for cyber incidents centers around the resulting third-party property damage coverage provided in GL policies. Unfortunately, in the world of GL insurance, property only encompasses tangible property and not your digital assets. Nor do GL policies.
For IT providers and consultants, GL policies do often include an endorsement titled "Digital Data Protection Endorsement." Where this endorsement is present, the GL policy will cover the loss of data, but only for situations where third-party data is lost due to property damage.
When potential cyber events and losses are not explicitly covered or outright excluded by traditional policies, this may be called silent cyber or non-affirmative cyber. Due to the confusion regarding what is covered by a traditional policy vs. a cyber insurance policy, policyholders risk having unexpected coverage gaps.
What does cyber insurance cover?
Cyber insurance is a type of insurance that provides coverage for the various loss exposures companies face (both first-party and liability to third parties) that result from a cyber incident. For example, as a result of cyber incidents, businesses may face financial losses due to the costs associated with remediation or lost income if the incident renders their equipment and services completely inoperable.
Coverage provided by cyber insurance policies includes first-party coverage against losses such as data destruction, cyber extortion, theft, hacking, ransomware, denial of service attacks, or even systems failure events that cause business interruption losses. Cyber insurance policies often include third-party coverage (also called third-party liability) indemnifying companies for damages suffered by other entities as a result of their purported negligence or failures. Examples of third-party liability losses include failure to safeguard data, multimedia wrongful acts such as defamation, and regulatory fines and penalties.
Often, a cyber incident can expose customer information, including sensitive information such as credit card data, social security numbers, or medical data. Some cyber liability insurance policies will include notification and credit monitoring services, as well as assistance with reporting the incident to the appropriate regulators.
What are the benefits of cyber insurance?
Cyber insurance varies widely in what's included. Some policies cover only specific types of cyber events, such as data breaches, where an organization loses its employee and/or customer data to a threat actor. Many carriers have pulled back on covering ransomware attacks, a specific type of cyber attack wherein an organization's data is held hostage. Some cyber insurance policies offer preventative services such as technology scans and monitoring, while others do not.
The immediate benefits of cyber insurance include coverage of breach response costs, indemnifying businesses for the out-of-pocket expenses incurred to investigate and remediate a cyber incident. These costs include legal fees and expertise, forensic investigation, notification, and public relations, as well as extra expenses associated with restoring the business to normal operations.
What is not covered in a cyber insurance policy?
As with most insurance policies, a cyber insurance policy contains specific exclusions: losses it will not cover. Exclusions commonly found in a cyber insurance policy include:
Resulting loss of future revenue - that is to say, loss of revenue or income that extends beyond the indemnity period, or the period in which cyber policies will provide business interruption and extra expense coverage, typically 180 days.
Brand or reputation damage - cyber attacks can result in brand or reputation damage, and while cyber insurance coverage can extend to reputation harm, that doesn't extend to a company's valuation.
Errors and Omissions liability - cyber policies will provide third-party protection for claims arising from a security failure, data breach, and/or privacy liability. Still, they may not respond to a claim against you for a violation of your reasonable standard of care with your professional services. Specific industries can purchase Technology E&O to mitigate this risk.
Management liability claims - cyber insurance does not cover employment, discrimination, and directors & officers-related claims. You’ll need a separate policy for management liability insurance.
For an extensive list of coverage exclusions, it is best to work with a qualified cyber insurance broker to review specific policy language and any unique requirements for your region or industry.
How much does cyber insurance typically cost?
Two components go into pricing: actuarial science and underwriting. Each views exposure through a different lens.
An actuary produces rating plans based on big picture items — the insured's industry, revenue, company size, and more — that help the insurer predict risk. Because cyber attacks can have a tremendous domino effect, actuarial factors must include the business' technology stack, including their operating systems, hardware, software, and internal controls.
Coalition determines each business' risk using our proprietary data platform, which evaluates a company’s externally facing exposures while monitoring current and emerging cyber threats. Adopting the perspective of threat actors and viewing business exposures through the lens of their vulnerabilities results in a more accurate depiction of the company's risk, which we incorporate into pricing. Our scanning tools provide early indicators of exploitable cyber targets, which then help inform the underwriting process. Technology is a dynamic risk, and by gathering threat intelligence data through constant scans of the internet, we can price our policies appropriately.
How is cyber insurance underwritten?
Coalition's data-driven underwriting process utilizes proprietary algorithms and thousands of data points in our Active Risk Platform to analyze a company's risk posture. This information, combined with a simple online application, enables Coalition to determine coverage eligibility, quoted premium rates, and minimum self-insured retentions (SIR) based upon the coverages selected.
The entire application and underwriting process can be completed, in most cases, within four minutes for small and medium-sized businesses. However, in some circumstances, a quote may require further review. When this happens, we aim to complete our review within a few business days of application completion (subject to the availability of any additional information requested). At this point, the policy may be bound.
Our underwriters look at the severity of exposure from vulnerabilities outside the scope of technology-based rating factors. Examples of the technology-based inputs that inform underwriting decisions include:
A single domain allows quick identification of any relevant associated domains and IPs.
Comprehensive scanning of the public web includes thousands of ports and up to billions of relevant IP addresses and multiple threat vectors.
Integration of organizational data including financial, HR, M&A, regulatory, and compliance helps to build a complete risk profile.
Proprietary incident response and claims data allows proactive identification of risks that result in claims.
Insight from data and emerging threats, applied through artificial intelligence, data science, and machine learning.