Cyber insurance has dramatically evolved since the first coverages were added to other policy forms in the 1990s. Traditionally, cyber coverages were only considered necessary in the technology industry — or for those providing technology-related professional services.

It was the dawn of the digital age and growing cyber risk exposures across all industry classes that led to the evolution of cyber as a stand-alone insurance product. Today, purchasing cyber insurance is considered essential by business leaders in nearly every sector.

At first look, cyber coverages can be confusing for a small business owner. A broad spectrum of exposures are possible, with the top insurers offering a variety of products to protect against them, often bundled into unique package solutions with different levels of coverage. Here’s what to know when you’re shopping for coverage for your business.

Each Insurer Does It Differently

Cyber policies vary widely. While many insurers have adopted base forms created by the Insurance Services Office (ISO) for popular products such as general liability and property, no such standardized form currently exists for cyber products. Instead, each insurer has their own wordings and structure for cyber policies and coverages.

Cyber policies are also fairly unique within the insurance world in that they provide two different types of benefits. First- and third-party exposures are usually protected against with different policies. But cyber coverages often combine them.

This combination of cyber benefits results in dual-purpose policies, which offer:

  • First-party coverage designed to reimburse the policyholder for their own costs resulting from an insured event.
  • Third-party coverage designed to defend the policyholder and to pay any damages owed to third parties because of the policyholder’s alleged wrongful acts.

Common First-Party Cyber Coverages

Within the first-party category of protection, you will find that there are actually multiple forms of first-party coverage, each designed to protect against different risks and expenses. Some of the most common cyber events fall under this first-party coverage. These can include data breaches, security incidents, ransomware attacks, denial-of-service attacks and the theft of physical documents.

When a business experiences such a first-party loss, multiple expenses are often incurred to investigate, mitigate and remediate the event. While the exact coverage included depends on the insurer, cyber policies may include some or all of the following forms of first-party coverage to protect against these risks:

1. Incident Response

This is coverage for expenses to analyze, contain and/or mitigate privacy or security breaches. These expenses fall into a few categories and sometimes may have their own separate insuring agreements in policies:

  • Legal Advisors: Expenses associated with the retention of legal advisors to help a policyholder investigate and remediate the incident and determine a course of action to mitigate any future harm.
  • Forensics: Expenses associated with the retention of cybersecurity firms to examine the cause of an incident and extent of potential damage to a policyholder’s network and data, and to determine whether there is any data/information compromise.
  • Notifications: Expenses incurred to provide notice to affected parties.
  • Crisis Management: Expenses to retain crisis communication services to mitigate negative publicity resulting from a covered event.
  • Call Center Services: Expenses associated with setting up and maintaining a center for affected parties to call with questions regarding the incident.
  • Credit and Identity Monitoring: Expenses associated with providing affected individuals with credit and identity monitoring.

2. Data Restoration

This is coverage for costs to restore or recover data, computer programs or software lost from system damage due to covered events such as malware, ransomware, computer viruses, denial-of-service attacks or unauthorized access.

3. Cyber Extortion

This coverage can offer reimbursement for ransom payments and associated costs (where such payment is legally permissible).

4. System Failure

This is coverage for loss of income and expenses to restore operations as a result of an accidental, unintentional and unplanned interruption of an insured’s computer system.

5. Business Interruption

This is coverage for loss of income and expenses to restore operations as a result of a covered incident. This may include the voluntary shutdown of systems to minimize the business impact of the event.

Within business interruption coverage, some policies will offer additional coverage, called dependent business interruption. This protection offers reimbursement for the policyholder’s loss of income and expenses to restore operations as a result of an interruption to the computer system of a third party upon which the policyholder relies to run its business.

6. Reputational Harm

This is coverage for damage to a business’s reputation, brand and goodwill that can occur when an actual or potential cyber event becomes public.

These first-party coverages can often help protect an insured organization’s balance sheet in the event of a cybersecurity crisis, but note that not every policy will have all of these coverages. You’ll need to review your current cyber policy to familiarize yourself with the coverages you have purchased. When shopping for new coverage, be sure to ask about included forms of first-party coverage.

Common Third-Party Cyber Coverages

While first-party coverages reimburse the policyholder for their own losses and expenses, third-party insuring agreements are designed to protect the policyholder from liability for losses sustained by third parties — including individuals, businesses and regulators — for that policyholder’s alleged wrongful acts.

Third-party claims can include written demands alleging privacy violations, class-action lawsuits alleging compromises of personally identifiable health information and regulatory inquiries from state attorneys general regarding the handling of notifications to affected individuals from ransomware incidents.

The extent of coverage, again, depends on the insurer, but key third-party coverages typically include:

1. Privacy Liability

This is coverage for reasonable and necessary expenses incurred to defend and settle claims for damages because of liability to third parties resulting from privacy injuries. This coverage is designed to pay for expenses to defend and resolve claims against a policyholder alleging that they did not properly manage and safeguard the private and confidential information of those third parties. These types of claims can arise from allegations of:

  • Unauthorized access to confidential and private information.
  • Failure to provide notification of a data breach where required by law.
  • Failure to destroy confidential information.
  • Failure to comply with the organization’s privacy policy.
  • Wrongful collection of private or confidential information.

2. System Security Liability

This is coverage for reasonable and necessary expenses incurred to defend and settle third-party claims alleging that a policyholder did not properly manage its network and systems thereby causing harm to third parties. These types of claims involve allegations that a policyholder failed to prevent a security compromise that resulted in the inability of authorized users to gain full access to their computer systems and data.

3. Regulatory Liability

This is coverage for reasonable and necessary expenses for a policyholder to defend against administrative and regulatory proceedings, civil and investigative demands brought by domestic or foreign government entities, or claims made by those entities as a result of alleged wrongful privacy, security or media acts. This can also include coverage for fines and other amounts paid to regulators—as consented to in writing by the insurer—to resolve the allegations of wrongful acts (to the extent permitted by law).

4. PCI-DSS Fines and Penalties

PCI-DSS is short for Payment Card Industry Data Security Standards, a widely accepted set of standards to safeguard credit, debit and cash card transactions and protect cardholders against misuse of their personal information. This type of coverage can protect against fines, penalties and assessments incurred as a result of a breach of contract with a card brand or payment processor. Assessments can also include fraud losses and card reissuance costs.

Third-party claims involving these four types of liabilities are often very expensive to defend and resolve. Fees and costs associated with retaining legal advisors and the potential need for experts can quickly add up. Those expenses do not even account for any settlements entered into by a cyber insurance policyholder or judgments entered against them.

What’s Not Covered by Cyber Insurance?

A robust cyber insurance policy can respond to a variety of cyber risks. However, certain cyber exposures are either not covered by a cyber policy or are covered under another type of policy. Here are three common exclusions:

1. Infrastructure Failures

Cyber policies have various exclusions that can preclude coverage for losses that may seem like traditional cyber exposures. For example, infrastructure failures, such as cable and internet outages, are certainly cyber-related, but are typically excluded from standard policies.

2. Cyber Crime

Cyber crime, such as the electronic theft of funds, is typically not covered under traditional cyber policies. Instead, this exposure is often addressed with a separate crime policy or crime coverage endorsement. This is another area where policies vary, so be sure to ask your insurance representative about the specific forms of crime risks you need to protect against.

3. Security Upgrades

After a cyber attack, a policyholder may seek to upgrade its systems. This is a prudent choice and it’s often recommended by experts. However, such betterment costs are very seldom covered because insurance is designed to return a policyholder to the state it was in before a loss.

Working With the Right Insurance Advisor

A significant cyber attack can place tremendous stress on your organization’s financial well-being. The expenses associated with investigating and remediating an incident—coupled with business interruption losses and reputational damage—can be devastating.

The cyber insurance market has also changed dramatically over the last decade. Scope of coverage and policy wordings continue to evolve, and the availability of coverage can depend a lot on a policyholder’s underwriting profile and a particular insurance carrier’s appetite for the risk. Coverage is also now more expensive than it was previously and underwriting scrutiny around security controls is far more stringent than it was just five years ago.

A well-designed cyber policy can provide valuable coverage for many of these exposures. But it’s important to work with the right insurance advisor, who can help you evaluate your unique cyber exposures, help you design an insurance program to meet your specific needs and find the best risk transfer solution given the current state of the insurance market.

Lockton Affinity’s CyberLock Defense aims to be your trusted advisor for managing your cyber risk. You’ll learn about potential cyber risks and impact on your organization, consult on best practice controls to help improve your risk posture and gain access to customized solutions that effectively guard against your exposures.

Our program leads the industry in its protection, with broad coverage and flexible limits tailored to suit the particular risks of your industry. Discover more benefits for your business today. Visit CyberLockDefense.com or call us at (913) 652-7520 to get started.