What Is Cyber Insurance?
January 15, 2024
According to IBM Security’s Cost of Data Breach Report, the average cost for a data breach now stands at $4.35 million. This is a 12.7% increase from 2020, and data breaches are just one type of attack. No wonder so many companies are inquiring about cyber insurance.
Cyber liability insurance, also referred to sometimes as cyber risk insurance, cyberattack insurance or cybersecurity insurance coverage, helps companies respond to and recover from the financial impacts of cyber-related events. In addition to data breaches, these events could include malware infestation, email compromise and denial of service/ransomware attacks.
What to Expect from a Cyber Insurance Policy
Cyber coverage is complex and nuanced. Risk managers need to understand what these cyber insurance policies cover, what they don’t cover, and what may be covered by other types of insurance policies.
What Does a Cyber Insurance Policy Cover?
Cyber insurance can include first-party and third-party coverages. First-party cyber insurance coverage helps protect an insured company from direct losses, such as the cost to recover data or money paid as ransom. Third-party cyber insurance coverage helps protect the insured company from losses suffered by others as a result of a cyber event, such as if the company must offer identity theft services to clients after a data breach.
While every policy is unique, typical types of cyber coverage include the following:
- Business interruption losses
- Computer forensics
- Data recovery and restoration
- Damaged or compromised systems repair or replacement
- Legal fees related to regulatory issues or third-party lawsuits
- Crisis communication/public relations fees
- Customer notification
- Call center setup and operation
- Credit monitoring services
- Ransom payment
- Transferable/lost funds
- Customer credits and refunds
- Reputational damage
Read “Cyber Insurance Coverages 101” to learn more about cyber coverages.
What Doesn’t a Cyber Insurance Policy Cover?
Not all losses following a cyber event are covered by a cyber insurance policy. If an attack occurs before a cyber policy is purchased, but the event is discovered afterward, the losses won’t be covered unless full “prior acts” coverage has been purchased without a retroactive date. If intellectual property is lost due to a cyberattack, it’s possible that some types of losses could be covered by cyber insurance but that other kinds of losses would be covered only by a separate intellectual property insurance policy.
Further, cyber insurance policies don’t automatically cover all losses that occur with the aid of a computer. For example, if a cybercriminal tricks an employee via email into voluntarily transferring company funds or sharing sensitive information, cyber insurers likely will not consider it a cyberattack. Such an event is known as “social engineering” or “funds transfer fraud” and is treated like theft. Depending on the carrier, a crime policy or a cyber social engineering insurance endorsement would be needed to protect the company from loss. To learn more about this, read “Cyber Insurance Coverages 101.”
Finally, organizations often mistakenly assume that other insurance policies, such as errors and omissions, property and other liability policies, will cover cyber-related losses. This isn’t typically the case. In fact, some carriers are inserting cyber exclusions into these policies to protect themselves further. Learn more by reading “Protecting Your Business from Silent Cyber Coverage Exclusions.” Risk managers should speak with their cyber insurance brokers to fully understand all their coverages.
What Is the Difference Between Cyber Liability and Data Breach Insurance?
In addition to carefully reading policies to understand what is and is not covered, insureds need to understand carriers’ cyber terminology and the impact it has on cyber insurance coverages. For example, the terms “cyber liability insurance” and “data breach insurance” are generally interchangeable, but it’s possible to have a cyber breach that is not a data breach. A hacker may lock down an organization’s data and demand ransom. If the ransom is paid and data is unlocked, that is a cyber breach. However, if the organization has good backups and refuses to pay the ransom, the hacker may sell the accessed data on the dark web. Now there is also a data breach.
Unlike other types of insurance that have been around for a century, cyber coverage is still in its infancy. Policy forms are inconsistent from one carrier to another. A broker plays a vital role in helping insureds understand what they need and how to get it.
Who Needs Cyber Insurance?
Every organization is at risk of cyberattacks today. Any organization with an email address or a bank account should invest in cyber insurance. If a company stores credit card numbers, customer data, personally identifiable information (PII) or protected health information (PHI), the company should invest in cyber liability coverage. If an organization has a website, processes online payments or is part of an industry that has many regulations around customer data, it should secure a cyber insurance policy.
Further, no business is too small for cybercriminals to target. Data security and networking company Barracuda Networks reports that small businesses with fewer than 100 employees are three times more likely than larger companies to be targets of social engineering attacks. A social engineering attack occurs when a threat actor tricks an employee into sharing sensitive information or making a security mistake.
Small organizations are likely targets because they don’t have the large technology budgets that large organizations have. However, there are things small businesses can do to strengthen their cyber defenses. Read “5 Cybersecurity Best Practices for Small Businesses” to learn more.
How Cyberattacks Can Affect Your Business
Just as the size of a company doesn’t make it immune from cyberattacks, neither does its industry. Industries currently considered most at risk for ransomware attacks include healthcare, higher education, retail and finance. But other sectors are being exploited, too. Consider the consequences.
The largest county in New Mexico was the victim of a ransomware attack in early 2022, and services were disrupted to more than 600,000 citizens. The county clerk’s office couldn’t register voters, issue marriage licenses or approve deed transfers, an issue for realtors and their clients. The attack also disabled security cameras and automatic doors at the jail. Inmates were confined to their cells and weren’t allowed visitors until the systems could be fixed. The county had to notify a federal court because the constant confinement was a potential breach of a legal agreement related to inmate treatment.
Also, early in 2022, three of Toyota’s suppliers were victims of cyberattacks. Fourteen of the automaker’s plants had to shut down, which reduced its production capacity substantially. In April, it was rival General Motors’ turn. Cybercriminals used data from previous attacks and loaded it into the manufacturer’s rewards database. Anytime a match occurred, the cybercriminals deleted the GM customer’s rewards points.
During the summer, Holiday Inn’s booking sites and mobile apps were attacked. Social media giant Twitter was also a victim, with attackers sending messages to those with verified accounts (e.g., influencers, politicians, activists, etc.), telling them that their account would be suspended within two days if they didn’t complete the authentication process. If they re-verified, of course, criminals gained access to their account.
How Strong Is Your Cyber Risk Profile: Free Assessment
Because the number and complexity of cyberattacks have ballooned in recent years, cyber liability coverage has become increasingly challenging to secure. Companies with gaps in their cybersecurity plans are often rejected when applying for coverage, which magnifies the impact of a breach. Those who have taken steps to create a robust cyber risk profile are better positioned to compete for and negotiate coverage.
Hylant and RSM Alliance have partnered to offer a free cyber assessment for companies considering cyber liability coverage. The assessment helps organizations understand the security features prioritized by insurance carriers and determine whether they are eligible for coverage. Click here to take the assessment, then download the results and use them as a roadmap for remediating risk and improving insurability.
Why Do You Need Cyber Insurance Coverage?
It’s a cliché, but it’s true. It’s not if a cyberattack will impact an organization; it’s when. Recovery takes time and money while the company deals with business interruptions, missed contract deadlines, public relations issues, client notifications and more. Cyber insurance may be what keeps the business afloat after an attack.
Companies with shareholders should especially consider cyber coverage and limits carefully. Recently stakeholders brought suit against a company’s board members after a cyberattack. They alleged mismanagement because the company had not secured enough cyber insurance coverage, thinking it was too expensive.
Types of Cyber Threats and Risks
Cyber threats and risks can generally be grouped into four categories. The first is lost or stolen credentials. When bad actors gained access to the servers of retail giant Target, they did it by using credentials stolen from one of its HVAC contractors. The criminals accessed information tied to millions of customer debit and credit cards.
The second category is the exploitation of security vulnerabilities. For example, late last year, a dangerous zero-day vulnerability (i.e., a previously undetected software flaw) was discovered in the popular Java logging library Apache Log4j. This logging utility records application events, which developers rely on to troubleshoot problems and keep applications running smoothly. Malicious actors actively exploited it to install ransomware and cryptocurrency-mining software. Some of the impacted systems and services included IBM, Cisco, Adobe, Oracle, Microsoft Azure and Amazon.
The third category is human error, exploited through attacks such as social engineering and phishing links. A cybercriminal poses as a known or trusted source and tricks innocent parties into clicking on links, divulging sensitive information or transferring funds. Social engineering attacks go by various names such as business email compromise, phishing, vishing/smishing, pretexting and baiting. Because it is easier to trick people than to attack well-protected servers, social engineering is one of the most common risks today.
Related Reading: Protecting Your Organization from Phishing Social Engineering Attacks
Related Reading: 5 Cybersecurity Best Practices for Small Businesses
Botnets are the fourth threat category. A botnet, or robot network, is a group of malware-infected devices connected over the internet that are unknowingly being controlled by a hacker called a “bot herder.” The bot herder uses the herd to attack or infect other devices and networks.
Cybersecurity Strategies and Management
Insureds have a duty to do everything possible to prevent cyber losses. A cyber policy will not pay for losses due to preventable security issues. Before cyber insurers consider underwriting a cyber liability policy, they want to know the steps a business has taken to reduce its cyber risks—also known as improving its “risk profile” or “risk posture.”
For example, cyber insurance underwriters will want to know whether the organization has implemented multifactor authentication and endpoint detection and response technology. Carriers will ask how well the organization controls access to its systems (read “A Guide to Understanding Your Data Supply Chain” for more on this topic). They will ask about the organization’s patching cadence. Insurers will want to know how often the organization backs up data and how and where it stores those backups. They will also want to know whether and how employees are trained to recognize cyber threats.
Working With the Right Cyber Insurance Team
Cyber risk management is complex, and the consequences of a poorly performing plan or insurance policy are costly. It pays to work with experts.
Hylant’s dedicated cyber risk and insurance team works with IT organizations to help their leadership teams, boards of directors and risk managers understand and address their cyber risks. We provide risk profiling, exposure quantification, insurance procurement and negotiation, risk readiness and incident response planning services. Working with our clients, we minimize the potential financial and reputational impacts of cyber events on their organizations.
Contact Hylant today to discuss your cyber insurance and risk management needs.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.