PRACTICAL IP - Cybersecurity Insurance 101
Updated: Jan 30
Does your business have cybersecurity insurance?
If not, does it need cybersecurity insurance?
And, if it does, why?
Cybersecurity insurance protects businesses against financial losses caused by incidents like data breaches and theft, system hacking, ransomware extortion payments and more. If your small business stores sensitive information online or on a computer, you may want to consider carrying at least some cyber insurance coverage.
Some insurers offer cyber insurance as an add-on to a business owner’s policy, but you can also purchase this coverage separately. Here's what cybersecurity insurance covers and where you can buy a policy.
What types of cybersecurity coverage are available?
Cybersecurity insurance generally comes as either first-party or liability coverage. And if you’re a technology business, you may want to consider adding the different, but related, technology errors and omissions coverage, as well.
First-party cybersecurity insurance covers the costs of things like:
· Investigation of cyber incidents.
· Risk assessment of future cyber incidents.
· Lost revenue due to business interruption.
· Ransomware attack payments based on coverage limits.
· Notifying customers about the cyber incident and providing them with anti-fraud services such as credit monitoring.
The most common first-party cybersecurity coverage is data breach insurance.
Third-party or cyber liability coverage
Cyber liability coverage can protect your business if a third party sues you for damages as a result of a cybersecurity incident. It generally pays for:
· Attorney and court fees associated with legal proceedings.
· Settlements and court judgments.
· Regulatory fines for noncompliance.
It is important to understand that general liability insurance, oftentimes referred to as a “CGL policy,” excludes coverage for data-breach-related liability claims, so if your business stores customer data, you’ll want to consider a separate cyber liability insurance policy.
Technology errors and omissions
A technology errors and omissions, or E&O, policy kicks in if a cybersecurity incident occurs in a customer’s business because of an error on your part. You should consider buying this coverage if your business manufactures a technology product or provides technology services.
Technology E&O pays for items similar to those covered by cybersecurity liability insurance, such as legal fees, court costs, and judgments or settlements, but only in covered circumstances relating to products or services.
Does your business need cybersecurity insurance?
Almost any business can be at risk for cybercrime, but cybersecurity insurance is especially important for:
· Businesses that store important data online or on computers. If your business stores important data, such as phone numbers, credit card numbers or Social Security numbers — either online or on a computer — you are at risk of a cyberattack. You should consider data breach insurance. If you store sensitive customer data, consider cyber liability coverage, too.
· Businesses with large customer bases. Insurance can help cover certain regulatory fines these businesses might be subject to following a data breach. Notifying customers of data breaches is often required by state law, and first-party policies can cover this cost, which can be significant for companies with large consumer bases.
· Businesses with high revenue or valuable digital assets. The costs associated with cyber incidents can be difficult to predict, and larger companies are likely to have more valuable data, which could come with a more expensive ransom.
If you are unsure whether you need cybersecurity insurance, consider speaking to a business insurance agent near you to assess your risk level and potential premiums to determine if it's the right investment for your company.
What does cybersecurity insurance exclude?
Cybersecurity insurance does not pay for (a) property damage, (b) intellectual property losses or injury, (c) crimes or self-inflicted cyber incidents, and, perhaps surprisingly, (d) costs associated with proactive preventive measures. This doesn’t mean that a business shouldn’t take reasonable steps to protect its data and systems from attack. On the contrary, the fact that most policies exclude such coverage only makes those steps that much more important.
Ask any business that has had to deal with a cybersecurity breach, especially a serious breach, and they will tell you that had they known the potential repercussions of a breach, including the costs and headaches that always result, they would have taken the risk more seriously and made certain that they had the proper protocols to deal with a breach as well as the proper insurance to back them up.