Cyber Insurance Explained - Part 1

Getting (and staying compliant with the required cybersecurity controls of) cyber insurance can be daunting for business owners. Most business owners understand that there is a LOT of cybersecurity risk for small businesses, but they often lack the technical knowledge required to apply for and stay compliant with cyber insurance. It doesn't help that the sheer volume of claims and huge dollar amounts paid out has forced cyber insurance carriers to increase premiums AND deductibles, while increasing the required cybersecurity controls to obtain and maintain coverage. Many small businesses have seen their coverage dropped altogether.

This is a 3-part series on helping small business owners understand cyber insurance - what cyber insurance covers, what to look out for, and understanding the required cybersecurity controls.

What Cyber Insurance Covers

Every small business faces cyber risk. The most prominent cyber risks are privacy risk, security risk, operational risk, and service risk.

Generally, cyber insurance is designed to protect your small business from these primary risks through four distinct types of coverage:

• Network security and privacy liability
• Network business interruption
• Media liability
• Errors and omission

In particular, network security and privacy liability can include both first-party and third-party costs. Let’s go into each element and what specific cyber risk it covers

Network Security

Network Security Coverage is important for most small businesses, including those subject to information risk and privacy risk. This aspect of cyber insurance covers your business in the event of network security failure, which can include a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise.

Network security coverage includes first-party costs—expenses that you incur?directly?as a result of the cyber incident, including:

• Legal expenses
• IT forensics
• Negotiation and payment of a ransomware demand
• Data restoration
• Breach notification to consumers
• Setting up a call center
• Public relations expertise
• Credit monitoring and identity restoration

Privacy Liability

Privacy liability coverage is also important for most small businesses, particularly those with information risk or privacy risk.

Customer and employee information can be sensitive and breaches or violations that expose such data not only threaten the security of those compromised but expose your business to liability.

Privacy liability coverage protects your company from those liabilities arising out of a cyber incident or privacy law violation. These third-party costs can arise, for example, from liabilities required in a contractual obligation, all the way to regulatory investigations by governments and law enforcement.

Here are two examples of what privacy liability coverage covers:

1. Defending your organization from consumer class action litigation and funding a potential settlement in the event of a cyber incident or data breach
2. Legal expenses, fines, and/or penalties incurred due to a regulatory investigation by government or law enforcement, both federal and foreign.

Network Business Interruption

How dependent is your small business on technology to operate? Network business interruption coverage provides a solution for companies that face an operational cyber risk.

When your network or the network of a provider that you rely on to operate goes down due to an incident, you can recover lost profits, fixed expenses, and extra costs incurred during the time your business was impacted.

This includes loss arising from:

• Security failures, like a third-party hack
• System failure, such as a failed software patch or human error

Media Liability

This provides coverage for intellectual property infringement, other than patent infringement, resulting from the advertising of your services. It often applies to both your online advertising, including social media posts, as well as printed advertising.

Errors and Omissions

A cyber event could keep you from fulfilling your contractual obligations and delivering services to your customers. E&O covers claims arising from errors in the performance of or failure to perform your services.

This can include technology services, like software and consulting, or more traditional professional services like those provided by lawyers, doctors, architects, and engineers.

E&O coverage addresses allegations of negligence or breach of contract should this occur. It can include legal defense costs or indemnification resulting from a lawsuit or dispute with your customers.

When it comes to the impact of cyber risk on E&O claims, many companies are looking to address the aggregation of risk due to a failure of their service. Think of this as a cyber event causing your service to go down and all your customers being impacted at one time, as opposed to a single customer having a problem with your product or service. This aggregation of risk can add up quickly and requires a thoughtful approach to the amount of insurance you purchase.

We hope you have learned the basics of cyber insurance. If you'd like to learn more about how to gain the required cybersecurity controls to obtain cyber insurance, reach out to us for a complimentary Cybersecurity Discovery call. And stay tuned for Cyber Insurance Explained - Part 2 next week.