The Ultimate Guide to Cyber Insurance
Make sure you know these terms when shopping for cyber insurance, so you can better protect your business.

Cyber insurance is the number one policy business owners and C-level leadership should be looking at to protect themselves against the financial repercussions of cyber threats and data breaches.

This comprehensive guide gives you the key components of a cyber insurance policy in plain English. At the end, I've also included a detailed explanation of the terms involved and common exclusions.

The Role of Cyber Insurance

Cyber insurance serves as a financial safety net, designed to mitigate the risks associated with our dependence on computers. It’s a line of defense for businesses against the financial strain of cyber incidents, ensuring continuity in the face of a catastrophic hack.

Decoding Cyber Insurance Terms

  • Per Claim Limits: This cap on the payout for a single claim ensures that insurers can manage risk effectively. For example, if a cyber attack results in a loss of $200,000 but the per claim limit is $150,000, the insurer will cover up to the $150,000 mark.
  • Aggregate Limit: The ceiling on the total payout within a policy period. If a series of cyber incidents exhausts this limit, the business must bear any additional costs.
  • Financial Rating: Reflecting an insurer’s fiscal health, this rating, akin to a credit score, gauges the insurer’s ability to fulfill its obligations. You want an A- or better from AM Best ratings.
  • Deductible: The insured’s share of the loss, this amount must be paid before the insurer’s coverage begins. It’s a risk-sharing mechanism that can influence the policy’s premium.

First Party Coverages

Third Party Coverages

  • Information Privacy Liability: In the wake of incidents like the Ticketmaster data breach, this coverage protects against claims from third parties affected by a privacy breach.
  • Network Security Liability: This shields against claims related to network security failures, which are increasingly common as cyber threats evolve.
  • Regulatory Liability: With regulations tightening, this coverage handles potential fines and penalties from regulatory bodies.

Special Provisions and Exclusions

  • War Exclusion Carve-back: Despite standard exclusions for acts of war, this provision ensures coverage extends to acts of cyber terrorism, a growing concern in international relations.
  • Prior Knowledge Exclusion: This clause excludes coverage for incidents known to the insured prior to the policy’s inception, emphasizing the importance of transparency.

Cyber insurance is an essential component of a comprehensive risk management strategy. With cyber threats becoming more sophisticated, as seen in the use of emojis by hackers to command malware, the need for robust protection is undeniable. Understanding the nuances of your cyber insurance policy can make all the difference in safeguarding your business’s future.

Generalist insurance agents, while knowledgeable about a broad range of insurance products, may not always be up to date with the nuances of cyber insurance coverages and exclusions. This isn’t due to a lack of expertise, but rather the specialized nature of cyber insurance, which is a relatively new and rapidly changing field.

Here’s why it’s crucial to have a detailed discussion with your agent about cyber insurance:

  • Specialized Knowledge: Cyber insurance requires a deep understanding of technology, data privacy laws, and the specific risks that businesses face online. A specialist in this area would be more likely to have the latest information on emerging threats and how policies are adapting to cover them.
  • Tailored Coverage: Every business has unique needs based on its operations, size, and industry. Generalist agents might offer a one-size-fits-all policy, which may not provide adequate protection for your specific risks. Asking about specific coverages and exclusions ensures that the policy is tailored to your business.
  • Policy Updates: The cyber world changes quickly, and so do the insurance products designed to protect against these risks. It’s important to ask if the policies being offered are the most current and include recent updates that address new types of cyber incidents.
  • Exclusions: Some policies have exclusions that are not immediately apparent. For example, certain acts of cyber terrorism may be covered, while others may fall under a war exclusion clause. Understanding these details can prevent unexpected gaps in coverage.
  • Claims Experience: Ask about the agent’s experience with cyber claims. An agent who has handled cyber claims will have practical insights into how policies respond in the event of an incident.

To ensure you’re getting the best possible coverage, consider the following tips:

  • Ask for Examples: Request real-world scenarios where the policy would come into play. This can help clarify the extent of the coverage.
  • Clarify Terms: If there’s any jargon or terms you don’t understand, ask for an explanation in simple language.
  • Review Regularly: Cyber risks change rapidly, so it’s important to review and update your coverage regularly.
  • Consider a Specialist: If your business is particularly reliant on digital operations, it might be worth consulting with a cyber insurance specialist.

Remember, the right insurance agent will welcome your questions and be able to explain your coverage options clearly. It’s better to ask and fully understand your policy now than to discover a coverage gap when it’s too late.

Schedule a free 15-minute consult with me to go over your cyber insurance needs and audit your current program.

....

Bonus terms and exclusions you should ask your cyber broker about:

Additional First Party Coverages

  • Funds Transfer Fraud: If someone tricks the system into sending money where it shouldn’t, this coverage helps get that money back.
  • Social Engineering: This is when someone is tricked into giving away secret info or company money. The insurance helps cover the losses.
  • Invoice Manipulation Coverage: If a hacker changes the details on an invoice to steal money, this part of the policy helps cover the loss.
  • Criminal Reward: If the company offers a reward for information that leads to catching a cyber thief, this coverage can pay for that reward.
  • Utility Fraud: This covers losses if someone hacks into things like the electricity or water bill and uses your utilities without your permission.
  • Cryptojacking: If hackers use the company’s computers to mine cryptocurrency without permission, this coverage helps with the costs.
  • Telecommunications Fraud: This helps cover losses if someone illegally uses the company’s phone or internet services.
  • Bodily Injury (First Party): If someone gets hurt because of a cyber issue, like an employee injured by malfunctioning equipment, this coverage helps with the costs.
  • Property Damage (First Party): If the company’s property is damaged due to a cyber event, this helps pay for repairs.
  • Court Attendance Costs: If employees have to go to court because of a cyber issue, this helps cover the costs of being there.
  • Bricking Coverage: If a hacker’s attack turns the company’s devices into useless “bricks,” this helps replace or repair them.

Additional Third Party Coverages

  • PCI DSS Liability: If the company doesn’t follow credit card security rules and something goes wrong, this coverage helps with the fallout.
  • Bodily Injury Liability: If a cyber issue causes harm to someone outside the company, this coverage helps protect the business.
  • Property Damage Liability: If the company’s cyber problem damages someone else’s stuff, this coverage helps pay for it.
  • Media Liability: If the company’s online content, like a blog post or tweet, gets it into legal trouble, this coverage helps sort it out.

Special Provisions and Exclusions

  • War Exclusion Carve-back: Normally, war isn’t covered, but this says if there’s a cyber attack that’s like an act of war, the insurance will still help.
  • Prior Knowledge Exclusion: If the company knew about a cyber problem before getting the insurance and didn’t say anything, this means the insurer won’t cover it.
  • Mandatory Reporting of Circumstances: If the company thinks something bad might happen, they have to tell the insurer, or they might not be covered later.

If you made it this far, you've become a cyber insurance master, so congratulations. Be sure to subscribe to get more exciting cybersecurity and cyber insurance content. :)

Hungry for more cybersecurity content? Check out the 14 steps to protect your business' data.

This was a great breakdown. War Exclusion Carve-back was something I didn't know about. Thanks for the information.

Carrie Conejo

Executive Vice President of Client Services | Insurance, Risk Management | Hope Dealer

4 months

Thanks for sharing Joe!

Dave Tuckman- CISM, CISSP, CCISO, CvCISO, CDPSE, etc.

30+ years of experience in Executive level Engineering, Operations, Sales, Business Development & Client Relations within the IT & Cybersecurity industry

5 months

Joseph S. Erle, MBA, CIC, CRM, TRA - this is great. Lot of valuable information!

Rich Slaton

Broadcaster, Producer, Director, Social Media

5 months

Are there things a business owner can do to reduce the cost of cyber insurance?

Jon Shefsky Tomashefsky

Real Estate Agent at KALEO Real Estate Company

5 months

Cyber insurance is something that most of us don't know about until an expert that we trust takes the time to inform us and THIS post from Joe is what we all need.
