You have been hearing a lot about Cyber Insurance and Cyber attacks in the news recently. As technology evolves and more business transactions are done online, hackers, criminals, and insiders will continue to use Cyber attacks for their financial benefit.
While businesses can mitigate their Cyber risk by improving their security standards and refining their data storing process, they are still at huge risk of experiencing huge losses that will harm their reputation and can even cause them to file for bankruptcy. But there’s more.
What is Cyber Insurance?
Cyber Insurance Liability is a first and third-party coverage designed to protect businesses in the event they experience a Cyber breach that causes loss of data or business interruption. According to a 2019 survey by Statista, one-third of companies in the US purchased a stand-alone Cyber Insurance Policy. In addition, 44% of clients discussed their Cyber Insurance coverage with their insurance broker. Why did they discuss Cyber? See below.
Cyber Insurance Market Over the Years
The Cyber Insurance market is evolving fast. New risks are emerging every day and cyber attacks are becoming very frequent. Cyber started as a small broad coverage on Property and Errors & Omissions policy forms, and now the Cyber insurance market alone has a market value of over $9 billion, and is expected to be at $25 billion by 2025.
What is driving demand for cyber insurance? There isn’t one simple clear answer. It’s a combination of concerns from business owners about the data they store, more cyber attacks hitting large companies, and huge media coverage for such attacks.
In 2019, ransomware attacks alone have more than doubled. Hackers are not only attacking more, they are also asking for bigger amounts, and why wouldn’t they when insurance companies keep on paying such demands?
We have seen situations in which hackers go on a company’s system, get access to their financials, and then use those financials in their ransomware negotiations with the company. They tell the company “We know you can pay, we have seen your financials.”
Why do you need Cyber Insurance?
If your business collects or stores customer information, or use the cloud for data storage, you should consider buying cyber insurance. The more you use the internet for your business, the more likely your network will be attacked. Cyber attacks could range from large scale malware to targeted phishing attempts.
Another common question we get is “What if I store my data with a third party?” Our answer is the third party will be liable if they experience a Cyber event. However, collection of data is under your business name, which means you are still liable since you are collecting the data.
The types of data you are liable for include Personal Identifiable Information (PII), Payment Card Information (PCI), and Personal Health Information (PHI).
When purchasing Cyber Insurance, you want to make sure you purchase it for the right reasons. Cyber is one of the unique coverage as it’s new to the market, and it’s not nearly as mature as other lines of insurance such as Property Insurance or Casualty Insurance.
Ok your business stores personal information and you probably need Cyber insurance, but what exactly does it cover?
What is covered by Cyber Insurance?
To simplify how Cyber insurance works, we split the coverages into two types. First party and Third party coverages. First party liability is when you experience loss. Third party liability is when a third party experiences loss because of you.
First party coverages include:
- Business Interruption expenses: this is a coverage for loss income and extra expenses you incur due to an interruption in your network or the network of a third party provider you’re dependent on.
- Social Engineering: according to a study, 90% of data breaches are caused by human error. This sub-limit in the cyber policy will trigger if one of your employees accidentally transfers money to the wrong party due to a phishing email.
- Cyber Extortion (Ransomware): the cyber extortion coverage will be triggered if a bad actor disturbs your network and holds your data hostage. The cyber policy will pay for the demand payment to release your data and restore the system.
- Security Liability: this encompasses the most basic cyber coverage. It triggers when your network Security is threatened and it covers legal and IT forensics costs.
- Hardware Replacement (Bricking): this is a new unique coverage to the market. It is a reimbursement coverage to replace devices that become useless and are no longer viable (like a brick) due to a cyber damage.
Third party coverage includes:
- Privacy Liability: most businesses nowadays store private information including names, addresses, or banking information of their customers and employees. This coverage is there for you to defend against third party litigation due to data breach. In addition, it can respond to fines and penalties you incur from regulatory bodies such as GDPR and CCPA.
- Data Breach Expenses: there are very strict rules on how to deal with a data breach. Many governments give a maximum period of 90 days to notify all Individuals whose information affected. Public relations, Credit Monitoring, and Call Center expenses will be covered under this.
- Media Liability: this is coverage for infringement and defamation as a result of errors in marketing or advertisement. However, this doesn’t cover patents and trade secrets.
- Reputation Harm: your business experiences a cyber event, but the impact in income doesn’t show until few months. This coverage is made to respond in such scenarios where your brand reputation was damaged resulting in loss of income.
- Errors and Omissions: coverage to protect you against third party allegations due to a breach of contract on your side, specific to technology services. For example, you have an application that third parties use and you are contractually obligated to serve them. Due to a technology error, the application doesn’t function as usual and the third party sues you. This is the type of coverage you want to have in such a case.
What is not covered by Cyber Insurance?
Every insurance policy you will ever see will have some sort of exclusion on it. Cyber is no different. It’s important you understand what’s not covered in your policy, and that’s why we recommend consulting with you broker about your business and coverage needs. Below is a list of exclusions we see on many policy forms:
- Betterment exclusion: costs made to improve your technology systems, not just restore it to what it was before damages
- War exclusion: Cyber events that are tied to a government or military group are excluded. However, there are some carve backs to this exclusion that improve the language
- Future Income Loss: unless it’s tied to an adverse media event, it won’t fall under reputation harm and will not be covered in the policy
- Intellectual Property: any trade secrets and or patents you own are completely excluded
Top 10 Cyber Insurance companies
There are multiple factors you should consider when looking for the best insurance company to cover your business. We put this list together of markets that have the most experience in the market as well as have written significant premiums in cyber:
- 1. AIG
- 2. BCS
- 3. Chubb
- 4. Hiscox
- 5. AXA XL
- 6. Zurich
- 7. Liberty
- 8. CNA
- 9. Travelers
- 10. Sompo
Now you think your business needs cyber insurance and you know why you need it, but the question is how much?
What does Cyber Insurance cost?
Cost for cyber insurance depends on your business revenue and record count. The cost ranges from $500 to $3,000 for most small businesses. Insurance companies will consider a few factors such as how much limits and retention you want, your claims history, and the strength of your security system.