Cyber security and Cyber insurance

What is Cyber Insurance and Why you Need it

You have been hearing a lot about Cyber Insurance and Cyber attacks in the news recently. As technology evolves and more business transactions are done online, hackers, criminals, and insiders will continue to use Cyber attacks for their financial benefit. 

While businesses in Illinois can mitigate their Cyber risk by improving their security standards and refining their data storing process, they are still at huge risk of experiencing huge losses that will harm their reputation and can even cause them to file for bankruptcy. But there’s more.

What is Cyber Insurance? 

Cyber Insurance Liability is a first and third-party coverage designed to protect businesses in the event they experience a Cyber breach that causes loss of data or business interruption. According to a 2019 survey by Statista, one-third of companies in the US purchased a stand-alone Cyber Insurance Policy. In addition, 44% of clients discussed their Cyber Insurance coverage with their insurance broker. Why did they discuss Cyber? See below.

Cyber Insurance Market Over the Years 

The Cyber Insurance market is evolving fast. New risks are emerging every day and cyber attacks are becoming very frequent. Cyber started as a small broad coverage on Property and Errors & Omissions policy forms, and now the Cyber insurance market alone has a market value of over $9 billion and is expected to be at $25 billion by 2025. 

Cyber Insurance Market Size

What is driving demand for cyber insurance? There isn’t one simple clear answer. It’s a combination of concerns from business owners about the data they store, more cyber attacks hitting large companies, and huge media coverage for such attacks.

In 2019, ransomware attacks alone have more than doubled. Hackers are not only attacking more, they are also asking for bigger amounts, and why wouldn’t they when insurance companies keep on paying such demands? 

We have seen situations in which hackers go on a company’s system, get access to their financials, and then use those financials in their ransomware negotiations with the company. Hackers tell the company “We know you can pay, we have seen your financials.”  

Why do you need Cyber Insurance?

Phishing attacks

If your business collects or stores customer information, or use the cloud for data storage, you should consider buying cyber insurance. The more you use the internet for your business, the more likely your network will be attacked. Cyber attacks could range from large scale malware to targeted phishing attempts.

Another common question we get is “What if I store my data with a third party?” Our answer is the third party will be liable if they experience a Cyber event. However, businesses are still liable as long as they collect data.

You are liable for data that includes Personal Identifiable Information (PII), Payment Card Information (PCI), and Personal Health Information (PHI). 

When purchasing Cyber Insurance, you want to make sure you purchase it for the right reasons. Cyber is one of the unique coverage as it’s new to the market, and it’s not nearly as mature as other lines of insurance such as Property Insurance or Casualty Insurance. 

This is why it’s important you familiarize yourself with what the cyber policy covers and not covers.

What is covered by Cyber Insurance?

To simplify how Cyber insurance works, we split the coverages into two types. First party and Third party coverages. First party liability is when you experience loss. Third party liability is when a third party experiences loss because of you. 

Closed sign

First party coverages include: 

  • Business Interruption expenses: this is a coverage for loss income and extra expenses you incur due to an interruption in your network or the network of a third party provider you are dependent on. 
  • Social Engineering (Phishing): according to a study, 90% of data breaches are caused by human error. This sub-limit in the cyber policy will trigger if one of your employees accidentally transfers money to the wrong party due to a phishing email.
  • Cyber Extortion (Ransomware): the cyber extortion coverage will trigger if a bad actor disturbs your network and holds your data hostage. The cyber policy will pay for the demand payment to release your data and restore the system. 
  • Security Liability: this is the most basic cyber coverage. Security liability triggers when your network security is threatened and it covers legal and IT forensics costs.
  • Hardware Replacement (Bricking): this is a new unique coverage to the market. Bricking a reimbursement coverage to replace devices that become useless and are no longer viable (like a brick) due to a cyber damage.

Data Breach

Third party coverage includes:

  • Privacy Liability: most businesses nowadays store private information including names, addresses, or banking information of their customers and employees. This coverage is there for you to defend against third party litigation due to data breach. In addition, it can respond to fines and penalties you incur from regulatory bodies such as GDPR and CCPA.
  • Data Breach Expenses: there are very strict rules on how to deal with a data breach. Many governments give a maximum period of 90 days to notify all Individuals affected. Some expenses you will incur include Public relations, Credit Monitoring, and Call Center expenses.

Media liability

  • Media Liability: this is coverage for infringement and defamation as a result of errors in marketing or advertisement. However, this media coverage doesn’t cover patents and trade secrets – see exclusions section.
  • Reputation Harm: assume you experience a cyber event, but the impact in business income didn’t show until few months from the event. This coverage responds in such scenarios where you lose income because of damage in brand reputation.
  • Technology Errors and Omissions: a special coverage to protect you against third party allegations due to a breach of contract on your side, specific to technology services. For example, you create an application that third parties use and you have an obligation to serve them. Due to a technology error, the application didn’t function as usual and the third party ends up suing you. This is the type of coverage you want to have in such a case.

What is not covered by Cyber Insurance?

Claim Denial

Every insurance policy you will ever see will have some sort of exclusion on it. Cyber is no different. It’s important you understand what the cyber policy doesn’t cover. This is why we recommend consulting with your broker about your business and coverage needs. Below is a list of exclusions we see on many policy forms:

  • Betterment exclusion: costs made to improve your technology systems, not just restore it to what it was before damages 
  • War exclusion: Cyber events that are tied to a government or military group are excluded. However, there are some carve backs to this exclusion that improve the language 
  • Future Income Loss: unless the loss is tied to an adverse media event, it won’t fall under reputation harm and the policy will not cover it 
  • Intellectual Property: any trade secrets and or patents you own are completely excluded 
  • Infrastructure exclusion: you will not receive coverage if your internet provider or any other utility company you depend on is down due to a cyber event.

Top 10 Cyber Insurance companies

There are multiple factors you should consider when looking for the best insurance company to cover your business. We put this list together of markets that have the most experience in the cyber market as well as have written significant premiums:

  1. 1. AIG 
  2. 2. BCS 
  3. 3. Chubb
  4. 4. Hiscox  
  5. 5. AXA XL
  6. 6. Zurich 
  7. 7. Liberty 
  8. 8. CNA 
  9. 9. Travelers 
  10. 10. Sompo

Now you think your business needs cyber insurance and you know why you need it, but the question is how much?

Cyber Insurance Cost

What does Cyber Insurance cost in Illinois? 

Cost for cyber insurance  in Illinois depends on your business revenue and record count. The cost ranges from $500 to $3,000 for most small businesses. Insurance companies will consider a few factors such as how much limits and retention you want, your claims history, and the strength of your security system.