STILL Don’t Have Cyber Insurance?

Cyber threats aren't just an abstract worry for businesses, big or small. For anyone navigating our increasingly digital world, they're a daily reality. Whether it's phishing scams, ransomware attacks, or accidental data leaks, the financial and reputational damage can be severe. That's why more companies are beefing up their cybersecurity and turning to cyber insurance to mitigate the risks.

Cyber insurance policies are not ‘one size fits all.’ Be mindful that they are not all created equal. Many business owners believe they're covered, only to find out (too late) that their policy has major gaps. Simply having this insurance, and selecting the right one for you, may make the difference in your company’s survival.

So, let’s break down exactly what's usually covered, what's not, and how to choose the right cyber insurance policy for your business.

How important is cyber insurance?

Do not be lulled into the false presumption that your business is too small to become a target for hackers. In fact, small businesses are increasingly vulnerable. According to the 2023 IBM Cost of a Data Breach Report, 43% of all cyberattacks now target small to mid-sized businesses. The financial fallout from a breach can be staggering, with the average cost for smaller businesses reaching $2.98 million. That can be a substantial blow for any growing company.

Regulators are cracking down on data privacy violations, and today's customers expect businesses to protect their personal data. A good cyber insurance policy not only helps cover the cost of a breach but also ensures compliance with regulations like GDPR, CCPA, or HIPAA, which makes it a critical safety net.

What is covered in a cyber insurance policy?

Cyber insurance policies usually offer two main types of coverage: first-party coverage and third-party liability coverage. Both provide different forms of protection based on your business's unique needs and the type of incident you're facing:

First-Party Coverage

This coverage is designed to protect your business directly when you experience a cyberattack or breach. First-party coverage helps your business recover financially from the immediate costs associated with the attack.

First-party policies typically include:

Breach Response Costs

Right up front, first-party coverage addresses the cost of managing a breach. After a cyberattack, you'll likely need to:

Determine how the breach happened and what was affected

Obtain legal advice to stay compliant with laws and reporting rules

Immediately inform any customers whose data was exposed

Offer credit monitoring if personal details were stolen

Business Interruption

Data breaches cause network downtime which can disrupt business operations, resulting in revenue loss. How significant that loss is depends on how quickly the disruption is remedied. Business interruption coverage helps mitigate the financial impact by compensating for lost income during downtime. It allows you to focus on recovery without worrying about day-to-day cash flow.

Ransomware and General Cyber Extortion

Every year, ransomware attacks continue to increase, and by locking up essential data they can not only paralyze your business but force it to close its doors forever. Cyber extortion coverage is designed to help businesses navigate these situations by covering:

The cost of the ransom itself.

The cost of paying professionals to negotiate with hackers to lower the ransom and recover data.

The costs to restore access to files that were encrypted in the attack.

Restoration of Data

No matter how it’s resolved, a major cyber incident can result in the loss or damage of critical business data. Data restoration coverage ensures that your business can recover data, whether through backup systems or through a data recovery service. This helps minimize disruption and keeps your business running smoothly.

Reputation Management

Once it becomes known that customer data has been stolen it's crucial to rebuild the trust of customers, partners, and investors. Many policies now include reputation management as part of their coverage. This often includes:

Hiring PR (Public Relations) firms to manage crisis communication, create statements, and mitigate any potential damage to your business's reputation. This is your ‘disaster guru,’ teaching you how to communicate with affected customers and stakeholders to maintain transparency.

Third-Party Coverage

This type of coverage also helps protect your business from claims made by external parties (such as customers, vendors, or partners) who are affected by your cyber incident. When a breach or attack impacts those outside your company, this important coverage steps in to defend you financially and legally.

Privacy Liability

A Privacy Liability policy protects your business if sensitive customer data is lost, stolen, or exposed in a breach. It typically includes:

Coverage for legal costs if you're sued for mishandling personal data. It may also cover costs if a third party suffers losses due to your data breach.

Compliance Violation Defense

Since they often compromise consumer information, cyber incidents come under the scrutiny of regulatory bodies, such as the Federal Trade Commission (FTC) or other industry-specific regulators. If your business is investigated or fined for violating data protection laws, regulatory defense coverage can help:

This policy can be set up to cover fines or penalties imposed by a regulator for non-compliance, helping to mitigate the costs of defending your business against regulatory actions, which can be considerable.

Media Liability

If a cyberattack results in online defamation, copyright infringement, or the exposure of sensitive content (such as trade secrets), media liability coverage helps protect you. It covers:

Defamation Suits - If a data breach leads to defamatory statements or online reputational damage, this policy helps cover the legal costs of defending the claims.

Infringement Suits - If a cyberattack leads to intellectual property violations, media liability coverage provides the financial resources to address infringement claims.

Defense and Settlement Costs

If your company is sued following a data breach or cyberattack, third-party liability coverage can help cover legal defense costs. This can include:

Paying for attorney fees in a data breach lawsuit.

Covering settlement or judgment costs if your company is found liable.

Custom Coverage and Optional Riders

Based on your specific needs or threats, cyber insurance policies often allow businesses to add extra coverage. These optional riders can offer more tailored protection for unique risks your business might face.

Social Engineering Fraud

Social engineering fraud is one of the most common types of cyber fraud today. This involves phishing attacks or other deceptive tactics designed to trick employees into revealing sensitive information, transferring funds, or giving access to internal systems. Social engineering fraud coverage helps protect against:

Financial losses if an employee is tricked by a phishing scam.

Financial losses through fraudulent transfers by attackers.

‘Bricking’

Some cyberattacks cause physical damage to business devices, rendering them useless, a scenario known as "bricking." This rider covers the costs associated with replacing or repairing devices that have been permanently damaged by a cyberattack.

Technology Errors and Omissions (E&O)

This is especially important for technology service providers, such as IT firms or software developers. Technology E&O protects businesses against claims resulting from errors or failures in the technology they provide.

What isn't covered by cyber insurance?

Understanding what's excluded from a cyber insurance policy is just as important as knowing what's included. Here are common gaps that small business owners often miss, leaving them exposed to certain risks.

Poor Cyber Hygiene and Negligence

Poor cybersecurity practices are very likely to get your claim denied – if you are given a policy at all. Many insurance policies have strict clauses regarding the state of your network and data protection. If your company fails to implement basic cybersecurity practices, such as using firewalls, Multi-Factor Authentication (MFA), or keeping software up to date, all bets are off.

Insurers increasingly require proof of good cyber hygiene before issuing a policy. Be prepared to show that you've conducted employee training, vulnerability testing, and other proactive security measures.

Known or Ongoing Incidents

Just like trying to buy car insurance after a wreck, a cyber insurance policy will not cover cyber incidents that were already in progress before your policy was activated. For example, if a data breach or attack began before your coverage started, the insurer won't pay for damages related to those events. Likewise, if you knew about a vulnerability but failed to fix it, your insurer could deny the claim.

Always double-check that your systems are secure before purchasing insurance, and immediately address any known vulnerabilities.

State-Sponsored Attacks: The War Exclusion

Many insurers now include a "war exclusion" clause due to high-profile cyberattacks like the NotPetya ransomware incident. This means that if a cyberattack is attributed to a nation-state or government-backed actors, your policy might not cover the damage. Such attacks are often considered acts of war, outside the scope of commercial cyber insurance.

Check your policy's terms and stay informed about such clauses.

Insider Threat Exclusion

Insider threats are not typically covered by cyber insurance unless your policy specifically includes "insider threat" protection. These threats include malicious actions taken by your own employees or contractors. This can be a significant blind spot, as internal actors often cause severe damage.

You should be somewhat aware of who may be an insider threat in your business: disgruntled employees or those who are leaving to join a competitor. If you are concerned about potential insider threats, discuss specific coverage options with your broker to ensure your policy includes protections against intentional damage from insiders.

Reputation and Potential Lost Business

Many cyber insurance policies don't cover the long-term reputational damage or future business losses that can result from a cyberattack, even though they may offer PR crisis management services. The fallout from a breach, such as lost customers or declining sales due to trust issues, often falls outside the realm of coverage.

If your business is especially concerned about brand reputation, consider investing in additional coverage or crisis management services. Reputational harm can have far-reaching consequences that extend well beyond the immediate financial losses of an attack. Remember the breach of the ‘cheaters’ site Ashley Madison about 10 years ago? You can bet your bottom dollar that a lot of cheaters fled the site.

How to choose the right cyber insurance policy?

Take an assessment of your risk factors. Start by evaluating your exposure:

Customer, financial, and health data all require different levels of protection, so take stock of what types of data you store.

Assess how much you rely on digital tools or cloud platforms. If your business is heavily dependent on technology, you may need more extensive coverage for system failures or data breaches.

Establish or bolster access management practices if third-party vendors have access to your systems. Vendors can be a potential weak point. Ensure they're covered under your policy as well.

Know the Right Questions to Ask

It’s crucial to ask these questions before signing a policy:

Are ransomware and social engineering fraud covered?
These are growing threats that many businesses face, so it's crucial to have specific coverage for these attacks.

Does it cover legal fees and regulatory penalties?
If your business faces a legal battle or must pay fines for a breach, you'll want coverage for these costly expenses.

What's Included and Excluded?
Understand the fine print to avoid surprises if you file a claim. Know what you are and are not getting.

Seek Out a Second Opinion

Consult with either your IT support department or your outsourced Managed IT Services provider. If you don’t have an ongoing IT vendor – GET ONE. Don't go it alone – work with someone who understands both the technical and legal aspects of cyber risk. They'll help you navigate the complexities of the policy language and identify any gaps in coverage. Having a pro on your side can ensure you're adequately protected and help you make the best decision for your business.

Coverage Limits and Deductibles

These are things you absolutely need to know. Cyber insurance policies come with specific coverage limits and deductibles. Make sure that the coverage limit aligns with your business's potential risks. For example, if a data breach could cost your business millions, make sure your policy limit reflects that. Similarly, check the deductible amounts; these are the costs you'll pay out of pocket before insurance kicks in. Choose a deductible that your business can afford in case of an incident.

Review Policy Renewal Terms and Adjustments

Cyber insurance generally evolves at the same rate that the cyber risks you face evolve – but not always. A policy that covers you today may not cover new threats tomorrow. Check the terms for policy renewal and adjustments. Does your insurer offer periodic reviews to ensure your coverage stays relevant? Ensure you can adjust your coverage limits and terms as your business grows and as cyber threats evolve. It's important that your policy evolves with your business needs.

Maintaining cyber insurance is a smart move for any business. Just be sure you understand what you're buying. Knowing the difference between what's covered and what's not could mean the difference between a smooth recovery and a total shutdown.

Do your due diligence: assess your risks, read the fine print, and ask the right questions. Combine insurance coverage with strong cybersecurity practices, and you'll be well-equipped to handle whatever the digital world throws your way.

Frequently Asked Questions

What is the best cyber insurance?

‘Best’ is subjective to your needs. The top providers include Chubb, AXA XL, Beazley, AIG, and Travelers. Check out the strengths and weaknesses of their coverage.

Who is the largest cyber insurer?

In terms of the number of policies written, Munich RE is #1, with Chubb in the #2 spot. Beinsure rounds out the list HERE.

Does cyber insurance cover all cyber attacks?

Not typically. Aside from the exclusions previously noted, cyber policies typically exclude issues that were caused by human error or negligence or could have been prevented. Check for what triggers these exclusions.

What are common cyber insurance claims?

The Top 5 are:

Malware attacks
Phishing attacks
Ransomware attacks
Supply chain attacks
Business email compromise (BEC) attacks

How secure is your network?

As a reputable member of the IT Support Los Angeles community since 2002, IT Support LA offers a FREE, no-risk network and cybersecurity assessment. It is a non-intrusive scan that allows us to deliver a comprehensive report that is yours to keep. No strings, and no obligation to ever use our Managed IT Services.

The best defenses are expert cybersecurity to protect your data from theft, and a top-notch Managed Services Provider (MSP) to ensure continued reliability and defenses against newly emerging threats.

With our 100% Money Back Guarantee in writing, we offer a risk-free way for prospective clients to try us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.
