Cyber 101: Understand the Basics of Cyber Liability Insurance

Cyber risk has grown demonstrably in frequency and severity in the past 10 years—and, in tandem, the cyber insurance policy has grown in breadth and complexity. This past year, a record number of organizations fell victim to the scourge of ransomware, and others have had to battle the onslaught of phishing emails and social engineering attacks driven by cybercriminals using generative artificial intelligence. The impact of cyber events on organizations continues to be a leading concern for executives, and a cyber insurance policy is an important element of an effective cyber risk management strategy. Understanding the breadth of a cyber policy is essential for executives to ensure balance sheet protection from a costly and evolving risk. 

This article will explain the basic tenets of cyber insurance and what it covers.

What Cyber Insurance Covers

Cyber insurance is a specialized insurance product designed to guard against the financial impacts of a cyber event. This could be loss of income due to a disruption to operations caused by a ransomware attack, or a network failure caused by a vendor in the organization's ecosystem. Cyber insurance also provides coverage for legal actions that may occur because of a cyberattack, like a class-action lawsuit claiming the organization failed to safeguard information and caused consumers harm. A comprehensive cyber insurance policy is comprised of:

1. First-party coverages, which respond to risks that originate from within the organization and impact its own operations, finances, or reputation.
2. Third-party coverages, also known as liability insurance, protect organizations from claims made by others, including regulators, customers, or those persons affected by a cyber event or a data breach.

First-Party Cyber Coverages

Cyber Event Management 

These are the expenses an organization incurs directly because of a cyber event, including:

Legal expenses

During a cyber event, legal counsel plays a crucial role in guiding the response, ensuring compliance, and mitigating potential legal and reputational risks by providing legal advice, coordinating communications, and managing investigations. This coverage provides legal fees and other costs incurred associated with responding to the cyber event.

Digital forensic investigation

Legal counsel retains a DFIR (Digital Forensics and Incident Response) professional during a cyber event to identify, investigate, and remediate the event. Primarily, a DFIR professional will collect and preserve digital evidence to understand the attack and ensure that the evidence can be used in legal proceedings if necessary. A DFIR professional is also crucial in containing an attack, monitoring the network for an active threat, and eradicating cyber criminals from the network. This grant covers the fees and expenses incurred to retain a DFIR professional to respond to a cyber event.

Data and system restoration

This coverage grant is essential for organizations experiencing an encryption event due to a ransomware attack. It provides coverage for retaining restoration and recovery professionals to restore affected systems, data, and services to their operational state as quickly as possible while minimizing disruption to business operations. When retained, a data recovery and restoration specialist will assess the impact of the cyber event, identify the most effective and efficient path to restore the network, and then use specialized techniques and tools to recover or restore data. This may include the cost of removing malicious elements from devices and recovering data from backups. In some circumstances, the restoration and recovery specialist may be required to go on-site to rebuild and restore data access and IT infrastructure after a cyberattack or other disruptive event, aiming to minimize damage and resume operations quickly. This grant covers the cost incurred in retaining a recovery and restoration professional.

Replacing bricked devices

When impacted by a ransomware attack, some organizations may experience physical damage to devices in their network. Devices can be "bricked," or in other words, rendered unusable, when malicious software corrupts or erases critical firmware or system files, preventing the device from booting or functioning.  A bricking coverage grant provides for the costs incurred to replace electronic devices rendered unusable due to a cyberattack. The insurance market has several different understandings and limitations around this coverage. It is important to review it with a broker.

Breach notification

This coverage is for organizations that have experienced a data breach due to a cyber event provide for the costs incurred fulfilling legal obligations to notify individuals who were subject of the breach. The coverage also provides for the expenses incurred by an organization relating to communications, mailings, and credit monitoring services provided to impacted persons.

Crisis management

During a cyber event, an organization may need a crisis management professional to assist in minimizing damage, protect reputation, contain any misinformation or negative information, and communicate in an appropriate and timely manner internally and externally.  This coverage provides for the costs incurred retaining a crisis management professional to manage reputation damage, including media relations, press releases, and internal crisis communications.

Cyber Extortion

Cyber extortion coverage provides for the costs incurred in retaining a professional negotiator and/or threat intelligence analyst to respond to cyber extortion. Cyber extortion exposures are, most frequently, from a ransomware attack, but the coverage grant should also be broad enough to include other cyber extortion attacks. One example is a malicious bug bounty extortion, where a vulnerability found in the victim's network is threatened to be exploited if the cybercriminal is not paid. Additionally, the coverage grant will include reimbursement for payments made to eliminate the threat of extortion or to pay a ransom.

Business Interruption 

Organizations may suffer financial losses when operations are suspended or degraded due to a cyber incident, network failure, or voluntary network shutdown. The business interruption grant covers the business income an organization would have earned had the cyber event not occurred. 

This coverage intends to compensate the organization for losses from the period of downtime or reduced productivity, but importantly, it is not intended to provide a windfall to the insured organization. Accordingly, the construction of this coverage grant varies widely in the market. Work with a broker to clarify terms and ensure the organization has a comprehensive grant that aligns with how it recognizes revenue and measures its business impact from a cyber event. It’s also important to confirm that:

• The policy covers both degradation and suspension of operations
• It provides for an adequate length of time of interruption for that organization’s recovery
• The trigger for the coverage includes not only a disruption caused by a cyberattack, but also a technical failure in the network or a voluntary shutdown of the network in response to a cyberattack. 

A common example of a business interruption loss is when a ransomware attack disrupts an organization's network and operations, causing employees to be unable to process orders, communicate with customers, or operate online services. The operational challenges result in lost income to the organization. When calculating the loss, a policy with a comprehensive coverage grant will provide for the loss of income or sales that occurred “but for” the disruption less continuing or fixed expenses during the proscribed period stated in the policy.

Gathering the necessary information, and evaluating and computing the business interruption loss, can be challenging. Many carriers provide a coverage enhancement—a grant for the cost of retaining a forensic accountant to help the organization calculate and submit the loss to the carrier. 

Contingent Business Interruption (CBI)

Organizations may incur financial losses when a third-party service provider experiences a network disruption or degraded services due to a cyber event. CBI intends to cover the income losses from those circumstances. 

One example of a CBI coverage scenario is when an organization relies on an outsourced web hosting provider and it experiences an outage due to a cyberattack. This impacts the insured organization’s network ability to sell, leading to lost income. The CBI coverage, much like BI coverage, intends on providing for lost income; the difference in CBI is the precipitating events that trigger this coverage are a cyber disruption from a third party as opposed to a cyber event experienced by the insured itself.  

This is another coverage that can be limited in the market. We recommend at a minimum reviewing whether 1) there is a limitation in the type of third-party service provider and analyzing the impact on the insured organization, 2) whether the limits are adequate and the period of restoration is appropriate for the projected recovery time of the organization, and 3) whether the necessary triggers for both cyber incidents and network failure are present. It is important to engage a broker to help assess the breadth and the application of this coverage to the organization. 

Extra Expense

When trying to mitigate the effects of a cyber event, an organization may incur additional costs beyond its normal operating expenses. This could include overtime paid to employees to assist in the system recovery or the cost of putting in place a temporary server to keep some operations running during the cyber event. The intent of extra expense coverage is to provide for those costs incurred. 

Reputational Harm 

Organizations can incur financial losses due to damage to their reputation following a cyber security event. One example is when an organization experiences a cyberattack that results in a data breach of personal information for many customers, followed by negative news stories that cause the organization's brand to decline and result in a loss of trust from current and potential customers. A reputational harm coverage grant covers lost earnings arising from damage caused by adverse media reports from the cyber event.

Social Engineering and Cyber Crime 

Companies can incur financial loss from social engineering attacks. Employees or other individuals may be tricked into divulging sensitive information or transferring funds through deceptive tactics like phishing emails, pretexting, or other forms of social engineering. 

A common social engineering attack may involve phishing, where an attacker disguises as a legitimate entity (like a bank or IT support) in an email or text message to trick a victim into revealing sensitive information or clicking on a malicious link. 

This coverage typically protects against losses resulting from the good-faith transfer of money, or securities as a direct result of fraudulent instructions given by someone pretending to be an authorized person.

Third-Party Cyber Coverages

Cyber and Privacy Liability

Third-party cyber and privacy liability coverage protects businesses from financial consequences when a cyber incident or data breach impacts clients or other third parties, covering legal fees, settlements, and damages resulting from claims against the insured.  The coverage includes legal defense costs, settlements, damages, and regulatory fines and penalties.

Data Breach Liability 

Data breaches have always carried the risk of litigation, but this threat has intensified over the last few years. We have observed that the plaintiffs' bar is becoming more active, in part due to the significant increase in litigation funding and the ease of identifying and recruiting potential plaintiffs. It is becoming increasingly common for litigation to commence in parallel with regulatory investigations, which underscores the importance of this coverage. Data breach liability coverage protects organizations from liability arising from a cyber event or data privacy breach where sensitive information was impacted.

Non-Breach Privacy Liability

While the impacts of cyber attacks and ransomware events often grab media attention, non-breach privacy litigation risk is growing and with the implementation and use of artificial intelligence technology in organizations, it will only continue to grow. However, the availability of affirmative coverage for non-breach privacy or wrongful data use and collection varies in the insurance market. 

A non-breach privacy risk is a circumstance where privacy is impacted, not through a data breach (unauthorized access or disclosure), but due to other factors like wrongful data collection, poor data handling practices, or lack of transparency. Non-breach privacy risk has impacted many organizations in the past few years as litigation relating to cross-border data transfers, misuse or sharing of personal data, online safety, and shortcomings in privacy policies has skyrocketed. One example of a non-breach privacy exposure is when an organization collects voiceprints from employees at its distribution centers without providing proper notice and consent. In this scenario, the organization may be liable for violating the Illinois Biometric Information Privacy Act, which carries the potential for large statutorily dictated damages. Organizations looking for comprehensive coverage for risks related to data collection and processing should work with their broker to ensure the insurance policy covers these risks.

Regulatory Liability

Regulatory liability coverage is designed to provide coverage for the legal expenses, fines, and penalties that an organization incurs from an investigation by a state, federal, or foreign agency or body, due to a violation of a privacy law. A common scenario for the application of this coverage is after a data breach, a state attorney general opens an investigation into an organization's data protection practices. That organization may incur legal fees in responding to the investigation and may even be fined. Regulatory liability coverage is designed to cover the expenses and losses incurred.

Organizations should work with their broker to ensure that their regulatory coverage is not too narrow in scope. Some regulatory coverage grants are drafted prescriptively and list a set of laws that will fall within the ambit of coverage. However, this approach may exclude laws that should be contemplated in this coverage grant, like violations of broader cybersecurity laws, among others. One example is the New York Department of Financial Services’ Cybersecurity Regulation, 23 NYCRR 500, which mandates cybersecurity requirements for financial institutions conducting business in New York to ensure the protection of sensitive customer information and the integrity of information systems. If that law is not listed, the coverage may not be sufficient for an organization regulated by that law. Work with a broker to ensure that the regulatory coverage grant is comprehensive enough to meet your organization's risk profile.

PCI DSS Liability 

This coverage grant protects organizations in relation to the Payment Card Industry Data Security Standard (PCI DSS) for credit card processing. It provides coverage for financial penalties, assessments, and costs arising from cyber events and data breaches and the investigation, litigation, response, and assessments related to the organization’s legal responsibilities for PCI DSS.

Ancillary Third-Party Coverages 

Most carriers also offer coverage for risks related to media content or technology products or services. These coverages are ancillary and can be added subject to your organization’s requirements.

Media Liability  

In the information era, most organizations share massive amounts of content on the internet and social media platforms. However, this increased reach and audience also expands an organization's media risk. Media liability protects an organization from financial losses resulting from claims related to their media content, such as claims for defamation, copyright infringement, and invasion of privacy.  The insurance market varies as to whether the coverage extends to both digital and print media or digital media only. For example, the availability of coverage for claims arising out of music licensing and certain copyright violations may be limited.  

A common claims scenario in media liability is that an organization publishes an article online that defames a local business, leading to a claim from that business for damages. Alternatively, an organization hires an influencer to promote its brand, and they publish a blog post that violates the privacy of another individual, which results in a lawsuit. These are the common occurrences media liability was designed to cover. 

Technology Errors and Omissions

Regardless of the industry, most organizations are becoming technology companies, as technology is integral to operations, innovation, and building competitive advantages. Technology E&O coverage protects organizations from exposures related to the technology products or services they provide to others. 

Technology E&O protects organizations from exposures like cyber consulting or network integration and provides coverage for claims of negligence or breach of contract from clients. For example, a cloud-based data service negligently fails to back up critical data, resulting in a loss for the client. The coverage would cover legal expenses and a settlement with the client. 

Similarly, technology E&O also provides coverage for liabilities arising out of technology products.

Obtain Cyber Coverage That Is Future-Proof

Cyber risk impacts all organizations differently, and an insurance solution that is crafted for a broad audience may not always be the right solution. Most cyber policies contain some combination of the above coverage elements, and in a well-brokered cyber insurance policy, the basic insuring agreements will be covered up to the full policy limits.

Beyond the basic insuring agreements, numerous coverage enhancements are available that are more nuanced and provide better coverage, especially for new buyers and situations that are not already well understood. 

These enhancements to a cyber insurance policy are not always available unless you know what to ask for, and if they are available, they are generally sublimated to an amount less than the full policy limit. 

Today, the cyber insurance market has advanced from a very niche risk transfer tool to a critical requirement for enterprise risk management. Not all cyber insurance policies provide broad comprehensive terms and limits, and having an insurance broker trained in the nuance of this line of insurance can be a valuable partnership for any business.

Cyber Insurance: What’s Typically Not Covered

As with all insurance policies, some exclusions are important to understand. 

Cyber insurance policies generally do not cover:

• Potential future lost profits
• Bodily injury and property damage*
• System upgrades
• The costs to patch or manage a vulnerability
• Loss of value due to theft of your intellectual property
• Acts of war
• Infrastructure disruptions 

*There are a growing number of markets that will offer a limited coverage grant for bodily injury and property damage. 

Value-Added Services and Solutions

A growing trend with cyber insurance carriers is that they provide technology and cyber consulting services alongside an insurance product. The idea behind offering value-added technology and services beyond the risk transfer is two-fold. Carriers are incentivized to ensure that the services and technical solutions they provide make a material impact on managing cyber risk because they are also the risk transfer partner. Additionally, carriers believe they have such rich data on the behaviors and tooling that are effective in minimizing and preventing cyber risk that they are in a good position to offer proactive risk management solutions. These solutions are not right for all organizations but are worth exploring with the brokering team. 

Examples of some of the offerings:

• Cybersecurity Training: Educating employees about cyber threats, phishing scams, and safe online practices.
• Incident Response Planning: Developing a plan to quickly and effectively respond to a cyber incident, including containment, communication, and recovery.
• Vulnerability Assessments: Regularly assessing systems and networks for weaknesses that could be exploited by attackers.
• Managed Detection and Response (MDR): Employing specialized tools and expertise to continuously monitor for and respond to cyber threats.
• Access to Risk Management Platforms: Offering tools to assess and manage cyber risks.

Want to Know More About Cyber Insurance? 

Learn more about cyber risks and coverage with us:

• Check out our Cyber Buying Guide to learn more about the process of buying cyber insurance.
• Read the Cyber Looking Ahead Guide for trends, pricing, and predictions for this year.
• Read and subscribe to the Cyber Notebook for blogs, events, and more
• Learn about Woodruff Sawyer’s cyber services, beyond insurance.

Why Manage Your Cyber Insurance with Woodruff Sawyer?

We’re experts in cyber insurance. Our dedicated team of cyber risk experts constantly evaluates the latest threats and negotiates with carriers to drive improvements in cyber coverage.

Many buyers often wonder: How does my organization’s risk fit within my cyber policy? Our team can help make sense of the basics included in every policy and where coverage can be expanded and enhanced for an organization’s particular needs.

Our team also guides organizations beyond cyber insurance coverage; we believe a healthy cyber approach addresses all aspects of your cyber risk—before, during, and after possible attacks. 

We take a personalized approach to serving every client. When you become our client, we become your champion. Your dedicated team of specialists will advocate fiercely for you and help you solve your business challenges.