According to the World Economic Forum, cyber attacks are cited as No. 2 in the top 10 global business risks.
For years, we at Woodruff Sawyer have talked about how nearly every company—large, small, in healthcare, technology, manufacturing, and more—has a cyber risk. And almost every day now, we learn about yet another cyber security incident.
This trend will continue through 2021 and is exacerbated by cybercriminals taking advantage of the pandemic.
In its early days, cyber insurance coverage was offered through either expensive, highly manuscripted policy forms or cheap, sublimited endorsements to other policies. Today the cyber insurance market has advanced from a very niche risk transfer tool to a critical requirement for enterprise risk management.
Many clients still ask us some version of the question: What exactly is covered in a cyber insurance policy? Some companies even wonder if cyber risk is insurable.
The good news is that yes, cyber risk is insurable. In this article, we’ll cover how cyber insurance works.
What’s New in 2021
Even before the pandemic, cyber insurers were tightening their underwriting guidelines and asking for more details to better understand the risk they were insuring. Whether it is details on backup procedures or questions on specific security controls in place, companies looking for cyber insurance in 2021 can expect a more rigorous underwriting process.
After the pandemic hit, entire workforces migrated from working in an office, where cyber security was more controlled, to working from home. This presented immediate challenges, as cyber criminals took advantage of new security and human vulnerabilities. Major challenges included bandwidth and unsecure connectivity, employee access issues and phishing, social engineering, and other “human” cyber risks.
Fortunately, cyber insurance was there each step of the way. Policies have responded due to broad coverage language for incidents both big and small—whether it involved network outages, data breaches, financial fraud, or ransomware.
But not all cyber insurance policies are created equal, and the pandemic has highlighted a few areas of concern. Insureds were advised to look at key definitions within their cyber policies, like “computer system” to ensure that employees working from home on a personal computer were covered.
Potential exclusions included voluntary shutdowns and personal network outages, such as when an employee lost internet access at their home or had a slower connection than what was available at the company office.
- Get Ready: Cyber Insurance Underwriting is Changing
- The Cyber Risks of Working Remotely During the Coronavirus Pandemic
- Coronavirus Impact on Cyber Insurance Coverage
What Cyber Insurance Covers
Every company faces cyber risk, no matter their size. But the bigger you are, the more areas of vulnerability you have.
The most prominent cyber risks are privacy risk, security risk, and operational risk.
Generally, cyber insurance is designed to protect your company from these primary risks through five distinct insuring agreements:
- Network security, privacy
- Network Business Interruption
- Media liability
- Errors and omissions
In particular, network security and privacy liability can include both first-party and third-party costs. Let’s go into each element and what specific cyber risk it covers.
A network security coverage grant is important for most companies, including those subject to information risk and privacy risk. This aspect of cyber insurance covers your business in the event of network security failure; which can include a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise.
Network security coverage includes first-party costs––expenses that you incur directly as a result of the cyber incident, including:
- Legal expenses
- IT forensics
- Negotiation and payment of a ransomware demand
- Data restoration
- Breach notification to consumers
- Setting up a call center
- Public relations expertise
- Credit Monitoring and Identity Restoration
- Multi-Factor Authentication: A Small Step for a Big Decline in Cyber Attacks
- What Is Remote Desktop Protocol and Why Is It a Cyber Risk?
- Ransomware Attacks and Your Cyber Insurance: A Complete Action Plan
Privacy liability coverage is also important for most companies, particularly those with information risk or privacy risk.
Customer and employee information can be sensitive and breaches or violations that expose such data not only threaten the security of those compromised, but expose your business to liability.
Privacy liability coverage protects your company from those liabilities arising out of a cyber incident or privacy law violation. These third-party costs can arise, for example, from liabilities required in a contractual obligation, all the way to regulatory investigations by governments and law enforcement.
Here are two examples:
- Defending your organization from consumer class action litigation and funding a potential settlement in the event of a cyber incident or data breach
- Legal expenses, fines, and/or penalties incurred due to a regulatory investigation by government or law enforcement; both federal and foreign. Imagine what would happen to your company if a foreign governmental body investigated and levied a penalty on your company for a privacy event or violation, especially with new regulations such as GDPR and CCPA granting consumers increased rights with regard to their personal information. Another cyber risk area is FTC privacy consent decrees and their respective fines or penalties
- EU-US Privacy Shield Is Dead, but the Risk Is the Same
- How Biometric Privacy Litigation Could Mean Trouble for CCPA
Network Business Interruption
How dependent is your organization on technology to operate? Network business interruption coverage provides a solution for companies that face an operational cyber risk.
When your network or the network of a provider that you rely on to operate goes down due to an incident, you can recover lost profits, fixed expenses and extra costs incurred during the time your business was impacted.
This includes loss arising from:
- Security failures, like a third-party hack
- System failure, such as a failed software patch or human error
This provides coverage for intellectual property infringement, other than patent infringement, resulting from the advertising of your services. It often applies to both your online advertising, including social media posts, as well as printed advertising.
Errors and Omissions
A cyber event could keep you from fulfilling your contractual obligations and delivering services to your customers. E&O covers claims arising from errors in the performance of or failure to perform your services.
This can include technology services, like software and consulting, or more traditional professional services like lawyers, doctors, architects, and engineers.
E&O coverage addresses allegations of negligence or breach of contract should this occur, and can include legal defense costs or indemnification resulting from a lawsuit or dispute with your customers.
The Best Cyber Insurance Is As Unique As You Are
A one-size-fits-all policy is rarely the best fit for most companies. It’s true that most cyber policies contain some combination of the above coverage elements; and in a well-brokered cyber insurance policy, the basic insuring agreements will be covered up to the full policy limits.
But beyond the basic insuring agreements, there are numerous available coverage additions which are more nuanced, and provide better coverage––especially for new buyers and situations that are not already well understood.
These enhancements to a cyber insurance policy are not always available unless you know what to ask for, and if they are available they are generally sublimited to an amount less than the full policy limit.
Here are just a few:
Those pesky phishing emails can do real damage to your cash flow. Social engineering coverage is designed to protect companies from funds transfer fraud situations. The most common example is an employee duped into sending money from your bank accounts to a malicious hacker.
Social engineering coverage can also be found on most modern crime insurance policies, sometimes at higher sublimits and broader coverage than on a cyber-specific insurance policy.
It’s important to work with your broker to understand how a cyber and crime insurance policy can work together on social engineering coverage to your benefit.
Reputational harm is the continuing profit impact of a cyber event due to brand reputation damage. This is usually limited to a specific time period and includes aversion to a brand following a publicized cyber event, such as a privacy event or security breach.
This enhancement covers the replacement cost of technology equipment that is rendered useless by a malware attack. If your laptop or server becomes as useful to your corporate network as a masonry brick, you’ll know where to look for coverage.
Cyber Insurance: What’s Typically Not Covered
As with all insurance policies, there are exclusions that are important to understand. Cyber insurance policies generally do not cover:
- Potential future lost profits
- Loss of value due to theft of your intellectual property
- Betterment: the cost to improve internal technology systems, including any software or security upgrades after a cyber event
Be aware that just because you have other policies that may be activated in the event of a cyber incident, there are probably gaps around which damages they’ll actually pay. In fact, there are a number of lawsuits from companies against insurance carriers due to their cyber claims not being covered by non-cyber policies.
These lawsuits bring up the important concept of “Silent Cyber”–otherwise understood as traditional insurance policies such as property liability, general liability, or directors and officers insurance being silent on whether they will cover some of the consequences of a cyber attack.
Want to Know More About Cyber Insurance?
Learn more about cyber risks and coverage with us:
- Check out our Cyber Buying Guide to learn more about the process of buying cyber insurance.
- Contact our National Cyber Practice Leader, Dan Burke.
- Read more on all things Cyber Liability in our blog.
- Sign up for our newsletters to learn more.
- Check out our virtual education on all things cyber.
- Learn about Woodruff Sawyer’s cyber services, beyond insurance.
Why Manage Your Cyber Insurance with Woodruff Sawyer?
We’re experts in cyber insurance. Our dedicated team of cyber risk experts constantly evaluates the latest threats and negotiates with carriers to drive improvements in cyber coverage.
But many are left wondering: What’s actually covered by cyber insurance? Our team can help make sense of the basics included in every policy and where coverage can be expanded and enhanced for your particular needs.
Our team also guides organizations beyond cyber insurance coverage; we believe a healthy cyber approach addresses all aspects of your cyber risk—before, during, and after possible attacks.
We take a personalized approach to serving every client. When you become our client, we become your champion. Your dedicated team of specialists will advocate fiercely for you and tackle your unique problems.
It’s clear that clients value our service philosophy, because our 2020 Net Promoter Survey® (NPS) score is 87.4%, which is considered world-class in service and puts us on par with the nation’s top corporations and service leaders in any industry.
About Woodruff Sawyer
Great companies know that innovation requires risk. At Woodruff Sawyer, we’ve been insuring innovation for over 100 years.
Our mission is simple: to provide our clients with deep expertise, thoughtful counsel, and fierce advocacy. We protect your people and your assets by identifying and mitigating your risk and reducing your costs.
We’re one of the largest insurance brokerage and consulting firms in the US. Working as an extension of your team, we tailor your program and coverage based on truly knowing you and your business.
You’ll get access to experts with decades of experience, as well as proprietary data that empowers you to make decisions with confidence. If a claim does occur, you’ll have strong advocates with a specialized claims team to help drive the best result. Because when you win, we win.
Our combination of expertise, advocacy, stability, and service has earned us one of the highest client satisfaction rankings in our industry. It’s also the reason why thousands of companies choose us as their long-term partner.
Before an Attack, Incident Response, and Cyber Insurance
IN THE NEWS
Related Blog Posts
Multi-factor authentication (MFA) is an increasingly important solution to thwart account compromise attacks, especially when the workforce is remote and gaining access to key corporate networks and applications is vital.
Learn more about the constant evolution of social engineering attacks, how insurance responds to attacks, coverage requirements, and best practices for reducing your risk.