Cyber risk is more prominent than ever—and insuring cyber risk is getting more complex. For years, we at Woodruff Sawyer have talked about how nearly every company—large and small, in healthcare, technology, manufacturing, and more—has a cyber risk. And almost every day now, we learn about yet another cyber security incident.
Be it ransomware, phishing emails with embedded malware, or even social engineering attacks, companies are finding themselves the target of a cyberattack all too often. And for many leaders at these companies, a cyber insurance policy appears to hold a lot of value.
Yet, many clients still ask us some version of the question: What exactly is covered in a cyber insurance policy? Some companies even wonder if cyber risk is insurable.
The good news is that yes, cyber risk is insurable. In this article, we’ll cover how cyber insurance works.
What Cyber Insurance Covers
Every company faces cyber risk, no matter its size, but the bigger the company, the more areas of vulnerability it has.
The most prominent cyber risks are privacy risk, security risk, operational risk, and service risk.
Generally, cyber insurance is designed to protect your company from these primary risks through four distinct insuring agreements:
- Network security and privacy liability
- Network business interruption
- Media liability
- Errors and omissions
In particular, network security and privacy liability can include both first-party and third-party costs. Let’s go into each element and what specific cyber risk it covers.
A network security coverage grant is important for most companies, including those subject to information risk and privacy risk. This aspect of cyber insurance covers your business in the event of network security failure, which can include a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise.
Network security coverage includes first-party costs—expenses that you incur directly as a result of the cyber incident, including:
Privacy liability coverage is also important for most companies, particularly those with information risk or privacy risk.
Customer and employee information can be sensitive, and breaches or violations that expose such data not only threaten the security of those compromised but also expose your business to liability.
Privacy liability coverage protects your company from those liabilities arising out of a cyber incident or privacy law violation. These third-party costs can range, for example, from liabilities under a contractual obligation all the way to regulatory investigations by governments and law enforcement.
Here are two examples of what privacy liability coverage covers:
- Defending your organization from consumer class action litigation and funding a potential settlement in the event of a cyber incident or data breach
- Legal expenses, fines, and/or penalties incurred due to a regulatory investigation by government or law enforcement, both federal and foreign. Imagine what would happen to your company if a foreign governmental body investigated and levied a penalty on your company for a privacy event or violation, especially with regulations such as GDPR or the upcoming enforcement of the California Privacy Rights Act (CPRA) granting consumers increased rights with regard to their personal information. Another cyber risk area is FTC privacy consent decrees and their respective fines or penalties.
Network Business Interruption
How dependent is your organization on technology to operate? Network business interruption coverage provides a solution for companies that face an operational cyber risk.
When your network or the network of a provider that you rely on to operate goes down due to an incident, you can recover lost profits, fixed expenses, and extra costs incurred during the time your business was impacted.
This includes loss arising from:
- Security failures, like a third-party hack
- System failure, such as a failed software patch or human error
Media liability provides coverage for intellectual property infringement, other than patent infringement, resulting from the advertising of your services. It often applies to both your online advertising, including social media posts, and your printed advertising.
Errors and Omissions
A cyber event could keep you from fulfilling your contractual obligations and delivering services to your customers. E&O covers claims arising from errors in the performance of or failure to perform your services.
This can include technology services, like software and consulting, or more traditional professional services like those provided by lawyers, doctors, architects, and engineers.
E&O coverage addresses allegations of negligence or breach of contract should this occur. It can include legal defense costs or indemnification resulting from a lawsuit or dispute with your customers.
When it comes to the impact of cyber risk on E&O claims, many companies are looking to address the aggregation of risk due to a failure of their service. Think of this as a cyber event causing your service to go down and all your customers being impacted at one time, as opposed to a single customer having a problem with your product or service. This aggregation of risk can add up quickly and requires a thoughtful approach to the amount of insurance you purchase.
The Best Cyber Insurance Is as Unique as You Are
A one-size-fits-all policy is rarely the best fit for most companies. It’s true that most cyber policies contain some combination of the above coverage elements, and in a well-brokered cyber insurance policy, the basic insuring agreements will be covered up to the full policy limits.
But beyond the basic insuring agreements, there are numerous available coverage additions that are more nuanced and provide better coverage, especially for new buyers and situations that are not already well understood.
These enhancements to a cyber insurance policy are not always available unless you know what to ask for, and if they are available, they are generally sublimited to an amount less than the full policy limit.
Here are just a few:
Those pesky phishing emails can do real damage to your cash flow. Social engineering coverage is designed to protect companies from funds transfer fraud situations. The most common example is an employee being duped into sending money from your bank accounts to a malicious hacker.
Social engineering coverage can also be found on most modern crime insurance policies, sometimes at higher sublimits and broader coverage than on a cyber-specific insurance policy.
It’s important to work with your broker to understand how cyber and crime insurance policies can work together on social engineering coverage to your benefit.
Reputational harm is the continuing profit impact of a cyber event due to brand reputation damage. This is usually limited to a specific period and includes aversion to a brand following a publicized cyber event, such as a privacy event or security breach.
This enhancement covers the replacement cost of technology equipment that is rendered useless by a malware attack. If your laptop or server becomes as useful to your corporate network as a masonry brick, you’ll know where to look for coverage.
Cyber Insurance: What’s Typically Not Covered
As with all insurance policies, there are exclusions that are important to understand.
Cyber insurance policies generally do not cover:
- Potential future lost profits
- Loss of value due to theft of your intellectual property
Be aware that just because you have other policies that may be activated in the event of a cyber incident, there are probably gaps around which damages they’ll actually pay. In fact, there are a number of lawsuits from companies against insurance carriers due to their cyber claims not being covered by non-cyber policies.
These lawsuits bring up the important concept of “silent cyber,” otherwise understood as traditional insurance policies such as property liability, general liability, or directors and officers insurance being silent on whether they will cover some of the consequences of a cyberattack.
Pandemic Developments: A Hard Market
Even before the pandemic, cyber insurers were tightening their underwriting guidelines and asking for more details to better understand the risk they were insuring. Whether it is details on backup procedures or questions on specific security controls in place, companies looking for cyber insurance can expect a more rigorous underwriting process.
After the pandemic hit, entire workforces migrated from working in an office, where cyber security was more controlled, to working from home. This presented immediate challenges, as cybercriminals took advantage of new security and human vulnerabilities. Major challenges included bandwidth and insecure connectivity; employee access issues; and phishing, social engineering, and other “human” cyber risks.
Fortunately, cyber insurance was there each step of the way. Policies have responded due to broad coverage language for incidents both big and small, whether it involved network outages, data breaches, financial fraud, or ransomware.
In fact, cyber insurance policies have been responding so often that cyber insurance carriers are now facing unprecedented losses under these policies. This has resulted in a hard market, including higher prices, closer scrutiny of security controls, or limitations on coverage in the form of co-insurance or sublimits for ransomware.
Today the cyber insurance market has advanced from a very niche risk transfer tool to a critical requirement for enterprise risk management. Not all cyber insurance policies are created equal, and having an insurance broker trained in the nuance of this line of insurance can be a valuable partnership for any business.
Why Manage Your Cyber Insurance with Woodruff Sawyer?
We’re experts in cyber insurance. Our dedicated team of cyber risk experts constantly evaluates the latest threats and negotiates with carriers to drive improvements in cyber coverage.
But many are left wondering: What’s actually covered by cyber insurance? Our team can help make sense of the basics included in every policy and where coverage can be expanded and enhanced for your particular needs.
Our team also guides organizations beyond cyber insurance coverage; we believe a healthy cyber approach addresses all aspects of your cyber risk—before, during, and after possible attacks.
We take a personalized approach to serving every client. When you become our client, we become your champion. Your dedicated team of specialists will advocate fiercely for you and tackle your unique problems.