In their recent Regional Risks for Doing Business 2019 report, the World Economic Forum listed cyber attacks as the top risk for businesses in both North America and Europe. For years, we at Woodruff Sawyer have talked about how nearly every company—large, small, in healthcare, technology, manufacturing, and more—has a cyber risk. And almost every day now, we learn about yet another cyber security incident.
While in its early days, cyber insurance coverage was offered through either expensive, highly manuscripted policy forms or cheap, sub-limited endorsements to other policies, today the cyber insurance market has advanced from a very niche risk transfer tool to a critical requirement for enterprise risk management.
And yet, many clients still ask us some version of the question: What exactly is covered in a cyber insurance policy? Some companies even wonder if cyber risk is insurable.
The good news is that yes, cyber risk is insurable. Here’s how cyber insurance works:
What Cyber Insurance Covers
Every company faces cyber risk, no matter their size. But the bigger you are, the more areas of vulnerability you have. In the Woodruff Sawyer Cyber Liability Buying Guide, we identify the most prominent cyber risks as privacy risk, information risk, and operational risk. Generally, cyber insurance is designed to protect your company from these primary risks through five distinct insuring agreements: network security, privacy, interruption to your business, media liability, and errors and omissions. In particular, network security and privacy liability can include both first-party and third-party costs. Let’s go into each element and what specific cyber risk it covers.
A Network Security coverage grant is important for most companies, including those subject to information risk and privacy risk. This aspect of cyber insurance covers your business in the event of network security failure; which can include a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise. Network security coverage includes first party costs––expenses that you incur directly as a result of the cyber incident, including:
- Legal expenses
- IT forensics
- Negotiation and payment of a ransomware demand
- Data restoration
- Breach notification to consumers
- Setting up a call center
- Public relations expertise
- Credit Monitoring and Identity Restoration
Privacy Liability coverage is also important for most companies, particularly those with information risk or privacy risk. Customer and employee information can be sensitive and breaches or violations that expose such data not only threaten the security of those compromised, but expose your business to liability. Privacy Liability coverage protects your company from those liabilities arising out of a cyber incident or privacy law violations. These third-party costs can arise, for example, from liabilities required in a contractual obligation, all the way to regulatory investigations by governments and law enforcement. Here are two examples:
- Defending your organization from consumer class action litigation and funding a potential settlement in the event of a cyber incident or data breach
- Legal expenses, fines, and/or penalties incurred due to a regulatory investigation by government or law enforcement; both federal and foreign. Imagine what would happen to your company if a foreign governmental body investigated and levied a penalty on your company for a privacy event or violation , especially with new regulations such as GDPR and CCPA granting consumers increased rights with regard to their personal information. Another cyber risk area is FTC privacy consent decrees and their respective fines or penalties.
Network Business Interruption
How dependent is your organization on technology to operate? Network business interruption coverage provides a solution for companies that face an operational cyber risk. When your network, or the network of a provider that you rely on to operate, goes down due to an incident, you can recover lost profits, fixed expenses and extra costs incurred during the time your business was impacted. This includes loss arising from:
- Security failures, like a third-party hack
- System failure, such as a failed software patch or human error.
This provides coverage for intellectual property infringement, other than patent infringement, resulting from the advertising of your services. It often applies to both your online advertising, including social media posts, as well as printed advertising.
Errors and Omissions
A cyber event could keep you from fulfilling your contractual obligations and delivering services to your customers. E&O covers claims arising from errors in the performance of or failure to perform your services. This can include technology services, like software and consulting, or more traditional professional services like lawyers, doctors, architects, and engineers. E&O coverage addresses allegations of negligence or breach of contract should this occur, and can include legal defense costs or indemnification resulting from a lawsuit or dispute with your customers.
The Best Cyber Insurance Is As Unique As You Are
A one size fits all policy is rarely the best fit for most companies. It’s true that most cyber policies contain some combination of the above coverage elements; and in a well-brokered cyber insurance policy, the basic insuring agreements will be covered up to the full policy limits.
But beyond the basic insuring agreements, there are numerous available coverage additions which are more nuanced, and provide better coverage––especially for new buyers and situations that are not already well understood. These enhancements to a cyber insurance policy are not always available unless you know what to ask for; and if they are available they are generally sub-limited to an amount less than the full policy limit. Here are just a few:
Those pesky phishing emails can do real damage to your cash flow. Social engineering coverage is designed to protect companies from funds transfer fraud situations. The most common example is an employee duped into sending money from your bank accounts to a malicious hacker. Social engineering coverage can also be found on most modern crime insurance policies, sometimes at higher sub-limits and broader coverage than on a cyber-specific insurance policy. It’s important to work with your broker to understand how a cyber and crime insurance policy can work together on social engineering coverage to your benefit.
Reputational harm is the continuing profit impact of a cyber event due to brand reputation damage. This is usually limited to a specific time period and includes aversion to a brand following a publicized cyber event, such as a privacy event or security breach.
This enhancement covers the replacement cost of technology equipment which is rendered useless by a malware attack. If your laptop or server becomes as useful to your corporate network as a masonry brick, you’ll know where to look for coverage.
Cyber Insurance: What’s Not Usually Covered
As with all insurance policies, there are exclusions which are important to understand. Cyber insurance policies generally do not cover:
- Potential future lost profits
- Loss of value due to theft of your Intellectual Property
- Betterment: the cost to improve internal technology systems, including any software or security upgrades after a cyber event
Be aware that just because you have other policies that may be activated in the event of a cyber incident, there are probably gaps around which damages they’ll actually pay. In fact, there are a number of lawsuits from companies against insurance carriers due to their cyber claims not being covered by non-cyber policies. These lawsuits bring up the important concept of Silent Cyber – otherwise understood as traditional insurance policies such as property liability, general liability, or directors and officers insurance being silent on whether they will cover some of the consequences of a cyber attack.
Want To Know More About Cyber Insurance?
- Check out our Cyber Buying Guide to learn more about the process of buying cyber insurance.
- Contact our National Cyber Practice Leader, Dan Burke.
- Read more on all things Cyber Liability in our blog.
- Sign up for our newsletters to learn more.
- Meet us in person at a cyber insurance event.
- Learn about Woodruff Sawyer’s cyber services, beyond insurance.
Why Manage your Cyber Insurance with Woodruff Sawyer?
We’re experts in cyber insurance. Our dedicated team of Cyber Risk experts constantly evaluates the latest threats and negotiates with carriers to drive improvements in cyber coverage. But many are left wondering: What’s actually covered by cyber insurance? Our team can help make sense of the basics included in every policy and where coverage can be expanded and enhanced for your particular needs. Our team also guides organizations beyond cyber insurance coverage; we believe a healthy cyber approach addresses all aspects of your cyber risk—before, during, and after possible attacks.
We take a personalized approach to serving every client. When you become our client, we become your champion. Your dedicated team of specialists will advocate fiercely for you and tackle your unique problems. It’s clear that clients value our service philosophy, because our 2018 Net Promoter Survey® (NPS) score is 83.1%, which is considered world-class in service and puts us on par with the nation’s top corporations and service leaders in any industry.
About Woodruff Sawyer
Great companies know that innovation requires risk. At Woodruff Sawyer, we’ve been insuring innovation for over 100 years. Our mission is simple: to provide our clients with deep expertise, thoughtful counsel, and fierce advocacy. We protect your people and your assets by identifying and mitigating your risk and reducing your costs.
We’re one of the largest insurance brokerage and consulting firms in the US. Working as an extension of your team, we tailor your program and coverage based on truly knowing you and your business. You’ll get access to experts with decades of experience, as well as proprietary data that empowers you to make decisions with confidence. If a claim does occur, you’ll have strong advocates with a specialized claims team to help drive the best result. Because when you win, we win.
Our combination of expertise, advocacy, stability, and service has earned us one of the highest client satisfaction rankings in our industry. It’s also the reason why thousands of companies choose us as their long-term partner.