Who is cyber insurance coverage for?

We strongly encourage all our clients to consider the value of cyber insurance, especially if they handle or use digital information.

One of the first topics we cover with many new cyber insurance buyers is the business’ regulatory or contractual responsibility with regards to customers’ personal information. If your business stores customers data such as names, addresses, credit card information, Social Security numbers, and more, on any type of computer system on or offline, then there is a regulatory obligation to keep that data secure, and therefore, a higher price tag in the event of a breach.

Many are surprised to learn the real costs associated with a breach. In 2024, the average global cost of a data breach was $4.8 million, according to IBM’s 2024 Cost of a Data Breach Report, which interviewed more than 600 organizations around the world.

On top of that, the study showed that 60 percent of the businesses that were polled said that attacks are becoming more severe and more sophisticated each year.

Cyber coverage is essential for businesses of all sizes and across various industries. Here are some examples of businesses that may benefit from cyber insurance, including startups and small businesses:

• Startups and tech companies: Startups and technology companies often handle sensitive customer data, develop innovative technologies, and rely heavily on digital systems. They are particularly vulnerable to cyber threats due to their digital infrastructure and may face significant financial and reputational risks if a cyber incident occurs. Cyber coverage can help mitigate these risks.
• Financial institutions: Banks, credit unions, insurance companies, and other financial institutions handle large volumes of sensitive customer data and financial transactions. They face risks such as unauthorized fund transfers, identity theft, and ransomware attacks. Cyber insurance can help mitigate financial losses and assist in regulatory compliance.
• Professional services firms: Law firms, accounting firms, consulting companies, and other professional services firms often deal with confidential client information. They may be targets for cyber attacks aimed at stealing client data or intellectual property. Cyber insurance can provide coverage for legal expenses resulting from data breaches, privacy violations, or client claims.
• Small and medium-sized enterprises (SMEs): Small businesses may mistakenly believe that they are less likely to be targeted by cyberattacks. However, SMEs are increasingly becoming targets because they often have fewer cybersecurity resources and are seen as entry points to larger networks. Cyber coverage can help small businesses recover from the financial impact of cyber incidents.
• Healthcare providers: The healthcare industry is a prime target for cyberattacks due to the abundance of valuable patient health records and sensitive personal information. Healthcare providers, including hospitals, clinics, and private practices, should consider cyber insurance to protect against the costs associated with data breaches, regulatory penalties, and potential lawsuits.
• Law firms: Cyber insurance enables law firms to successfully negotiate the complicated aftermath of a cyberattack and reduce the damage on their operations and reputation by reducing financial risks and offering professional guidance. It can pay for the costs of prospective lawsuits, credit monitoring services, legal fees, data breach response, forensic investigations, notification to affected parties, and legal costs. Additionally, ransomware payments, regulatory fines, and business interruption losses may all be covered by cyber insurance. Visit our Lawyers Professional Liability page to learn more.

It’s important for businesses to evaluate their specific risks and consult with an insurance professional to determine the appropriate level of cyber coverage needed. Factors such as the nature of the business, volume of sensitive data, reliance on technology, and industry regulations should be taken into consideration when assessing the necessity and extent of cyber insurance coverage.

Does it sound like your business needs better coverage? Tell us more about your business to get your cyber insurance quote in under 10 minutes.

Additionally, if your business’s revenue stream has any contact with European consumers or businesses, then the recently implemented General Data Protection Regulation (GDPR) likely applies to you. Many US-based businesses have already taken measures to be GDPR compliant but that doesn’t mean your insurance has followed suit.

Why do you need it?

Unsurprisingly, cyber insurance emerged onto the insurance scene recently as a result of the fact that other traditional business insurance policies were simply not created to cover the types of risks most commonly associated with cyber insurance.

Therefore, many insurance experts will argue that cyber insurance policies are still in their infancy and a lot of work needs to be done when it comes to standardizing coverage and making sure that insurance carriers are able to support the needs of modern businesses. Not only that, education is important in order for businesses to understand the threat of cyberattacks and the seriousness of these types of threats (related: read our guide on cyber threat modeling).

A very recent report from insurers Hiscox claims that seven out of 10 firms do not have a quality cybersecurity strategy in place.

There is, however, no doubt that the cyber insurance space will continue to grow rapidly and offers will certainly be expanded and customized. Also, as is the case with most other types of insurance offers, cyber insurance policies are evolving towards more industry-specific solutions and becoming less general.

What does cyber insurance cover?

Cyber insurance is as dynamic as the companies it protects and is consequently far from standardized. However, some of the issues that cyber liability insurance typically covers include:

• Data loss, recovery, and recreation: Data loss refers to the accidental or intentional loss, corruption, or unavailability of important data caused by a cyber incident. Recovery involves locating and restoring lost data from backups or other means, while recreation entails reconstructing data that cannot be fully recovered from existing sources. Insurance may cover the costs of recovering lost data, restoring systems, and any related business interruption expenses.
• Business interruption/loss of revenue due to a breach: A financial impact and disruption to normal business operations caused by a cybersecurity breach, resulting in a loss of revenue or interruption in business activities. Coverage may include the costs associated with investigating and responding to a data breach, notifying affected individuals, and providing credit monitoring.
• Loss of transferred funds: Cyber insurance may cover financial losses resulting from a cyber incident that disrupts business operations, including revenue loss and extra expenses incurred to restore operations.
• Computer fraud: Computer fraud often involves social engineering techniques, where attackers manipulate individuals within an organization to gain access to sensitive information or perform fraudulent activities. This can include phishing emails, impersonation, or pretexting. Cyber insurance may offer coverage for losses resulting from social engineering attacks, such as funds transferred based on fraudulent instructions received via email or phone.
• Cyber extortion: Threats of data disclosure resulting in reputational damage, DDoS attacks disrupting systems, blackmail and extortion attempts using stolen information, threats of system manipulation or destruction, and doxing, which exposes personal information to harm or extortion, are just a few of the risks associated with cyber extortion. Policies may provide coverage for expenses incurred due to cyber extortion including ransom payments, negotiation costs, and legal assistance.
• Network security liability: Legal responsibility and potential financial consequences that an organization may face due to inadequate network security measures, leaving vulnerabilities that can be exploited by malicious actors. Claims arising from unauthorized access to, or use of, computer systems, networks, or electronic data, may result in financial losses for third parties.
• Privacy liability: The unauthorized disclosure or misuse of personally identifiable information (PII) or protected health information (PHI), which may result in legal actions, regulatory fines, or settlements. This risk includes the potential for legal actions, regulatory fines, and reputational harm as a result of breaking privacy or data protection rules.
• Multimedia liability: The risk of legal claims and financial losses arising from the insured organization’s cybersecurity practices or breach of privacy obligations related to multimedia content, such as unauthorized use, infringement of intellectual property rights, defamation, or invasion of privacy through digital media.

Important Note: Errors and omissions insurance is not cyber insurance and cannot serve as a substitute for proper cyber insurance, even if the E&O policy has a technology error rider.

If hackers expose or steal personal information, such as Social Security numbers, driver’s license number (in some states), address, and bank account information, a cyber liability insurance policy pays for:

• Notification costs: This expense is significant because the company bears the burden of both identifying potential victims, which requires an internal investigation and providing notification that’s reasonably calculated to give actual notice.
• Credit monitoring: In effect, your cyber insurance policy pays for victims’ insurance policies. Regulators usually dictate the kind of credit monitoring to provide and it’s a safe bet they will not be satisfied with the cheapest available protection.
• Civil damages: Most of these liability lawsuits are class actions, with hundreds of thousands of dollars in damages at a minimum, even for a very small company.
• Computer forensics: This covers costs to hire computer forensics consultants working under the direction of your attorneys to determine whether a data breach occurred, to contain and prevent further damage, and to investigate the cause and scope of the breach.
• Reputational damage: Data breaches can have profound PR implications for any business. A preferred policy will help you handle the potential fallout by covering the damages stemming from brand aversion due to a cyber incident for a certain amount of time after the breach. It can also help mitigate the potential cost by paying PR management experts.

First-party coverage vs. third-party coverage

In today’s interconnected world, the risk of cyber incidents is ever-present, and organizations need to protect themselves against potential financial losses, legal liabilities, and reputational damage. Businesses have options when it comes to their cyber insurance, including first-party versus third-party coverages.

First-party coverage protects the insured organization itself against direct losses and expenses resulting from a cyber incident. It primarily addresses the financial impact on the policyholder’s own operations, assets, and reputation.

Third-party coverage is designed to protect the insured organization against claims made by external parties as a result of a cyber incident. It focuses on addressing the legal liabilities and financial consequences arising from the insured organization’s cybersecurity or privacy obligations.

Types of losses covered

First-party coverage primarily focuses on reimbursing the policyholder for its own financial losses and expenses incurred due to a cyber incident. This can include costs associated with:

• Incident responses are the organized and coordinated action taken by businesses to manage and lessen the effects of a cybersecurity incident.
• Data recovery is the process of finding and restoring data that has been lost, compromised, or encrypted that has been impacted by the attack.
• Business interruption is used to describe how a cybersecurity issue has caused a disruption to or end to routine company activities.
• Reputational harm refers to the disruption or cessation of normal business operations as a result of a cybersecurity incident.

Third-party coverage covers legal liabilities and financial losses resulting from claims made by third parties. This can include costs related:

• Legal defense
• Settlements
• Regulatory fines
• Damages awarded to affected individuals or entities

Policyholder perspective

• First-party coverage, from the policyholder’s perspective, helps mitigate the financial impact and operational disruptions caused by a cyber incident. It assists in minimizing direct financial losses and facilitating a quicker recovery of business operations.
• Third-party coverage provides peace of mind to the policyholder by protecting against potential legal claims and liabilities arising from a cyber incident. It helps safeguard the insured organization’s reputation and provides financial support for legal defense and potential settlements.

Legal and regulatory compliance

• First-party coverage does not directly address the insured organization’s legal and regulatory obligations, but it can assist in meeting compliance requirements indirectly by covering the costs associated with incident response and data breach notification.
• Third-party coverage is more closely aligned with legal and regulatory compliance obligations. It helps protect the insured organization against liabilities arising from non-compliance with privacy regulations, data protection laws, and other applicable cybersecurity requirements.

It’s important to note that first-party and third-party cyber coverage are often complementary, and organizations may choose to have both types of coverage to ensure comprehensive protection against cyber risks.

Cyber insurance providers also have a duty to defend policyholders from related administrative actions or liability lawsuits. For instance, cyber insurance will offer privacy liability coverage. This coverage is important for most companies, particularly those storing sensitive customer and employee information on their networks. Breaches that expose such information not only compromise those affected, but may expose your business to liability lawsuits from victims of such cyber incidents. Also, it will provide coverage in cases where you’re alleged to have violated privacy laws.

Additionally, most policies also provide resources that help policyholders design cost-effective and robust security and data encryption protocol. To further minimize liability risk, consider addressing BYOD (bring your own device) procedures.

What’s not covered?

Like most coverages, there are certain exclusions that a cyber policy usually will not cover.

The policy will not respond if you are sued for any potential vulnerabilities in your systems before a breach occurs.

Most notably, cyber insurance policies will typically not reimburse you for future profits lost due to a cyberattack or data breach.

If you fear losses due to theft of your intellectual property, you’ll have to look towards a specifically tailored intellectual property insurance policy. Additionally, allegations that the policy holder’s patents infringe upon those of a third party will also not be afforded coverage.

If an agent of a foreign power causes the breach, the coverage can be denied under the acts of war exclusion.

Additionally, the cost to improve your security and technology systems after an attack will not be included in most policies (make sure to read our guides on how to respond to cyber attacks and how to recover from a cyber attack).

When considering whether you’ll be covered for cyber-related exposures it’s crucial to understand the concept of “Silent Cyber.” Many traditional insurance policies, most notably general liability insurance (CGL), weren’t designed with cyber risks in mind. This means that they don’t have precise language either implicitly including or excluding cyber exposures. However, in practice this means that CGL policies generally won’t cover cyber liability — and if they do, the coverage will be minimal at best.

It’s also important to note that social engineering attacks can be considered a special case. Social engineering refers to attacks that rely on psychological manipulation to gain access to sensitive information or funds. Victims following instructions from fraudulent emails or calls is not considered a computer system breach. Therefore, a special policy social engineering extension needs to be added to the Cyber insurance.

What does cyber insurance cost?

It’s best to shop for this type of insurance by coverage as opposed to cost. Your company’s sophistication and ability to avoid an incident and coverage limit are the two biggest factors in determining premium costs, as well as revenue and number of unique PII or PHI records stored or maintained on the insured’s systems. You can read more in our full guides on cyber insurance costs and how much cyber insurance you need.

The good news for those seeking cyber coverage is that the insurance market is a buyers’ market in 2019. There are several dozens of insurers that are competing for your business.