Should You Get Cyber Insurance? [Explained]

Cyber insurance coverage mitigates financial loss in the event that your company's data is stolen or otherwise compromised. It's an important commercial insurance coverage for any company that handles sensitive data or utilizes digitally connected systems.

Not sure if your organization needs it? Keep reading! We’ll help you decide.

Why Seek Out Cyber Insurance Coverage?

As companies go completely digital, hosting sensitive data on cloud servers and doing business with Software as a Service (SaaS) apps, they naturally open themselves up to new potential security weaknesses. Hackers, in turn, are exploiting those weaknesses, hijacking sensitive data and blocking access to apps and hardware. 

Along with the cost of interrupted business, organizations that fall victim to cyber attacks are often also asked to pay steep ransoms for access to their systems and are liable for stolen customer or employee data. Perhaps the best example of this is the recent attack on Change Healthcare.

As of this writing, the fallout from a ransomware attack on Change Healthcare, a major U.S. health insurance billing system, is still rolling, with a massive $14B billing backlog, disruptions to the stability of hospital and prescription services across the US, and a whole host of investigations into the incident. Some evidence implies that Change Healthcare may have additionally paid their hackers a $22 million dollar ransom.

The Change Healthcare attack is a uniquely catastrophic example of what happens when a business loses access to its digital systems, one that underscores the importance of preparedness – and cyber insurance – for organizations that deal in data.

Cybersecurity Insurance: A Quick Breakdown

You can usually get cyber insurance as a standalone package or as an add-on to a larger business owner’s policy. What exactly is covered will depend on the policy, so it’s important to carefully read through the plan’s documentation before committing. That said, you can typically expect coverage for a few specific things based on the type of cyber insurance you’re purchasing.

First-party coverage (data breach insurance) will typically cover expenses associated with…

• Restoration and recovery of lost or damaged data.

• Lost revenue due to interruptions in business.

• Ransoms/extortion costs.

• Threat response and investigative services to assess damages or halt ongoing attacks.

• Risk assessments to prevent incidents.

• Credit monitoring services for customers and clients and notification costs, which cover any expenses accrued in the process of notifying customers of a data breach.

Third-party (liability) coverage will typically cover…

• Legal fees, settlement costs, and court judgments if your organization is sued as a result of a data breach or other cybersecurity incident.

• Legal fees and settlement costs in the event that your organization becomes liable for copyright violations, such as the loss or exposure of intellectual property.

• Fines for non-compliance with laws and regulations regarding data privacy.

What Does Cyber Insurance Not Cover?

Having cybersecurity insurance does not necessarily provide blanket protection for all data breaches and “hacking” incidents. Of course, the exact coverage will depend on the policy, but there are a few things that cyber insurance typically does not cover:

• The cost of preventative measures like employee training and security software.

• Costs of interrupted business, lost data, or damaged hardware that were caused by network failure or other issues, rather than a cyber attack.

• Costs associated with repairing or replacing hardware damaged in a cyber attack, although this may depend on your plan.

• Intellectual property losses and income losses related to them are generally not covered. However, your organization may still be liable if a client or customer’s intellectual property is stolen.

• Social engineering incidents. Phishing scams and other person-to-person attempts on systems or data may not always be covered by a policy.

• Breaches caused either internally, by malicious or negligent employees, or externally, by vendors generally will not be covered by a cyber insurance policy. Instead, a commercial crime policy may be necessary.

• Attacks that target vulnerabilities that the company knew existed and didn’t address.

• State-sponsored attacks – when a foreign nation launches a cyber attack, they are generally not covered.

How Much Does Cyber Insurance Cost?

The cost of insurance will vary based on the policy limits purchased/deductible amount and your current cyber controls. Annual cyber premiums can start as low as $1,000.

Is Cyber Insurance Right for My Business?

Who needs cyber insurance the most? If your organization has an online presence or collects customer data or sensitive information like payment information, contact details, or social security numbers, your organization could be vulnerable to an incident. Should any of the data you’ve collected become compromised, this could pose a serious financial risk to your company.

Still not sure? Here are some business factors that may point to cyber insurance being a good idea:

• Your organization stores sensitive client, customer, patient, or employee data either in cloud storage or in on-site hardware.

• Your organization provides a digital or technology product or service, such as IT or specific software.

• Your business uses cloud storage or cloud computing, SaaS (Software as a Service) apps, or internet-enabled (Internet of Things/IoT) hardware to do business.

• Your organization may have difficulty covering the costs of legal fees or fines in the event of a data breach.

• Your organization accepts credit card payments.

Finding a Cyber Insurance Policy That Fits Your Needs

Finding a good policy starts with an assessment of your own needs. You’ll need to evaluate potential risks—for example, while most companies do need at least some protections, not every company will need comprehensive policies like global coverage—and consequences your organization may not be able to cover on its own. For instance, liability coverage for privacy breaches may well be necessary, but coverage for copyright breaches may not.

Once you understand where you are vulnerable, it’s time to acquire a policy customized to your needs. Good coverage will come with clear language to help you avoid coverage loopholes, offer 24/7 support, and cover a variety of breaches and attacks.