An Introduction to Cyber Insurance for Businesses

Do you own or manage a business? Does your business use computers? Do those computers store data such as social security numbers, credit card numbers, driver’s license numbers, medical records, or other confidential information?

If you answered "yes" to these questions, your business probably needs cyber insurance. And this is true regardless of the size of your business—small businesses are subjected to phishing and other types of online attacks almost as often as large businesses.

What Does Cyber Insurance Cover?

Cyber insurance—sometimes known as cyber risk insurance or cyber liability insurance coverage (CLIC)—typically covers these four items:

Investigation

If your system is hacked, you will want to know how the breach occurred so that you can protect against similar types of attack in the future. While an investigation might be conducted by the FBI or other law enforcement agencies, you should consider hiring a private computer security firm to investigate the attack and advise you on the steps you should take.

Business Losses

Your system could be down as a result of the breach and the subsequent investigation. A good policy will cover you for losses due to downtime, costs associated with lost data recovery, and costs related to repair of reputation.

Notification and Monitoring

In some circumstances, you might be required by law to notify customers and other parties whose data has been stolen. And even if you are not legally required, you might want to do this to maintain the goodwill and loyalty of your customers.

Some states also require credit monitoring for customers whose credit information has been lost.

Lawsuits and Extortion

The attack itself might not be the end of your troubles. You might be sued by customers, be fined by governmental agencies, or be the subject of attempted extortion by the hackers. Your cyber insurance policy should provide some coverage in these events (see Insurance and Lawsuits to find out what happens when you are sued).

If you have suffered identity fraud as the result of a breach, your policy may also provide coverage to allow you to recover your identity and restore your credit history (to learn about separate coverage for identity theft, see Identity Theft Insurance: Is It Worth the Price?). Repairs to computer systems are often also covered, though these might also be covered under your comprehensive general liability (CGL) policy.

What to Look for in Cyber Insurance Policies

Cyber insurance has only been in existence for a little over a decade and is still evolving. Policies, then, can vary significantly across insurance companies. Given all of the variations, shopping around is highly recommended. Here are some of the things you should be asking yourself when evaluating policies:

• Is the cyber policy stand-alone or part of some other type of insurance, such as E&O (errors & omissions) insurance? Stand-alone policies are generally better, since they indicate that the insurer has given more thought to carefully writing the coverage provisions.
• What deductibles apply and how big are they?
• Does the insurance cover the first party only (that’s you) or does it cover first and third parties (the second party is the injured person, such as your customer)? If you (the first party) are sued by a customer (the second party) as a result of a breach, does the insurance provide coverage for third party negligence? Third party coverage can protect you from certain liabilities in the event of a breach. In these situations, the third party might be a computer technician you hired to install your system. If the technician doesn’t have insurance, or is no longer to be found, you could be held liable for their negligence in installing your system. If your policy provides coverage for third-party negligence, you will covered under these circumstances.
• Are both social engineering and network attacks covered? Social engineering attacks often come in the form of phishing, which occurs when someone misrepresents themselves over e-mail or social media in order to elicit confidential information, such as account numbers or login details, from you or one of your employees. Network attacks are direct attacks on the system, including denial of service attacks, browser attacks, and botnet attacks. Read the exclusions carefully so you can be sure that you are covered in either case.

Your CGL Policy Probably Doesn't Cover Cyber Attacks

Note that your CGL policy almost certainly does not cover you in the event of a cyber breach, with the possible exception of damage to your computers. CGLs almost always cover property damage only. Investigation, business losses, notification and monitoring, and lawsuits and extortion are likely to fall outside the scope of your coverage.

Compare Cyber Insurance Policies

As is set out above, cyber policies can vary significantly among insurance companies. Take a look at no less than three or four of them so you can get a good sense of your options. Notice what is covered, what is excluded, what the deductibles are, and what the premiums are. Think carefully about what kind of coverage your business needs, how much you can afford to pay, and, importantly, how much you stand to lose if you aren't adequately covered.