A Business Owner’s Guide to Cyber Insurance

A Business Owner’s Guide to Cyber Insurance

October 30, 2023

The internet has allowed businesses to grow in ways that would have been impossible in the past. Unfortunately, it has also introduced new types of crime. Recent statistics show that over 2,200 cyberattacks happen every day. Small businesses are prime targets because many don’t have strong cybersecurity defenses. And hackers know small companies often provide products or services to large corporations, so infiltrating a small company’s IT system can give them access to a large company’s data.

Even large companies aren’t immune to data breaches. Many multinational corporations have been hacked. Here are some real-life examples:

In 2021, hackers hit Colonial Pipeline, the largest oil pipeline in the U.S. The attack shut down the pipeline for days, leading to fuel shortages and panic-buying throughout the Eastern U.S. The company reportedly paid nearly $5 million to the hackers to restore its operations.

In 2023, a ransomware gang exploited a known flaw in a widely used enterprise file transfer service, MOVEit. They initiated unauthorized file transfers and stole data from over 2,500 MOVEit customers. These included government, public and private organizations worldwide.

According to anti-malware company Emsisofit, the most impacted industries are:

  • Education (41.3%)
  • Health care (19.2%)
  • Finance and professional services (11.7%)

No matter your industry, you need cyber liability insurance if you use the internet for your business. Read on to learn more about cyber risk and how to protect your business.

How are cyberattacks discovered?

You may not realize a hacker has accessed your systems until months later. According to IBM’s Cost of a Data Breach Report 2023, data breaches were identified in the following ways:

  • By a benign third party or outsider (40%)
  • By internal security teams and tools (33%)
  • By an attacker as part of a ransomware attack (27%)

And in 25% of the malicious attacks reported, the victim’s computer systems were inoperable. In any case, repairing the damage after an attack will be difficult, time-consuming and expensive.

How might a cyberattack affect your business?

The consequences of a cyberattack vary depending on the severity of the attack, the time it takes to discover the breach and the data exposed.

If you suffer a ransomware attack, you will have to decide between giving a hacker thousands or millions of dollars and losing all your valuable data. And you can’t guarantee you’ll get your data back even if you pay the ransom.

Then you’ll need to hire a cybersecurity team to identify and remove malware from your system. You may even have to buy new IT equipment. You can expect days of immediate downtime after an attack, directly impacting your sales and services. Morale could suffer as employees struggle to do their jobs while the IT system is being repaired. And the hit to your reputation can last for years.

Legally, you'll have to notify customers, suppliers and business partners if their data was compromised. Many people may decide not to work with you anymore because of the attack. If local journalists publish news of the attack, it could deter potential customers from working with you.

You’ll probably face legal action from affected individuals. And if you’re in the medical industry, you could face fines for Health Insurance Portability and Accountability Act (HIPAA) violations.

It could take years to recover from a cyberattack. Some businesses never do.

What is cyber insurance?

Regular business insurance policies don't cover damage caused by cyberattacks. Enter cyber insurance.

Cyber insurance covers damage caused by criminal hacks and data theft. How much coverage you will get depends on the policy and the deductible you set. Here’s what you can expect from a cyber liability insurance policy.

First-party cyber coverage

First-party cyber insurance protects your business from the fallout of a cyberattack. There are several ways to customize a cyber insurance policy. For example, your policy could cover the following:

  • Investigation of the attack. You need to know how the hacker breached your system. Was it an employee error? Did the attack come from a third-party vendor with poor cybersecurity? Or did an employee working from Starbucks use an open network that allowed cybercriminals to access your system? First-party cyber insurance will enable you to hire a cybersecurity company to investigate the incident. It will also cover the removal of malware from your system and a risk assessment to determine the likelihood of future cyberattacks.
  • Legal assistance. Your legal obligations in the wake of a cyberattack vary depending on your geographic location. For instance, in Illinois, you have to notify the state attorney general if the breach compromised more than 500 records of Illinois citizens. And companies in the health care industry have additional reporting requirements under HIPAA. Given the legal nuances, you might find it difficult to navigate your obligations after a cyberattack. Thankfully, first-party coverage provides the financial resources you need to hire one or more lawyers for the job.
  • Credit monitoring. Massachusetts, California, Connecticut, Delaware and New York require companies that have been breached to provide free credit monitoring or identify theft protection to affected third parties. Even if you aren’t legally required to offer these services to customers, you should as a goodwill gesture. First-party cyber insurance will pay to protect consumers from fraud and loss.
  • Ransom funds. This form of insurance pays for ransoms. However, most policies have a set limit on how much they will pay. If the limit is lower than the hacker's demands, you would need to pay the rest out of pocket.
  • Data recovery. Ransomware, malware, worms and SQL injections (injecting computer applications with malicious code) can cause the loss or corruption of important files. First-person cyber insurance will pay for an IT company to recoup the data.
  • Business interruption or loss of revenue. A cyberattack can disrupt your business. When your company's systems aren’t accessible, workers can't do their jobs and you can't make sales. But you still have to pay salaries and overhead expenses. This type of policy provides the funds you need to keep your business operational while you repair or upgrade your systems. Remember that standard business interruption only kicks in when there’s a physical property loss. Even if you already have standard business interruption coverage, you’ll also need to add business interruption to your cyber policy.
  • Public relations. A data breach can wreak havoc on your reputation. First-person cyber insurance will pay for a public relations campaign to rebuild your brand. You can also use the money to hire a reputation management firm to boost your standing with the public.
  • Government inquiry costs, fines and penalties. You may face a state or federal inquiry into the attack. In such an instance, third-party cyber insurance will cover the costs of responding to the inquiry. It will also cover fines and penalties up to a predetermined limit.

Third-party cyber coverage

Third-party cyber insurance addresses fines and legal action brought by other individuals or organizations. It covers:

  • Additional legal costs. You’ll need to hire a lawyer to defend your company in court, settle a lawsuit brought by a third party, or represent your company when dealing with government officials. Legal help can resolve matters faster and more efficiently, and this type of insurance policy will cover the costs.
  • Third-party monetary losses. Third-party cyber insurance helps if your business can’t deliver on its obligations, products or services because of a cyberattack. Clients might sue you for their monetary loss due to the incident. Talk to your agent about supply chain insurance to broaden your protection.
  • Settlement costs and court-ordered damages. Third-party cyber insurance provides money for settlements and court-ordered damages. If you settle, you can quickly compensate affected third parties. If the case goes to trial and you’re found liable for the attack, it will cover court-ordered damages. Your policy will pay up to the limit of your policy. If the settlement or court-ordered damages exceed the policy’s limit, you’ll end up paying the difference out of pocket.

Technology errors and omissions insurance

Technology errors and omissions (E&O) insurance is sold as a separate policy. This type of policy is for companies offering IT-related products or services, such as software manufacturers, IT technicians and website designers.

A tech E&O policy covers you if you or one of your employees makes a mistake and a client suffers a cyberattack as a result. For example, if a website you designed gets hacked, your client could sue you. It covers legal fees, court costs, settlements and judgments. A tech E&O policy covers mistakes you make while doing your job but doesn’t cover damage caused by cyberattacks. For example, if a hacker steals data from your computer networks and uses it to breach a client’s account, your tech E&O policy wouldn’t respond. You’d look to your cyber liability insurance policy for help.

What doesn’t cyber insurance cover?

Cyber insurance has much to offer. Even so, it won't cover:

  • Social engineering attacks. Cyber insurance doesn't cover damage caused by social engineering attacks, such as baiting, phishing and fraudulent emails. For example, say a hacker poses as a company executive and tricks an employee into wiring funds to a bank account. Cyber insurance wouldn’t cover the lost funds or the cost of checking IT equipment for a breach. Ask your agent about social engineering coverage (for outside attacks) and commercial crime insurance (for insider attacks) and if you can add it. Each insurance company is different and might have coverage limits and exclusions.
  • Property damage. If a breach damages physical property such as computers, routers or machinery controlled by your IT system, you would need to file a claim with your commercial property insurance.
  • Intellectual property. Hackers don't just look for personal and financial information. They also go after intellectual property (IP). A hacker can hold your intellectual property for ransom or sell it on the dark web. Standard cyber insurance doesn’t cover losses from IP theft, but more comprehensive policies might allow you to add coverage.
  • Self-inflicted incidents. Like other commercial insurance policies, cyber insurance won't cover businesses that intentionally commit crimes. However, you can purchase commercial crime insurance to cover your systems if an employee maliciously breaches them.
  • Post-attack strengthening. First-party cyber insurance will cover an assessment of your IT system to determine the likelihood of a future attack and what you can do to prevent it. However, it won't pay for IT cybersecurity upgrades such as new anti-malware software, improved networks or employee cybersecurity training. Ask your agent about cyber betterment coverage for help with computer and network improvements after a covered incident.
  • Projected revenue loss. Cyber insurance covers lost revenue directly tied to the attack. For instance, if your employees can't do their jobs for a week after the attack, insurance may cover their salaries. However, it won't cover projected revenue loss. You’ll need to add business interruption coverage to your cyber policy. Even if you have a business interruption policy, you’ll need a separate one for cyberattacks.
  • All geographic locations. Cyber insurance you purchase in the U.S. may not cover branch offices or attacks outside the U.S. For example, if you access your system while traveling outside the country and your system is breached as a result, cyber insurance may not respond to the incident. The same holds true if you hire contractors who work with your firm but don't live in the U.S. Ask your agent to explain your policy’s international coverage, especially if you travel internationally or work with an international team.

Cyber liability insurance isn’t standardized. Each insurance company has its own version of coverage, exclusions, terminology and definitions. Using a seasoned agent who understands your cyber liability exposure and the coverage variations and gaps is critical to managing risk.

Who needs cyber insurance?

If your business stores or processes customers' personal or financial information, you need cyber insurance. This holds true even if you're self-employed. What matters is the amount of data you have or have access to, not the size of your business or how many people work for you. First-person coverage may be enough, but you should consider third-person coverage if you have the risk of a lawsuit.

If you provide goods or services to other businesses, you need all forms of coverage outlined above. This is because you have access to other businesses' online accounts, and a breach of your system also puts these accounts at risk.

Hackers place no limits on who they will target. Schools, hospitals, universities, self-employed individuals, and businesses of all sizes and industries have been victimized. When Russian hackers successfully hacked multiple U.S. federal agencies in 2020, it was because they first breached the software company SolarWinds. The hackers were able to use the breach of SolarWinds to access its clients.

Without cyber insurance, you're stuck dealing with the aftermath of an attack on your own. Up to 60% of small businesses shut down permanently after a cyberattack, as mounting expenses and dwindling income take their toll.

How much does cyber insurance cost?

Several factors determine how much you'll pay for cyber insurance. They include your:

  • Size and revenue. Large firms with high volumes of personal and financial information are prime targets for hackers. And it costs far more to repair the damage to a large IT system than it does to fix one or two computers at a small business. Thus, big companies generally pay more for cyber insurance than small firms.
  • Industry. Health care companies, financial institutions, educational facilities, government agencies and offices, and energy and utility companies are more vulnerable to attacks than companies in other industries. Thus, they generally pay more for cyber insurance than other companies.
  • Claims history. If your business has been breached in the past, you'll likely pay more for cyber insurance than a company that has never been hacked.
  • Cybersecurity protocols. Taking measures to protect your company from hackers will lessen the likelihood of an attack and lower your insurance costs. Such measures include:
  • Hiring an IT firm to manage your cybersecurity
  • Providing employees with ongoing cybersecurity training
  • Updating your software regularly
  • Limiting access to your database to employees who need it for their jobs
  • Creating company policies governing password selection and storage
  • Creating a written cyber incident response program
  • Regulatory landscape. Regulatory requirements vary by industry and geographic location. The more requirements you have, the more you'll pay for cyber insurance.

How do you pick the right cyber insurance policy for your business?

Have an expert audit your IT systems before you start looking into cyber insurance providers. An audit will show vulnerabilities you need to address and help you see which forms of coverage would benefit your organization. For example, if ransomware attacks are commonplace in your industry, you'll want to choose a policy with a high ransom payment limit.

Once you know what you need, start looking for a company to work with. A good company for your business will have experience meeting the needs of firms in your industry. For example, cyber insurance policies tailored to health care institutions won't always meet the needs of businesses in the financial or B2B market.

You'll also want to take the size of your business into account. Some cyber insurance providers specialize in working with large corporations or small to midsize businesses. Choosing an insurance agency familiar with the laws of your state is wise, especially if your state has many regulatory requirements for cyberattack reporting.

Evaluating cyber coverage and customer service

When you’re considering an insurance company, check its track record to ensure it offers efficient services, 24/7 support and fast compensation for claims. Some insurance companies offer cyber training, network audits and consultations to review your exposure. You can find this information online or ask other businesses for recommendations.

You want to make sure you can get help immediately after a cyberattack. This will help you avoid delays in meeting regulatory requirements, informing customers of the breach and assessing the damage. Generally speaking, it's best to pick a company that has been in business for a long time. Such firms are more stable and reliable than new companies that may not have the financial resources to cover a costly attack.

When you’re considering an insurance policy, check it carefully to see what it does and doesn’t cover. If you don't understand something, ask for information and make sure the answer is in writing. If you're allowed to set a deductible, choose one that ensures your company will have the financial resources it needs to recover from an attack. Remember, your policy isn't just one more expense to cover. It's a financial lifeline that will keep you afloat if your business is breached.

Balancing cost with coverage

You'll also need to take cost into account when selecting a cyber insurance policy. If you find the cost of a good insurance policy is higher than you expected, talk with the insurers about things you can do to lower premiums.

For example, you could raise the deductible and take on a larger out-of-pocket expense. In other cases, you could lower costs by implementing strong cybersecurity guidelines, training employees or outsourcing cybersecurity to an IT company. But it’s best to have these cybersecurity controls in place before you apply for a policy. Be ready to show proof. If you have employee cybersecurity training, keep records and provide them as part of your application. The same goes for written incident response programs. If you run an internet-based company in a state with a lot of regulatory guidelines, consider moving to another state with fewer regulations.

Never compromise your coverage to save a bit of money each month. You don’t want to deal with the aftermath of an attack without the resources you need to recover.

Cyber insurance can save your business

Cyber insurance doesn't replace sound cybersecurity tools or policies. However, it can provide the financial resources you need to deal with the aftermath of an attack. It can help you recover faster than would otherwise be possible. In today's world, cyber insurance is essential for any company that works with, stores or processes third-party personal data.

Don’t know where to start? Call your insurance agent!

Cyberattacks are becoming increasingly common and no business is immune. Adequate coverage can spell the difference between recovering quickly and being forced to shut your doors in the wake of an attack. Call an experienced cyber insurance agent. They can help you prepare your application and match you with an insurance company that fits your business needs.