Skip to main content
Security Scorecard

Understanding the Basics of Cyber Insurance: What You Need to Know

Posted on March 7th, 2022

Data breaches and cybercrime are all too common. And in recent years, ransomware attacks have caused many organizations to face hefty extortion payments, legal fees, and reputational damage – not to mention the major headache that comes with each. Cyber insurance has become a powerful tool in the world of cyberattacks to help protect organizations from the implications of a ransomware attack, but many don’t understand what a cyber insurance policy actually covers.

In this blog, we will identify the basics of cyber insurance and outline everything your organization needs to know surrounding cyber coverage in the event of a cyberattack.

What is cyber insurance?

Cyber insurance covers the liability, costs, and risk of disruption that occur from a cyber attack, as well as nonmalicious mistakes made by a user that lead to a cyber incident (accidentally making a database public, losing a laptop, etc.). In most cases, cyber insurance covers any expenses that result from a data breach or ransomware attack including regulatory fines, investigation processes, or customer notification. Despite a swell in cyber insurance providers, many organizations do not have coverage that exceeds $100 million. And as the cost to reconcile all aspects of a cyber incident is often nearly $300 million, the cyber insurance coverage for many organizations is simply not enough.

Brief history of cyber insurance

Cyber insurance was developed in the 1990s to cover lawsuits from data breaches on an organization's computer system security. In some policies, cyber insurance even covered business interruption loss from a compromised system. While many US companies bought cyber insurance for coverage, most were forced due to the liability risks of data privacy.

Data privacy became a focus in 2003 when California passed a law requiring companies to notify individuals if/when their private information had been breached or compromised — and many states followed suit. Despite the growth across states, there are minimal data privacy laws outside of the US. However, what did resonate was the interest in cyber insurance.

Concerns surrounding cyberattacks and data breaches were top of mind across the globe, especially as cyber threats become more serious and sophisticated. But over the last few years, ransomware attacks have multiplied as WannaCry, Petya, and NotPetya transformed ransomware from a nuisance to an extreme problem. To stay ahead of the threats presented from these attacks, organizations have relied on cyber insurance to provide coverage for their network, and the ever-changing threat landscape of cyberattacks.

What cyber insurance generally covers

A basic cyber insurance policy often covers claims resulting from data security risks and data privacy — but not every business is entitled to the same protection. While every company faces cyber risk, the bigger the company, the more areas of vulnerability — and therefore, the need for additional coverage.

Here are a few distinct insurance agreements that most cyber insurance companies offer.

Network security and privacy liability

Network security and privacy liability are two of the most important coverages to have for an organization. Network security covers direct expenses from a cyber incident and first-party costs including:

  • Legal expenses

  • Restoration of data

  • Ransom negotiation and payment

  • IT forensics

  • Business email compromise

Privacy liability protects your company from a cyber incident or privacy law violation on sensitive data including customer and employee information. This protection is especially important when defending your organization from consumer class action litigation, legal expenses, fines, or other penalties from regulatory investigations by governments and law enforcement.

Network business interruption

If your business is dependent on technology to operate, then it should consider network business interruption coverage. Network business interruption coverage is for companies that are susceptible to operational cyber risk, or rather when a network provider you rely on collapses due to a cyber incident. With this coverage, companies can recover costs from third-party security and system failures that result in:

  • Lost profits

  • Extra costs incurred from a breach

  • Fixed expenses

Media liability

Media liability covers intellectual property infringement that results from the advertising of services your business offers. This often applies to both online and printed advertising. Media liability offers broad protection for businesses to help policyholders manage the costly damages that result from media-related claims.

Errors and omissions

Errors and omissions (E&O) cover claims that result from errors or failure of the performance of your services due to a cyber event. Errors can be anything from the failure to perform technology services (software, consulting, etc.), to the failure to fulfill contractual obligations of professional services (doctors, architects, lawyers, engineers, etc.). Errors and omissions address a breach of contract or allegations of negligence and can include legal defense costs or compensation from a lawsuit or dispute with your customers.

What cyber insurance does not generally cover

Like most insurance policies, cyber insurance does not cover every possible risk and cost of a ransomware attack. Before getting cyber insurance, it’s important to understand exactly what will be covered for your business, and what will not. Here are the most common aspects of coverage that cyber insurance policies generally do not offer.

Potential profits loss

Cyber insurance policies are not responsible for restoring potential profit losses from a ransomware attack. For example, if your company experiences reputational damage due to a recent ransom attack, the insurance company is not responsible for compensating for this loss.

Theft of intellectual property

Theft of intellectual property is when a cybercriminal steals a company’s ideas, inventions, trade secrets, etc. If a cybercriminal steals intellectual property and it results in a devaluation of the company, most cyber insurance companies will not cover this loss.

Costs of software or security upgrades

If your business suffers a severe data breach, you’ll want to consider upgrading your systems or networks to prevent a ransomware attack in the future. However, most cyber insurance policies will not cover the cost of new software or security upgrades, even though it could help mitigate risk.

How SecurityScorecard can help

Cyber insurance policies are not a one-size-fits-all solution. And obtaining insurance isn't as easy as it used to be. The requirements for insurance have become more stringent and companies could face higher premiums, less coverage, or risk of not being offered insurance at all if they don't have a strong security posture. SecurityScorecard allows risk managers and CISO’s to understand their current security posture and define the risk management strategies needed to improve insurability.

With the ability to make better, more educated decisions, streamline insurance workflows, and satisfy your customers, SecurityScorecard makes it easy to make trusted cyber security decisions for the future. Sign up for a free account today!

Return to Blog
Join us in making the world a safer place.