Doing business today inevitably means running digital risk. Cyber Insurance coverage is no longer a niche product but an essential component of responsible business management.
But Cyber isn’t a one-size-fits-all product. What’s more, businesses and their insurance brokers often make mistakes about what is and what is not covered by Cyber Insurance, as well as which Cyber products do and don’t provide adequate protection.
Zane Goldthorp is director of broker development at ProWriters. He’s worked in Cyber Insurance since 2007. Recently, he answered some questions about this critical specialty line.
Watch the video, then read on for more information to help you make informed choices about Cyber Insurance coverage with your business clients.
What Cyber Insurance Covers: First-Party and Third-Party Liability
Cyber Insurance helps businesses manage costs associated with a cyber incident.
Today, policies generally include both first-party and third-party coverage.
First-Party Coverage
First-party coverage is for direct costs incurred as a result of a cyber incident—urgent, out-of-pocket expenses required to respond to and recover. Key components often include:
- Incident Response
Policies cover costs of immediate response, including forensic IT analysis to determine a breach’s cause and scope, and legal counsel for navigating compliance obligations.
- Data Recovery
Policies can cover costs of restoring, recovering, or recreating lost, stolen, or corrupted data.
- Cyber Extortion
After a ransomware attack, policies can cover costs of managing the threat, including consultant fees and, sometimes, ransom payments.
- Customer Notification and Support
The law requires businesses to inform people whose data may have been compromised in a breach. Policies can cover costs of notification, as well as of providing credit monitoring or identity theft protection services.
- Public Relations (PR)
Data breaches can severely damage businesses’ brands. Cyber coverage helps pay for PR and crisis management experts who can mitigate reputational harm.
Third-Party Coverage
While first-party coverage protects a business’s own balance sheet, third-party coverage protects it from liability claims made by clients, partners, vendors, or other external parties. Key components can include:
- Legal Defense Costs
Policies can cover fees associated with defending against lawsuits alleging that a failure to secure a network and systems resulted in harm.
- Settlements and Judgments
Should a business be found liable for damages, the coverage helps pay for court-ordered settlements or judgments.
- Regulatory Fines and Penalties
Government and industry regulators can impose fines for noncompliance with data protection laws (like GDPR or CCPA). Third-party coverage can help cover them.
“If you’re in that stage where your breach leads to a third-party loss,” Goldthorp notes, “you’ve got to buckle up. It’s going to probably be a pretty pricey claim.”
What Is Not Covered by Cyber Insurance
No insurance policy covers everything. Some common Cyber Insurance exclusions are:
- Known Vulnerabilities
If a business knows about a critical flaw in its network security and failed to address it, an insurer may deny a claim related to it.
- Acts of War
Policies often exclude cyber attacks attributed to nation-states or deemed acts of war, though this area is still evolving and debated.
- Future Lost Profits
While business interruption from a cyber event may be covered, Cyber Insurance typically does not cover potential future profits lost due to reduced market share or a decline in company value.
Goldthorp has also seen recent shifts in Cyber Insurance exclusions.
“A large portion of policies . . . do not offer dependent business interruption coverage,” he says, “and that’s a huge deal.”
To illustrate, he points to two high-profile examples of supply chain cyber attacks. The United Healthcare ransomware attack affected tens of thousands of medical facilities. The ransomware attack on CDK Global disrupted operations for nearly 15,000 North American car dealerships relying on CDK management software.
“Healthcare [businesses] and auto dealerships who had not had anything happen to them [directly] . . . couldn’t do business, they were so reliant on this third party,” says Goldthorp. Yet many policies don’t offer dependent business interruption coverage.
Similarly, dependent system failure is another frequent exclusion.
Referring to the erroneously named “CrowdStrike attack,” Goldthorp says, “CrowdStrike did not suffer a breach. It was a human error—a patch update that went wrong that shut down the world for a few hours. Had that been several days or even possibly several weeks, it would have been catastrophic. But . . . there [are] not that many policies . . . offering dependent system failure coverage.”
Evaluating the Adequacy of Cyber Security
Although strong Cyber Insurance coverage is essential, Goldthorp argues businesses must also start taking cyber security more seriously.
Businesses should follow some basic, broadly accepted best practices, such as:
- Multifactor Authentication (MFA)
SMS verification, authenticator apps, and hardware tokens are easy to use and add extra security to systems and data.
- Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR)
EDR and MDR services offer outsourced, real-time detection of and response to network vulnerabilities and incoming threats.
- Adequate Backups
Regular and regularly tested backups of critical data, stored in multiple secure locations (including the cloud), can help protect against data loss and extended downtime.
- Email Security Filtering
Recognized email authentication protocols (e.g., SPF, DKIM, DMARC) can prevent email spoofing, and routinely updated security tools help keep spam, phishing attempts, and malware out of inboxes.
- Employee Training
Regular instruction can raise all employees’ awareness of the risks and promote a cyber security-conscious culture.
What Brokers Must Know To Get Clients the Right Coverage
“Agents [and brokers] have to know what they’re looking for,” Goldthorp stresses. “They’ve got to know Cyber inside out to be able to make educated decisions on which policy is best for their clients.”
He says he’s seen too many brokers and agents “learn the hard way” that the product they’ve sold doesn’t match their client’s needs. A Cyber add-on to a Business Owners Policy (BOP), for instance, is unlikely to provide coverage a client can use to deal with a data breach.
Claims handling is another area of potential trouble. Brokers often don’t realize how important the claims process is until they and their clients try filing a claim.
“If you don’t have a carrier who has a dedicated Cyber claims team,” says Goldthorp, “it makes the claims process very unfun to go through for your client, and much more costly. The experienced carriers who know how to handle claims are always going to be the ones you want to put your clients with.”
How ProWriters Helps You Place Your Clients’ Cyber Risk
At ProWriters, our registered brokers have access to an extensive network of experienced, industry-leading carriers who offer comprehensive Cyber Insurance coverage at competitive rates for even the most complex risks.
Our proprietary Digital IQ Comparative Rate Platform lets you research and generate multiple quotes from these carriers within minutes, ready for easy, side-by-side comparison.
The results include more appropriate and affordable coverage options for your clients, and higher commissions for you.
Become a registered ProWriters broker today to get started.