Ransomware attacks, data breaches, and other cyber threats pose significant risks to businesses. Cyber Liability Insurance is key to mitigating these dangers.
But Cyber claim denials sometimes occur. Cyber Insurance claims statistics in 2022, for example, showed 27% of data breach claims with some exclusion written into the policy that meant Cyber Insurance was not paying out.
We at ProWriters help brokers educate business clients about what Cyber Insurance usually does and doesn’t cover. These conversations are important if your clients are to enjoy the protection they need and peace of mind they deserve.
What Does Cyber Insurance Cover?
Cyber Insurance covers financial losses and expenses incurred from cyber incidents. Main coverages under Cyber Insurance include:
- Network security and privacy liability
This coverage provides financial protection against legal claims and damages resulting from alleged negligence in protecting sensitive information, or from failing to prevent unauthorized access to computer systems. - Cyber extortion
This coverage covers the costs of ransom payments, professionals who negotiate with cyber extortionists, and other technological and legal expenses. - Crime and social engineering
This coverage assists when threat actors use stolen credentials to transfer funds out of an account, or use phishing emails or other social engineering to trick people into transferring funds. (Social engineering coverage is sometimes an extension or “add-on” to a base Cyber Insurance policy.) - Data breach response
This coverage helps meet the costs of such post-breach actions as notifying affected individuals, conducting IT forensic investigations, and providing credit monitoring services. - Business interruption
This coverage helps businesses recover income lost during the downtime cyber incidents cause, allowing them to avoid long-term financial setbacks. - Digital asset damage
This coverage pays for rebuilding websites, networks, and intranets, and for recovering or restoring data. - Reputational damage
This coverage helps businesses pay for public relations and crisis management, to mitigate damage to their reputation and restore customer confidence.
What Does Cyber Insurance Not Cover?
While Cyber Insurance covers a wide range of risks, policies generally don’t cover certain events and losses. Businesses must know the exclusions in their Cyber Insurance terms to avoid unpleasant surprises.
Denied Cyber claims examples include:
Physical Damage
If a cyber attack destroys physical infrastructure or equipment, the insurer may not cover the costs of repairing or replacing those assets.
Technological Improvements
Cyber Insurance helps businesses get computer systems back to the place they were before the cyber event—not use the event as an opportunity for upgrades. However beneficial such upgrades might be, they’re part of the cost of doing business. (If upgrades are the only available safe option, a Cyber policy may cover the cost.)
Potential Future Lost Profits
Unlike revenue lost during specific periods of business interruption a cyber event causes, the profits a business may have made but didn’t due to data loss, reduced market share, and theft of intellectual property (among other factors) generally aren’t covered under Cyber policies.
Pre-Existing Conditions
If an incident occurs before the policy’s effective date or a business has suffered a previous data breach, the carrier may issue a Cyber claim denial. Businesses must disclose previous incidents or cyber risks during underwriting to ensure proper coverage.
Cyber Attacks By Nation-States
Acts of war and attacks by nation-states involve highly sophisticated, coordinated efforts. Addressing the aftermath often requires international cooperation and diplomacy. The risks associated with such attacks are too unpredictable and complex for standard Cyber Insurance policies.
Illegal or Fraudulent Activity
If a business knowingly engages in illegal or fraudulent activities that lead to an incident, the insurer may deny the claim. Businesses must maintain a strong ethical culture and adhere to legal and regulatory requirements to ensure their coverage’s validity.
What Are Other Reasons Carriers Deny Cyber Claims?
A carrier may also issue a Cyber claim denial after an incident if a business:
- Failed to take proper precautions
Businesses should prioritize such practices as installing software updates and patches, implementing strong password policies, using multifactor authentication, and training employees in security best practices. If they don’t, they risk invalidating coverage or having claims denied on grounds of negligence. - Made a claim exceeding coverage limits
Coverage limits determine the maximum amount a carrier will pay out. If losses or expenses incurred exceed these limits, the insurance company may deny the claim for the excess amount. - Incurred losses during the waiting period
Cyber Insurance generally stipulates a time deductible. Carriers may deny claims stemming from short-term outages. Businesses should have plans for weathering brief periods of business interruption. - Submitted insufficient evidence
Proper documentation and evidence—incident reports, forensic analysis, financial records—is essential to support a Cyber claim. Without it, the carrier may deny the claim. - Filed the claim in an untimely way
Delays in reporting complicate the process and may result in a Cyber claim denial. Businesses should establish procedures for reporting incidents promptly.
Help Your Business Clients Fill In Cyber Insurance Gaps
Exclusions in Cyber Insurance policies aren’t meant to be obstacles but safeguards. They help make coverage more affordable and tailored to specific risks carriers and your clients face.
Registered ProWriters brokers have access to strong policies from top carriers. They also have access to practical resources for helping clients navigate exclusions, thus reducing the chance of Cyber claim denials.
You can also help clients assess and address the gaps exclusions in their Cyber policies cause, thus ensuring they have comprehensive coverage. For example, you can help them secure property damage insurance to cover the cost of repairing or replacing damaged computers; the social engineering “add-on” mentioned earlier, if the base Cyber policy doesn’t cover such cases; or media liability coverage in addition to Cyber Insurance, specifically designed for such media-related organizations as publishers, broadcasters, and advertising agencies.
Want more information about explaining and selling Cyber Liability Insurance? Download our free eBook, How to Sell Cyber: Big Claims in Ransomware & Social Engineering.