What Does Cyber Insurance Not Cover?

As data breaches and other cyber attacks increasingly make headlines, small and midsize businesses (SMBs) are asking whether they need cyber insurance coverage.

43% of cyber attacks target SMBs. And the costs associated with them can prove too much for SMBs to bear on their own.


But cyber insurance policies aren’t all-in-one umbrellas protecting businesses against any and all financial fallout from a data breach, malware infestation, or other cyber incidents. Knowing what cyber insurance does not cover is just as important as knowing what it does.

When you’re discussing cyber liability insurance with your SMB clients, you must ensure they understand what their policy will and won’t cover.

Costs Typically Covered and Not Covered by Cyber Insurance

Cyber insurance protects businesses from liabilities and losses related to a cyber event.

In data breaches, these liabilities arise because bad actors have exposed customers’ legally protected information. This information includes:

  • Personally identifiable information (PII) – Examples include names, phone numbers, addresses, Social Security numbers, and bank account numbers.
  • Protected health information (PHI) – PHI is information used to provide healthcare or healthcare coverage to individuals. Examples include demographic data, medical histories, test results, and health insurance information.
  • Payment card information (PCI) – PCI is credit and debit card information. Examples include cardholder names and account numbers.

Cyber insurance can also cover liabilities and losses resulting from incidents of business email compromise (such as phishing or spoofing), ransomware attacks, and consequent business interruption.

A typical cyber insurance policy can cover the costs, among others, of:

  • Forensic IT investigations to determine what data was affected and accessed.
  • Notification efforts to let affected third parties (individuals and companies with whom the policyholder does business) and regulators know about the incident.
  • Credit monitoring programs extended to affected third parties.
  • Crisis management efforts, including public relations campaigns to protect the business’s reputation in the attack’s aftermath.
  • Ransom payments businesses must sometimes, unfortunately, make to liberate their data and systems from cybercriminals’ control.

Businesses carrying cyber liability insurance are better off in the event of a breach or attack than those that don’t. But these policies typically don’t cover all possible costs related to an incident.

Broadly speaking, cyber insurance does not cover costs in these areas:

  • Potential future lost profits

Most policies cover lost income—that is, the net profit a business would have made during a cyber attack. But they won’t cover profits lost after an incident as a direct or indirect result. Devaluation of affected data, a company’s diminished market share, profits lost due to reputation damage: most policies exclude such potential losses.

  • Loss of value through intellectual property (IP) theft

Many businesses don’t even realize they run IP risks. Often, they won’t recognize IP theft until long after an incident (for example, when a competitor takes a new product to market). Nevertheless, devaluation due to IP theft is a loss most cyber policies don’t cover.

  • Technological improvements and upgrades

Replacing computers, changing servers, upgrading software, and strengthening cyber security systems may prove necessary when recovering from an attack. But businesses shouldn’t expect insurance companies to cover the cost. Cyber policies “aren’t meant to get you to a place that’s better,” one expert told Dark Reading, but “to get you back to where you used to be.”

  • Losses incurred during the time deductible

Cyber attacks don’t need much time to inflict damage. But in the same way health and auto insurance coverages specify monetary deductibles, cyber coverage usually specifies a time deductible. This waiting period often lasts between eight and 12 hours, according to the Organisation for Economic Co-operation and Development (OECD, Enhancing the Role of Insurance in Cyber Risk Management, 2017, p. 71). If a company gets its systems up and running again within that time frame, coverage won’t apply.

Getting Your Clients Covered by Cyber Insurance Can Be Easier

While you’ll be upfront with your business clients about what cyber insurance does not cover, you’ll also want to make clear that the financial protection and peace of mind these policies do provide far outweigh the areas they don’t address.

To discover even more about effectively helping your clients manage cyber risk, download ProWriters’ free eBook, How to Sell Cyber: Big Claims in Ransomware & Social Engineering. It’s full of proven strategies for presenting and selling the cyber policies needed in today’s digital economy.