Introduction to Cybersecurity Insurance

What is Cyber Liability Insurance?

Also known as cybersecurity insurance or cyber risk insurance, cyber liability insurance protects businesses against property losses and liability associated with cyber attacks. These include hacks, virus attacks, devices and systems infected with malware, data breaches, and denial-of-service (DoS) attacks. As businesses increase their Internet usage and continue to adopt digital technologies, the risk of a cyber attack is only going to grow, which could cost businesses potentially millions in damage.

In the event of an attack or data breach, cyber liability insurance can cover your business losses, regardless of whether they are first-party losses or losses from third-party providers. It is an essential risk management tool for many IT companies, tech companies, and all other companies that deal with a large amount of sensitive information and conduct a lot of business online.

The cyber insurance industry is rapidly expanding. The structure of the industry is designed for businesses to pool cybersecurity risks together as a way to internalize risks associated with operating over the Internet. There is a wide and diverse risk pool spanning the industry, which makes it difficult for smaller companies looking to break into the industry. Currently, cybersecurity insurance remains a niche product even though virtually every modern business utilizes the Internet. 

How Cybersecurity Insurance First Emerged

The cybersecurity insurance industry first emerged all the way back in the early 1990s as cybersecurity was becoming an increasingly important factor for many major businesses at the time, even though the Internet was a relatively unknown entity. During this time, the two biggest online threats were copyright infringement and theft of intellectual property. The big players in the computer industry at the time were worried that rivals or cybercriminals would steal their innovations and claim them as their own. 

However, by the turn of the new century, many industry experts began to realize the scope of cybersecurity is much greater than just copyright theft. At this point in time, industry leaders were creating risk management tools to better cope with the emerging threats they faced. It took two major events for all major players in the industry to take notice: Y2K and the 9/11 attacks. These events helped convince governments that small-to-medium sized businesses need cybersecurity insurance for protection. And after the 2008 financial crisis, it is now realized that larger corporations need cybersecurity insurance too. 

One of the first industries to give serious consideration to cybersecurity insurance was banking in the early 2000s, which was a necessary move for an industry that was rapidly digitizing and dealing with an immense amount of sensitive information. Initially, the insurance only covered third-party costs and some in-house business interruptions. However, insurance soon expanded to cover both first and third-party elements, which we will discuss in greater detail later in the article. 

Further Innovations in Cybersecurity Insurance

The increase in the number of cyber attacks and potential losses for businesses both small and large has given way for many consumers and business owners to rethink their insurance needs. It is important to note that the nature of cybersecurity threats is constantly changing and evolving. Therefore, cybersecurity insurers have to constantly adapt, change their policies, and provide different services to keep pace with the emerging threats. Much of this part of the industry is still in the developmental stage, so some level of experimentation can be expected from insurance providers. 

One newly formed option is bundling cybersecurity insurance with IT security services. Companies that specialize in creating customized Internet security products for clients are also partnering with cybersecurity insurers to address the needs expressed during the consultation process. Not to mention, the government also has a significant stake in the cybersecurity insurance industry due to the amount of losses that could potentially arise without insurance. If an insurance provider can help a business recoup some of its losses, it prevents the government from stepping in and dishing out the necessary amount of money.

It is imperative to expand the existing pool of both insurance providers and clients. There are compounded risks if there are too few players in the system. For one, without enough insurance providers, it can lead to an oligopoly or even a monopoly, which could create higher than market value insurance premiums, putting greater financial strains on businesses. On the other hand, having too few clients increases the risk of losses for providers because the cybersecurity risks are not efficiently dispersed. Insurance providers also have to minimize "free-riders" who get generalized protection without paying for the coverage. 

What Does Cybersecurity Insurance Cover?

Cybersecurity insurance covers a lot but not all of the losses associated with a data breach. Providers reimburse businesses for the costs they already incurred from the attack.  Here is some of the coverage you are likely to find in an insurance policy:

  • Data Restoration: This covers the cost to restore or replace software, electronic data, and other programs that were damaged or destroyed by a malware attack, hacker attack, denial of service (DoS), or any other form of cyber attack. 
  • Loss of Income and Other Expenses: This covers income lost from an attack as well as other expenses required to restore operations following a shutdown from a virus, hacker attack, etc. Some providers include policies that cover losses to a supplier, distributor, and others that were forced to shut down because of a data breach by a particular company they rely on to maintain operations themselves. 
  • Notification Costs: This covers the cost of notifying parties who were impacted by the data breach. Coverage here is important because many states have laws that require businesses to notify customers or employees if their personal information is compromised. Policies could also cover the costs associated with credit monitoring as well as establishing a call center for those impacted.
  • Cyber Extortion: This covers the ransom paid to a hacker who breached a company's network and threatened to commit more damage to the company, such as releasing sensitive data, infecting the system with a virus, initiating a DoS attack, etc. These policies generally reimburse any extortion payments paid to an attacker as well as any expenses related to the incident, such as hiring a negotiator to try and reason with the attacker. 
  • Crisis Management: A majority of cyber insurance policies cover some crisis management expenses. This could include the cost of hiring a lawyer, cybersecurity expert, forensic accountant, or public relations manager to assess the situation, determine the scope of damages, pinpoint whose data was compromised, and to help mitigate the losses to salvage a company's reputation. 

Many cybersecurity insurance policies also cover some liability claims. These usually pertain to settlements or damages as well as defense costs, which can fall within the original policy limit or outside it. Some liability examples typically covered include:

  • Electronic Media Liability: Electronic media liability insurance reimburses lawsuits against a company for cases like libel, defamation, slander, etc. It also covers copyright infringement, domain name infringement, and invasion of privacy.  These claims are only covered if the policyholder publishes electronic data on the internet. 
  • Privacy Liability: Privacy liability insurance is important for businesses with information risk or privacy risks. Whenever a cyber criminal exposes sensitive customer or employee information, it also exposes businesses to liability. This liability coverage protects businesses from liabilities arising from a cyber attack or privacy law violation. These could cover everything from liabilities in a contractual obligation to regulatory investigations conducted by the government. 
  • Network Security Liability: This covers claims against a company accused of negligent acts, critical errors, or omissions. Omissions could include failure to provide notification of a data breach, failure to protect sensitive business information, or failure to prevent a DoS attack or the introduction of a virus or malware into the system.
  • Regulatory Proceedings: This covers penalties, fines, or hearings imposed on businesses by regulatory agencies that direct data breach laws. It also helps cover the cost of hiring an attorney to respond to the regulatory proceeding and represent you in it.

What Cyber Insurance Policies Do Not Cover

As is the case with all insurance contracts, cyber policies do not cover everything and exclude certain types of claims. Here are a few typical exclusions policy providers do not cover:

  • Property Damage and Bodily Harm: Cybersecurity insurance does not cover claims of bodily harm or property damage. That is where general liability insurance is essential.
  • War and Terrorism: Acts of war and terrorism do not fall under the scope of a cybersecurity insurance policy claim.
  • Utility Failure: Insurance providers are not responsible for attacks caused by utility failures, such as electrical grid shortages.
  • Intentional Dishonesty by the Insurance Holder: If a business intentionally lies to insurance providers or withholds critical information from them, it is not only liable for damages but could face possible legal action from the insurance provider.
  • Contractual Liability: Each contract is different. But policy holders generally assume some type of liability in a contractual agreement with insurance providers. 
  • Cyber Attacks Committed Before the Retroactive Date: A cybersecurity insurance policy is only applicable after the policy goes into effect, so all damages that occurred before the implementation date are not covered. 
  • Restoring Computer Systems to a Higher Level of Functionality than Before the Attack: A cyber security insurance policy is not responsible for upgrading a business's operations. It is only responsible for the system they have in place at the time of the attack. 

Who Needs Cybersecurity Insurance?

Cybersecurity insurance is ideal for businesses that store confidential, sensitive, and proprietary information online. If your business stores any of the following information, you should seriously consider adding cybersecurity insurance to better protect your business:

  • Credit Card Numbers
  • Addresses
  • Social Security Numbers
  • Driver's License Information
  • Phone Numbers/Email Addresses
  • Medical Records, Health Information, Medical Expenses
  • Patent Applications, Trade Secrets, Copyright Claims

Even if you're a smaller business and do not deal with nearly as much sensitive information as larger businesses, it is still important to invest in cybersecurity insurance. The truth is, you never know when an attack could occur, and you should always be prepared, even if you believe the chances of it occurring are low. 

As you will see in the next section, there are many different ways cybercriminals can attack your business. Fortunately, there are safeguards to mitigate the chances of a significant data breach.  

How Do Cyber Breaches Occur?

There are a multitude of ways a cyber breach can occur. For example, many cybercriminals use social engineering tactics to manipulate users into clicking infected links. Cyber criminals can send phishing emails or texts to unsuspecting employees or customers pretending to be your company. Once they click the email or text link, the cyber criminal can steal their personal information. Or, they can even use a virus to infect company data files. 

The best way to protect your company is through robust internal safeguards. For instance, businesses should limit the number of employees who have access to sensitive business files and information. Likewise, you should have a thorough password policy, with periodic password updates. And employees, under no circumstances, should share their password with anybody. There should also be regular software updates, because outdated software is an immense security risk to a company. 

With proper safeguards in place coupled with cybersecurity insurance, businesses can mitigate the risk of a data breach while also protecting themselves financially in the case of an attack occurring. Both measures ultimately safeguard the business and its reputation for the future. Security should always be a boardroom agenda for any business and cybersecurity insurance adds an extra layer of protection to a company's security policy.  

What Types of Cybersecurity Insurance Do You Need?

There are two types of cybersecurity insurance businesses may need. These include:

  • First-Party Coverage: Covers expenses related to a data breach or stolen data
  • Third-Party Coverage: Provides protection to businesses being sued by customers for failing to prevent a cyber attack

Below we discuss both types of coverage in greater detail, as well as why your business should consider both.

First-Party Cybersecurity Coverage

First-party coverage is insurance that deals with the costs that directly impact your business in the event of a cyber attack. These include expenses for restoring a breached network or recovering compromised data. It is sometimes referred to as data breach insurance, and you can usually add it to your general liability insurance if the policyholder allows it. 

Additionally, first-party coverage helps offset the costs of notifying clients about an attack and providing credit monitoring services to those impacted by the breach. First-party cybersecurity insurance can usually cover the following:

  • Crisis Management
  • Public Relations
  • Cyber Extortion Payments
  • Hiring Expert Investigators
  • Cost of Hiring Additional Staff
  • Renting Equipment
  • Purchasing Third-Party Services
  • Custom Credit and Fraud Monitoring Services

Third-Party Cybersecurity Coverage

Third-party cybersecurity insurance helps cover lawsuits related to a business's cybersecurity risks. These are the claims made against businesses by third-party providers impacted by a data breach. In essence, it is liability coverage that protects businesses who fail to prevent a cyber attack or data breach at their company. 

Third-party insurance is particularly valuable for IT consultants, tech professionals, and software developers who provide software recommendations to clients. Third-party insurance will help protect those individuals and their employers who recommended software that was later responsible for a cyber attack or data breach. 

This type of cybersecurity insurance generally covers the following:

  • Legal Defenses
  • Legally Binding Judgements of the Case
  • Any Settlements Agreed To (Both In and Out of Court)
  • Any Other Legal Expenses

Businesses can also bundle their third-party cybersecurity insurance with their errors and omissions insurance, which covers lawsuits relating to work that was late, inaccurate, or never delivered. When paired together, these are known as technology errors and omissions insurance, and provide companies with robust third-party liability coverage.

How Much Does Cybersecurity Insurance Cost?

Cybersecurity insurance is not a one-size-fits-all type of coverage. There are many different factors that determine the cost of coverage. Depending on the size of the business and the scope of the insurance coverage, cybersecurity insurance can range anywhere from a few hundred dollars a year to well over 50,000. However, if you work with policy providers to tailor coverage that matches your business needs, you should be able to get a rate that fits within your budget.

There are a few key criteria businesses and insurance providers must factor in to determine the cost of your cybersecurity insurance. These include:

  • Coverage Limits: The more complex a cybersecurity network is, the more expensive coverage will be. For instance, businesses with multiple servers will have higher insurance premiums than those operating with one.
  • Security Measures: A great way for businesses to lower their insurance premiums is to have robust cybersecurity measures in place. This could include a company-wide cybersecurity policy, employee training, regularly running system maintenance checks, updating software, updating passwords, etc.
  • Industry: Companies that primarily operate online and deal with large amounts of sensitive/personal data will have to pay considerably more than a small business with a low traffic website. Industries that generally have higher cybersecurity insurance premiums include healthcare, financial/banking, and tech because they deal with so much sensitive information on a day-to-day basis.
  • Data Access: Businesses can save money by limiting the number of people who have access to sensitive business/client information. If companies limit access to certain departments or senior officials, the risk of a data breach is reduced significantly. Likewise, hiring an in-house or third-party cybersecurity expert can lower premium rates.
  • Claims History: If a company has a history of claims, the insurance company will generally charge higher premiums because of the perceived risk of providing cover. That is why it is essential for businesses to mitigate claims reports and protect their business as best as possible. 

When compared to other types of business insurance, cybersecurity insurance generally has higher premiums because of the scope and impact a data breach can have on not only a business, but also its clients and third-party providers. The costs of a cyber attack can add up very quickly. That is why it is essential to contain the crisis quickly and respond to customers in an honest manner. Likewise, companies need to fix the damaged hardware and immediately update software, have a public relations correspondent to publicly address the situation, and be prepared for any legal proceeding ahead.

Partner With Cybersecurity Experts to Better Protect Your Business and Lower Your Interest Rates

Cybersecurity insurance is a crucial asset for SMBs all the way up to the Fortune 500 companies. However, one distinct advantage of many larger enterprises is that they generally have the resources to produce an in-house IT and cybersecurity team. Creating a full-time cybersecurity team is an undeniably expensive endeavor, which is why many SMBs are unable to implement one. 

Fortunately, there is a cost-effective alternative many SMBs can use to manage cybersecurity risks that aligns with their budgets. Instead of building a team in-house, companies can partner with third-party cybersecurity experts that can help businesses navigate through the increasingly complex cybersecurity landscape.

At BitLyft, we are the cybersecurity risk management experts that you want in your corner. Our team consists of highly trained cybersecurity analysts, developers, and strategists. We can handle the day-to-day tasks of helping you achieve your cybersecurity goals, while you can focus on growing your business. Not to mention, when we're a part of your team, we can help lower your company's cybersecurity insurance premiums.

If you would like to learn more about BitLyft, the cybersecurity services we provide, and how we can help your business, feel free to visit our website and contact us today! 

Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.
