Guide to Cyber Insurance

What is cyber insurance?

Cyber insurance provides modern businesses a crucial shield against dynamic cyber threats. Over the past several years, hackers have turned cybercrime into a thriving business. According to the Identity Theft Resource Center, there were 2,116 data compromises as of September 2023 — a 17% increase from the 1,802 in 2022

Cybersecurity insurance policies safeguard organizations against financial losses stemming from cyber incidents, such as data breaches, ransomware attacks, and network outages. That’s why it’s recommended that all businesses purchase cyber insurance. 

Why do organizations need cyber insurance?

Most businesses take steps to ensure their physical operations are protected against damage and resulting general liabilities. However, such traditional insurance policies aren’t designed to cover cyber or technology risks.

General Liability (GL) insurance helps protect business owners from third-party claims of injury, property damage, and negligence related to their business activities. Unfortunately, in the world of GL insurance, property only encompasses tangible property and not digital assets.

What are the benefits of cyber insurance?

Cyber risk insurance varies widely in what's included. Some policies cover only specific types of cyber events and may include sub-limits for certain attacks, like ransomware.

The immediate benefits of cyber insurance include breach response costs, indemnifying businesses for immediate out-of-pocket expenses incurred to investigate and remediate a cyber incident. These costs include legal fees and expertise, forensics investigation, notification, and public relations or extra expenses associated with restoring businesses back to operations.

Learn more about the importance of cyber insurance.

What does a cyber insurance policy cover?

Cybersecurity incidents can damage more than a business’ computer hardware, network security, and mobile devices. The digital transformation of the economy has amplified the impact of cyber risks, which means businesses can suffer irreparable harm to their critical data, finances, and reputation. Cyber liability insurance coverage can offer protection to businesses, but not all policies are alike. The following are some key considerations when evaluating cyber insurance options:

What are the five main areas covered under cyber liability?

Cyber liability insurance can vary between carriers and policies. Businesses should look for the types of coverage that will help their organizations recover after experiencing a cyber event.

1. Direct costs to respond: Responding to a cyber event typically required numerous direct costs, also known as first-party expenses. If an organization experiences a data breach, it may require a prompt response and the need for additional legal counsel, forensic investigation, victim remediation, and notification to comply with regulatory requirements. Simple investigations can cost tens of thousands of dollars, while more complex matters can increase costs exponentially, underscoring the need for first-party coverage.

2. Liability to others: Navigating the patchwork of laws and regulations after a security incident or data breach is especially difficult for any organization, especially those that operate in a highly regulated industry across multiple legal jurisdictions. A ransomware attack or data breach can trigger liability to third parties and cause bodily harm or injury, which is why businesses ought to purchase third-party coverage.

3. Business interruption and reputation damage: A cyber event that impacts essential technology can have a significant impact on an organization's ability to operate, which can be highly visible to customers and other stakeholders. Even short periods of disruption from ransomware,  or cyber extortion can lead to direct loss of revenue and inhibit an organization's ability to support clients, negatively impacting not only customer retention but also the delivery of services.

4. Cybercrime: Beyond ransomware and data breaches, cyber events can result in financial theft for a business or its customers — often without an actual breach. Funds transfer fraud (FTF) can lead to an organization losing tens or hundreds of thousands of dollars almost instantly. Attackers can also gain access to email accounts through social engineering techniques, like phishing or business email compromise (BEC) and send fraudulent invoices or payment instructions to customers, vendors, and other third parties.

5. Recovery and restoration: After a cyber event, resuming operation is no easy task. If malware damages or destroys essential technology, data, or physical equipment, an organization may need to bring in external support or purchase new equipment to re-secure systems. Full remediation, restoration, and recovery can take a significant amount of time, when possible, and may require purchasing new software, systems, and consultants to rebuild the network.

What does cyber insurance not cover?

As with most insurance policies, there are specific exclusions that a cyber insurance policy may not cover. Things that may be exclusions in a cyber insurance policy include: 

• Resulting loss of future revenue (or loss of revenue or income that extends beyond the indemnity period; cyber policies typically provide business interruption and extra expense coverage for 180 days).

• Cyber attacks can result in brand or reputation damage, and while cyber insurance coverage can extend to reputational harm, that doesn't extend to a company's valuation or loss of intellectual property.

• Cyber policies can provide third-party protection for claims arising from a security failure, data breach, or privacy liability, but may not respond to errors and omissions (E&O) claims for a violation of a reasonable standard of care with professional services. Specific industries can purchase Technology E&O to mitigate this risk.

• Cyber insurance does not cover employment, discrimination, and directors & officers-related claims. Businesses need a separate liability policy for management liability insurance. 

Learn more about what cyber insurance covers.

How much cyber insurance is necessary?

As the frequency of cyber incidents and the associated costs continue to climb, businesses need additional ways to minimize their cyber risk. No single security control can prevent every incident, though cyber insurance is a valuable risk mitigation tool. 

What factors determine cyber risk?

There are a number of factors that determine an organization’s risk and how much cyber insurance it may need.

• Company security practices: Threat actors are opportunistic and more likely to target business with old, outdated, or vulnerable technology. 

• Types of information held: Some types of sensitive data, including personally identifiable information (PII), personal health information (PHI), and credit card data can be resold or held for ransom by cyber criminals.

• Availability of credentials: Threat actors may also target a business if they discover breached employee credentials. This is especially likely if the business has not implemented security controls, such as multi-factor authentication (MFA), to help secure accounts. 

• Company clients: Supply chain attacks are becoming more common, wherein threat actors compromise one victim in order to victimize their clients, suppliers, or customers downstream.  

Learn more about how much cyber insurance is necessary.

What does cyber insurance cost?

Most organizations carry some form of business insurance to help mitigate costs and losses associated with business operations, such as property damage, crime, and physical injuries. However, as cyber attacks and data breaches become more expensive and more prevalent, cyber insurance is increasingly becoming a must-have.

Cyber insurance pricing

In today’s dynamic market, the cost of cyber insurance can vary widely. The average U.S. business spends $145 per month on cyber insurance, or about $1,740 per year, according to Insureon. Here are some factors to consider when pricing cyber insurance.

• Types of technology: Many insurance companies use scanning technology in their underwriting models to assess potential vulnerabilities in an organization’s tech stack. Thinking like a threat actor allows insurers to gain better insight into potential risk exposures.

• Business industry: Threat actors might be particularly keen on attacking businesses in a given industry, often because they may get a bigger payout or because of weaknesses in their technology.

• Protected data: The more sensitive information a company stores, the more likely threat actors will be interested in it to steal, resell, or use as leverage in ransom demands.

• Coverage amount: Like other forms of insurance, cyber insurance costs are influenced by how much coverage is purchased. For example, a $1 million policy will be more affordable than a policy that provides up to $15 million in protection.

What else impacts cyber insurance costs?

Cyber insurance costs are influenced by several factors, including:

• Increasing demands in coverage

• Growing sophistication of cyber threats and attack methods

• Increasing costs associated with cyber incident remediation

Additionally, cyber insurance premiums may also become more expensive upon renewal if a business experiences a cyber attack within the previous year — similar to annual car insurance premiums increasing after a claim is made for an automobile accident.

Learn more about the cost of cyber insurance.

Do small businesses need cyber insurance? 

Small businesses (SMBs) face an increasingly and disproportionately challenging cybersecurity environment. The FBI’s Internet Crime Report found the cost of cybercrimes for small businesses reached $2.4 billion in 2021. Cyber insurance can help SMBs prepare for cyber threats or events by helping them transfer the potential costs associated with a cyber event to an insurer.

What are 6 benefits of cyber insurance for small businesses?

From defraying costs following a potential incident to indemnification for legal fees, small business cyber insurance helps ensure protection against events like data breaches of client information and ransomware attacks. 

1. Compensate losses that resulted from business downtime. Cyber insurance may help cover the costs of any revenue lost during downtime caused by a cyber attack, as well as associated expenses. 

2. Ensure regulatory compliance, including customer notification requirements. State and provincial regulations may require businesses to notify clients in the event of a data breach. Cyber insurance can help cover the cost of operations, like providing credit monitoring to impacted clients.

3. Cover the costs of replacing damaged equipment. Cyber attacks can degrade an organization’s equipment, leading to unforeseen additional costs in repairing or replacing damaged hardware.

4. Cover the cost of regulatory fines. Following a data breach, businesses that store sensitive information may be faced with regulatory fines.

5. Recoup costs associated with recovering compromised data. Forensic investigations, data mining, and recovery can be expensive and require specialized technical knowledge.

6. Cover ransom compensation. In the event of a successful ransomware attack, businesses may have to choose between paying the ransom and potentially losing all of their data, especially if data backups are not viable.

What sort of cyber liability coverage do small businesses need?

Cyber insurance coverage can be customized to a business depending on its risk profile. One of the initial factors to consider is determining the overall potential exposure risk. 

To effectively evaluate potential exposure, you should first review your cyber risk assessment. This may identify various exposure factors, such as your business’ online presence, the various types of hardware and software you may use and their associated vulnerabilities. Depending on the types of security measures you have in place, your policy and premiums may change. The areas of potential risk will be the primary factor to determine the exposures your business may need to remediate, as well as the appropriate coverage limits to protect against them.

Learn more about small businesses and cyber insurance.

What are the top 5 objections to cyber insurance?

There are numerous compelling reasons for businesses to take action to insure themselves against cyber threats. But business leaders often need help in understanding the significance of cybercrime, the costs it imposes, and the essential value of coverage. Below are five of the most common objections to purchasing cyber insurance.

1. “I'm too small to be a target.” Many business owners mistakenly assume that small companies or businesses with a low profile aren’t targets for cybercrime. In fact, threat actors increasingly use automated attacks to target small businesses, which often have weaker security controls.

2. “We don't rely on technology.” Cybercrime doesn’t just affect data-rich companies. Every technology, even the most basic, introduces the risk of cyber attack. In fact, tools like email are commonly exploited for phishing and similar attacks.

3. “I'm already protected from cyber threats.” Cybersecurity tools are an important tool in any organization’s cyber risk management strategy, but they’re only a first step. Protections can and do fail. Additionally, many cybercrimes and security breaches are a result of human error.

4. “I have coverage in my existing insurance.” Traditional insurance isn’t designed to cover the broad impacts of cybercrime. Most package policies only cover third-party costs, leaving significant coverage gaps.

5. “Cyber insurance costs too much.” For business leaders just becoming familiar with cyber insurance, the cost of coverage may seem like a financial burden. The reality is, in the current cyber threat environment, businesses can’t afford not to have sufficient insurance. On average, the cost of a small business data breach is between $120,000 and $1.2 million.

Learn more about common objections to cyber insurance.

What do businesses need from cyber insurance brokers?

In addition to coverage, cyber insurance products may include innovative features, such as proactive monitoring services or other security services. Businesses need help to understand the coverage that is offered, what’s not covered, and the additional services that are offered to proactively prevent a claim. Here are some tips for how brokers can best convey key information to businesses that may be considering cyber insurance coverage.

1. Go for clarity. Business owners want to understand the basics: What do I need to do to secure coverage? How could this benefit affect my business? How much will I be required to pay versus what may I be required to pay out of pocket without cyber insurance coverage? 

2. Paint the risks. Businesses need to understand the current cybercrime landscape and how the variety and prevalence of cyber risks poses a greater risk for all businesses, regardless of size.

3. Demonstrate value. Businesses need to understand the typical costs of cyber attacks on businesses without cyber coverage, including stolen funds, lost business income, equipment damage and reputational harm. Businesses that experience a cyber incident without cyber insurance coverage may also have third-party costs, such as technical, legal, and public relations expenses as well as potential regulatory fines or penalties. 

4. Explain the coverages. Cyber liability policies can provide coverage to covered businesses, from network liability to business interruption. Outlining coverage options in clear and simple terms can be quite helpful.

5. Highlight supplemental benefits. Certain cyber insurance products may include tools and services beyond the insurance coverage. For example, certain cyber insurance providers offer policyholders active monitoring and risk assessment to identify risks and decrease the likelihood of claim.

6. Support with statistics. Current data and statistics support the case for businesses to prioritize cyber coverage. For many small businesses, even an average cyber attack can cause significant financial, operational, and reputational costs that can be difficult for these businesses to overcome.

Learn more about how brokers can support businesses purchasing cyber insurance. 

Why get cyber liability insurance from Coalition?

Cyber risk evolves quickly, with new threats constantly emerging. Traditional insurance providers lack the visibility and tools to keep up with these new, fast-paced digital risks.

Coalition uses technology and data-driven processes, underwriting, and tools to assess an organization’s risks in real-time and can provide them the tools to mitigate and address the risks proactively. We call this Active Insurance: the first insurance product designed to prevent risk before it strikes.

• Active Risk Assessment: Our proprietary data platform enables us to quickly evaluate a business’ cyber risk profile, including any security vulnerabilities. Once identified, Coalition works with businesses to actively address those exposures, better-positioning them for coverage at more reasonable rates.

• Active Protection: Continuous scanning and monitoring of a policyholder’s digital assets and other risk factors throughout the policy term reduces the likelihood of a claim. Policyholders also benefit from personalized alerts for critical issues, so they can take prompt action that mitigates the risk.

• Active Response: Support and guidance from Coalition’s in-house team of experts can assist policyholders when a cyber incident occurs by mitigating damages and aiming to get the business back up and running.

Coalition combines comprehensive cyber insurance coverage and security services to help businesses prevent digital risk before it strikes. That’s why Coalition policyholders experience 64% fewer cyber insurance claims than the industry average. 

Learn more about Active Insurance from Coalition.