Decoding Cyber Insurance: What Policies Really Cover (and What They Don't)

For small businesses operating in an increasingly digital landscape, cyber threats are not just theoretical concerns; they are a daily challenge. From phishing scams and ransomware attacks to accidental data breaches, the financial and reputational consequences can be significant. This is why more companies are opting for cyber insurance to manage these risks.

However, not all cyber insurance policies are the same. Many business owners assume they are protected, only to discover—often too late—that their policy has significant gaps. In this blog post, we will detail what is typically covered, what is not, and how to select the right cyber insurance policy for your business.

Why Is Cyber Insurance More Crucial Than Ever?

You don't need to be a large corporation to become a target for hackers. In fact, small businesses are increasingly vulnerable. According to the 2023 IBM Cost of a Data Breach Report, 43% of all cyberattacks now target small to mid-sized businesses. The financial fallout from a breach can be staggering, with the average cost for smaller businesses reaching $2.98 million. That can be a substantial blow for any growing company.

Moreover, today's customers expect businesses to protect their personal data, while regulators are cracking down on data privacy violations. A good cyber insurance policy not only helps cover the cost of a breach but also ensures compliance with regulations like GDPR, CCPA, or HIPAA, which makes it a critical safety net.

What Cyber Insurance Typically Covers

A comprehensive cyber insurance policy is crucial in protecting your business from the financial fallout of a cyber incident. It offers two main types of coverage: first-party coverage and third-party liability coverage. Both provide different forms of protection based on your business's unique needs and the type of incident you're facing. Below, we break down each type and the specific coverages they typically include.

First-Party Coverage

First-party coverage is designed to protect your business directly when you experience a cyberattack or breach. This type of coverage helps your business recover financially from the immediate costs associated with the attack.

Breach Response Costs

One of the first areas that first-party coverage addresses is the cost of managing a breach. After a cyberattack, you'll likely need to:

  • Investigate how the breach happened and what was affected
  • Get legal advice to stay compliant with laws and reporting rules
  • Inform any customers whose data was exposed
  • Offer credit monitoring if personal details were stolen

Business Interruption

Cyberattacks that cause network downtime or disrupt business operations can result in significant revenue loss. Business interruption coverage helps mitigate the financial impact by compensating for lost income during downtime. It allows you to focus on recovery without worrying about day-to-day cash flow.

Cyber Extortion and Ransomware

Ransomware attacks are on the rise, and they can paralyze your business by locking up essential data. Cyber extortion coverage is designed to help businesses navigate these situations by covering:

  • The cost of paying a ransom to cyber attackers.
  • Hiring professionals to negotiate with hackers to lower the ransom and recover data.
  • The costs to restore access to files that were encrypted in the attack.

Data Restoration

A major cyber incident can result in the loss or damage of critical business data. Data restoration coverage ensures that your business can recover data, whether through backup systems or through a data recovery service. This helps minimize disruption and keeps your business running smoothly.

Reputation Management

In the aftermath of a cyberattack, it's crucial to rebuild the trust of customers, partners, and investors. Many policies now include reputation management as part of their coverage. This often includes:

  • Hiring public relations (PR) firms to manage crisis communication, create statements, and mitigate any potential damage to your business's reputation.
  • Guidance on how to communicate with affected customers and stakeholders to maintain transparency.

Third-Party Liability Coverage

Third-party liability coverage safeguards your business against claims from external entities, such as customers, vendors, or partners, who are impacted by your cyber incident. If a breach or attack affects individuals or organizations outside your company, this coverage provides financial and legal protection.

Privacy Liability

This coverage protects your business if sensitive customer data is lost, stolen, or exposed in a breach. It typically includes:

  • Coverage for legal costs if you're sued for mishandling personal data.
  • It may also cover costs if a third party suffers losses due to your data breach.

Regulatory Defense

Cyber incidents often come under the scrutiny of regulatory bodies, such as the Federal Trade Commission (FTC) or other industry-specific regulators. If your business is investigated or fined for violating data protection laws, regulatory defense coverage can help with:

  • Paying fines or penalties imposed by a regulator for non-compliance.
  • Mitigating the costs of defending your business against regulatory actions, which can be considerable.

Media Liability

If your business experiences a cyberattack leading to online defamation, copyright violations, or the disclosure of sensitive information (like trade secrets), media liability coverage offers protection. It includes:

  • Defamation Claims - If a data breach leads to defamatory statements or online reputational damage, this policy helps cover the legal costs of defending the claims.
  • Infringement Cases - If a cyberattack leads to intellectual property violations, media liability coverage provides the financial resources to address infringement claims.

Defense and Settlement Costs

If your company is sued following a data breach or cyberattack, third-party liability coverage can help cover legal defense costs. This can include:

  • Paying for attorney fees in a data breach lawsuit.
  • Covering settlement or judgment costs if your company is found liable.

Optional Riders and Custom Coverage

Cyber insurance policies often allow businesses to add extra coverage based on their specific needs or threats. These optional riders can offer more tailored protection for unique risks your business might face.

Social Engineering Fraud

One of the most common types of cyber fraud today is social engineering fraud, which involves phishing attacks or other deceptive tactics designed to trick employees into revealing sensitive information, transferring funds, or giving access to internal systems. Social engineering fraud coverage helps protect against:

  • Financial losses if an employee is tricked by a phishing scam.
  • Financial losses through fraudulent transfers by attackers.

Hardware "Bricking"

Some cyberattacks cause physical damage to business devices, rendering them useless, a scenario known as "bricking." This rider covers the costs associated with replacing or repairing devices that have been permanently damaged by a cyberattack.

Technology Errors and Omissions (E&O)

This type of coverage is especially important for technology service providers, such as IT firms or software developers. Technology E&O protects businesses against claims resulting from errors or failures in the technology they provide.

What Cyber Insurance Often Doesn't Cover

Understanding what a cyber insurance policy doesn't cover is as crucial as knowing what it does. Below are typical exclusions that small business owners frequently overlook, which can leave them vulnerable to specific risks.

Negligence and Poor Cyber Hygiene

Many insurance policies have strict clauses regarding the state of your business's cybersecurity. If your company fails to implement basic cybersecurity practices, such as using firewalls, enabling Multi-Factor Authentication (MFA), or keeping software up to date, your claim could be denied.

Pro Tip: Insurers increasingly require proof of good cyber hygiene before issuing a policy. Be prepared to show that you've conducted employee training, vulnerability testing, and other proactive security measures.

Known or Ongoing Incidents

Cyber insurance does not provide coverage for cyber incidents that were ongoing before your policy took effect. For instance, if a data breach or attack commenced prior to the start of your coverage, the insurer will not cover damages associated with those events. Similarly, if you were aware of a vulnerability and did not address it, your insurer might reject the claim.

Pro Tip: Always ensure your systems are secure before purchasing insurance, and immediately address any known vulnerabilities.

Acts of War or State-Sponsored Attacks

In the wake of high-profile cyberattacks like the NotPetya ransomware incident, many insurers now include a "war exclusion" clause. This means that if a cyberattack is attributed to a nation-state or government-backed actors, your policy might not cover the damage. Such attacks are often considered acts of war, outside the scope of commercial cyber insurance.

Pro Tip: Stay informed about such clauses and be sure to check your policy's terms.

Insider Threats

Cyber insurance typically doesn't cover malicious actions taken by your own employees or contractors unless your policy specifically includes "insider threat" protection. This can be a significant blind spot, as internal actors often cause severe damage.

Pro Tip: If you're concerned about potential insider threats, discuss specific coverage options with your broker to ensure your policy includes protections against intentional damage from insiders.

Reputational Harm or Future Lost Business

Although numerous cyber insurance policies might include PR crisis management services, they typically do not cover the enduring reputational harm or future business losses that may arise from a cyberattack. The repercussions of a breach, like losing customers or experiencing a drop in sales due to trust issues, frequently lie beyond the scope of coverage.

Pro Tip: If your business is especially concerned about brand reputation, consider investing in additional coverage or crisis management services. Reputational harm can have far-reaching consequences that extend well beyond the immediate financial losses of an attack.

How to Choose the Right Cyber Insurance Policy

Assess Your Business Risk

Start by evaluating your exposure:

  • What types of data do you store? Customer, financial, and health data all require different levels of protection.
  • How reliant are you on digital tools or cloud platforms? If your business is heavily dependent on technology, you may need more extensive coverage for system failures or data breaches.
  • Do third-party vendors have access to your systems? Vendors can be a potential weak point. Ensure they're covered under your policy as well.

Your answers will highlight the areas that need the most protection.

Ask the Right Questions

Before signing a policy, ask:

  • Does this cover ransomware and social engineering fraud? These are growing threats that many businesses face, so it's crucial to have specific coverage for these attacks.
  • Are legal fees and regulatory penalties included? If your business faces a legal battle or must pay fines for a breach, you'll want coverage for these costly expenses.
  • What's excluded and when? Understand the fine print to avoid surprises if you file a claim.

Get a Second Opinion

Don't tackle this alone. Collaborate with a cybersecurity expert or broker who is well-versed in both the technical and legal dimensions of cyber risk. They can guide you through the intricate policy language and pinpoint any coverage gaps. Having a professional by your side ensures you're well-protected and aids in making the best choices for your business.

Consider the Coverage Limits and Deductibles

Cyber insurance policies have defined coverage limits and deductibles. It's crucial to ensure that the coverage limit matches the potential risks your business might face. For instance, if a data breach could result in millions in losses, your policy limit should adequately cover that amount. Additionally, review the deductible amounts, which are the expenses you'll need to cover out of pocket before the insurance takes effect. Select a deductible that your business can comfortably manage in the event of an incident.

Review Policy Renewal Terms and Adjustments

Cyber risks are continually changing. A policy that protects you today might not address new threats tomorrow. Review the terms for policy renewal and modifications. Does your insurer provide regular reviews to keep your coverage up to date? Make sure you can adjust your coverage limits and terms as your business expands and as cyber threats change. It's crucial that your policy adapts to your business needs.

Cyber insurance is a wise choice for any small business, but only if you fully understand what you're purchasing. Knowing what is covered and what isn't can be the difference between a seamless recovery and a complete shutdown.

Take the time to evaluate your risks, scrutinize the details, and ask the right questions. Pair insurance coverage with robust cybersecurity measures, and you'll be well-prepared to tackle whatever challenges the digital world presents.

Do you want help decoding your policy or implementing best practices like MFA and risk assessments? Get in touch with us today and take the first step toward a more secure future.

About Newport Solutions

Newport Solutions has been helping small businesses in Orange County, CA for almost 20 years. Our dedicated team provides comprehensive IT services, ensuring your business operates smoothly and efficiently. From IT support to cybersecurity, we've got you covered. Discover how we can become your business's IT department today.

We proudly serve the following areas: Newport Beach, Irvine, Costa Mesa, and the greater Orange County region.

Contact Us to learn more.

 
