What Is Cyber Liability Insurance, and Do You Need It?

According to the Identity Theft Resource Center, businesses experienced 571 breaches in 2018, exposing over 415 million employee and customer records.^[] Business breaches accounted for almost half—46%—of all breaches. Although we most often hear about big corporations falling victim to cyberattacks, small businesses are the most vulnerable.

Without big technology departments and IT staff, small businesses are most likely to need cyber liability insurance. This type of small business insurance will help you respond effectively to a cyber breach, cover your costs, and quickly move on. In this article, you’ll learn more about what cyber liability insurance covers, what it costs, and where to purchase it.

Cyber liability insurance, sometimes short for cybersecurity, privacy, and media liability insurance, helps your company respond in the event of a cyberattack or data breach. If your network or computer systems are hacked into or corrupted by a virus, for example, cyber liability insurance can be essential.

Often, a general liability insurance policy or professional liability policy will contain basic cyber liability coverage. However, businesses that store personally identifiable information (PII) for employees or customers should have stand-alone or enhanced cyber liability insurance. PII includes any data that can be used to identify a particular individual, such as name, data of birth, email address, social security number, credit card number, or bank account number.

There are numerous ways that a cyber breach can occur. For example, hackers can send phishing emails to customers in which they masquerade as your company. If a customer clicks on a link in the email, the hackers can steal PII. Or a hacker might use a virus or ransomware to corrupt your data files.

The main way to protect yourself against cyberattacks is with strong internal safeguards. For example, small business owners should limit access to PII to a limited number of people in the organization. You should have strong passwords on electronic devices and to access different software tools. And you should regularly update your passwords and software.

According to Brian Gill, cofounder of Gillware Data Recovery, “Security should be the number one boardroom agenda of any business. Technical and physical safeguards should be in place. Insurance coverage is an added layer of protection which enables the business to call upon the insurer in their moment of need.”

Cyber liability coverage can vary widely based on which insurer you’re purchasing the insurance from.  The reason is that there’s no such thing as standard cyber liability insurance. Insurers have started offering cyber coverage only within the last couple of decades.

Judy Selby, a cyber law expert and principal at Judy Selby Consulting LLC, says, “Unlike many other more traditional lines of insurance, there is no standard policy form for cyber insurance. Each cyber insurer has its own policy form, utilizing its own, unique policy language. This creates challenges for companies trying to compare one cyber insurance policy with another.”

Despite the variations, Selby says most insurers offer two types of coverage within a cyber liability policy:

This coverage pays for immediate expenses that a company incurs after a cyber breach. This includes:

• Cost of notifying employees and the public
• Repairing any damaged software or hardware
• Protecting the company’s reputation with a marketing and public relations response
• Business interruption costs and missed income while business operations are suspended
• Extortion money (used to appease a hacker who threatens your data or systems unless you pay them a ransom)
• Other ancillary costs, such as paying for credit monitoring for customers

This coverage helps the company defend against lawsuits and legal claims. This includes:

• Privacy lawsuits claiming that you breached the privacy of customers or employees
• Fines from regulatory bodies
• Media liability claims, such as copyright infringement, libel, or slander.
• Breach of contract or negligence claims

On top of first- and third-party coverage, some insurance companies also provide risk mitigation services to help you identify and avoid cyber threats before they happen. After a breach has occurred, some insurers will set up a hotline that customers and members of the public can call to get more information.

It’s important to carefully read through your cyber liability insurance policy and understand any exclusions.

Cyber liability insurance commonly excludes all of the following:

• Bodily injury or property damage claims: Cyber liability insurance won’t protect claims of bodily injury or property damage. That’s where a general liability policy comes in.
• Loss of property: Losing a piece of property, like a phone or computer, is generally covered by commercial property insurance, not a cyber policy.
• Criminal activity: Typically, a cyber liability policy won’t insure against fraud, robbery, employee theft, or other crimes. Commercial crime insurance can offer this coverage separately.
• Social engineering: One way in which cyber criminals target their victims is through social engineering—tricking people into transferring company funds. Not all cyber liability policies cover social engineering. This may come with a smaller coverage limit, or it might be an optional add-on.

When you purchase a cyber liability policy, you agree to maintain appropriate security measures in order to prevent a cyber incident from happening in the first place. If you fail to maintain these security measures, then coverage might be denied. For example, let’s say that an employee accidentally clicks on a link in an email, which causes malware to corrupt the company’s computer systems. If it’s later found that the company didn’t install any anti-malware software, the insurance company could deny coverage for failure to use preventative measures.

As this example shows, it’s important to know what you’re agreeing to and to have proper security procedures in place. You can put these protocols in place on your own. Alternatively, there are external security firms that can help you get up to speed.

Cyber liability insurance can cost anywhere from as little as $500 per year to as much as $50,000 or more per year. By tailoring coverage to your business’s needs, you should be able to find a cyber liability policy that fits your budget.

Here are the factors that affect the cost of cyber liability insurance:

• Coverage limits: The higher and more complex your coverage needs, the more expensive your policy will be. For example, if your company uses multiple servers or if you store a lot of customer data, your insurance will be more expensive.
• Data access: Limiting access to sensitive data can help you save money. For instance, if you grant data access only to senior employees, that could help. Having an in-house security expert can lower costs as well.
• Security measures: Effective security measures, such as installing antivirus software and network firewalls and regularly updating your passwords, can lower your premiums.
• Industry: A business that operates primarily online will face more cyber threats, and pay correspondingly more, than a brick and mortar business with a low-traffic website. Similarly, businesses in certain industries—like healthcare and accounting—that store the most sensitive types of data will also pay a higher premium.
• Claims history: If you have a history of multiple claims, the insurance company might charge you a higher premium.

Compared to other types of business insurance, the cost of cyber liability insurance is higher because the fallout can often be much greater. When you add up all the costs involved with a cyber incident, it can be very expensive. A small business needs to contain the crisis, respond to customers, deal with public relations damage, fix damaged hardware or software, recover lost profits, and cover the cost of any legal claims.

It can be challenging to figure out how much cyber liability coverage you need. Essentially, you need to work backward from a hypothetical cyber incident and figure out how much coverage it would take to recover from the breach.

According to a study by IBM Security and the Ponemon Institute, the average cost of a data breach was $148 per affected record in 2018.^[2] The same study found that the average time required to identify and contain a breach was 197 days and 69 days, respectively.

We suggest using those numbers as jumping-off points for your own business. Consider how many sensitive records you store, what type of records, and where they are stored. If your business experienced a breach, what measures would you need to take to inform your customers and protect their interests? How long would this take? On what channels do you store sensitive data (e.g. website, remote services, mobile devices, etc.)?

How much would it cost to replace any affected hardware or software? Do you have an in-house security team that can help you mitigate the damage, or would you need to bring in a consultant from outside the organization? Do you have an in-house public relations professional to answer questions from the public about the breach?

Answering these questions can help you figure out how much coverage you need to protect your business. Business owners who don’t have the technical interest or knowledge can hire an IT security firm to audit the business and determine risk levels. After an audit, an insurance broker should be able to help you double-down on your coverage limits.

When in doubt, says Shari Claire Lewis, a partner in Rivkin Radler’s Privacy, Data & Cyber Law practice group, consider going up in coverage. “Surprisingly, the cost of insurance coverage does not generally go up in direct proportion to the amount of coverage. Because the vast quantities of claims will occur in the lowest level of insurance, additional coverage is often quite affordable. We recommend that any business… purchase the amount of coverage that it can afford.”

Photo credit: Aig.com

A good place to start when shopping for cyber liability coverage is an insurance company that you already know well. If you have a general liability or professional liability policy, then check if your policy already contains some cyber liability coverage. For most businesses, this won’t be sufficient, but it’s a good starting place. From there, you can find out if your insurer offers separate cyber liability insurance, or check out the insurers listed below.

We highly recommend working with an insurance company that is rated A or higher by A.M. Best. A.M. Best is an internationally recognized credit firm that rates the financial solvency of insurance companies. An A rating or higher means that the insurer has enough funds to pay out all valid claims.

These are the best insurance providers for cyber liability insurance:

Hiscox is an A rated insurance company that’s highly experienced in cyber liability insurance. They’ve been underwriting cyber liability coverage for more than 20 years and handle over 1,000 cyber insurance claims each year. Their primary cyber liability product, designed for small businesses that make $1 billion or less in annual revenue, offers up to $10 million in limits.

Cyber liability insurance from Hiscox includes both first and third party coverage. For third party coverage, you’ll be compensated whether the legal claim alleges statutory violations, regulatory violations, negligence, or breach of contract. If you have to fully or partially stop your business while you respond to the breach, Hiscox provides a minimum hourly compensation for lost business income. There’s also full coverage for any identity or credit restoration that you have to provide to your customers or employees as a result of a judgment or settlement.

Even better, you can enjoy complimentary pre-loss breach prevention and post-loss breach response services. This includes one hour with a data breach coach to assist you in responding to a breach.

AIG is one of the best, A rated insurers for purchasing cyber liability insurance. They currently own the largest share—22%—of the cyber liability market.^[3] Recently, AIG won the 2018 award for Cyber Risk Innovation of the Year.

Cyber insurance from AIG is extremely customizable, with limits available of up to $100 million. AIG is ahead of other insurance companies that only sell standalone cyber liability policies. AIG sells stand-alone coverage, but you can also integrate cyber coverage into your property or general liability policy. You can even choose whether you want first- and third-party coverage, or just first-party coverage.

AIG tries to help their clients prevent cyberattacks. For example, every cyber insurance applicant (even if you don’t buy a policy) gets a “CyberMatics” threat score pinpointing your security vulnerabilities and suggesting action items for improvement. You’ll also get benchmarking reports to compare the coverage purchased by other firms of your size and in your industry.

Chubb is a prominent, A++ rated insurance company that sells many types of business insurance, including cyber insurance. This insurer has the second biggest market share for cyber insurance, occupying 12% of the market. Chubb’s cyber coverage integrates cyber, network, privacy, and media liability coverage and contains first and third party insurance.

Although Chubb has a few different cyber liability policies, their most popular option is the Cyber Enterprise Risk Management policy (Cyber ERM). This policy is available for online quote and purchase and permits $10 million to $100 million in coverage limits. Chubb’s coverage territory is worldwide, so it doesn’t matter where a data breach originates. They have a broad definition of PII to include biometrics data, photos and videos, and internet browsing history. Social engineering, funds transfer fraud, and computer fraud can optionally be included in a Chubb policy.

Liberty Mutual, an A rated insurance company, adapts cyber liability insurance for the needs of small business. AIG and Chubb tend to attract midsize and large corporate customers, whereas Liberty Mutual is aiming to make cyber insurance accessible to smaller companies.

You can purchase cyber liability insurance as part of a Liberty Mutual general liability policy or business owner’s policy (BOP). This is called a Data Security endorsement, and it has four optional parts:

1. Data Compromise Response Expense: First-party coverage for expenses resulting from a data breach.
2. Attack and Extortion: First-party coverage for expenses associated with repairing or restoring data and systems after a breach.
3. Data Compromise Defense and Liability: Third-party coverage for legal claims brought as a result of a data breach.
4. Network Security Liability: Third-party coverage for losses resulting from a breach of confidential business data owned by a third party.

With each of these four coverage options, you can get aggregate limits up to $1 million and deductibles varying between $2,500 and $10,000 per incident.

CoverWallet is a good option for business owners who want to shop around for cyber liability insurance and aren’t sure where to start. CoverWallet is an insurance marketplace that lets you compare quotes and insurance offerings from multiple insurers. Answer a few questions about your business, and you’ll have cyber liability quotes ready to go from multiple A rated insurers.

You’ll be able to compare the different coverage options and see which one makes the most sense for your business. Complete your purchase online or by speaking to a CoverWallet rep over the phone in cases where the system can’t generate an online quote. There’s no additional premium that you’ll pay for the convenience of using a marketplace since insurers pay CoverWallet a small amount for each policy sold through the platform. Once you have your policy, you can access policy documents, get proof of insurance, and make payments from your CoverWallet online account. For claims filing, you’ll need to go directly to the insurance company.

Cyber liability coverage is still very much an evolving area of insurance. Since insurance companies are still relatively new to this space, there isn’t always a lot of clarity around what cyber liability insurance covers and doesn’t. That makes it ultra important to read through your entire policy before committing, preferably with the help of a broker or insurance professional. With the right cyber liability policy, you can avoid the costs and harm to your brand that can otherwise result from a cyber breach.