For owners of businesses of all sizes, cyber threats are a real concern. Data breaches, malware, ransomware, and other cybercrimes are all too common. In fact, according to the Internet Crime Report released by the FBI, the number of cybercrime complaints rose by 7% in 2021, with total money lost increasing by a whopping 64%.
Cybercriminals stole nearly $2.4 billion by hacking email accounts at businesses, mostly due to the increase in remote work over the last two years. Unfortunately, for many organizations, especially small businesses, coming back after a financial loss can be challenging if not impossible.
In the event of cybercrime, some businesses may benefit from cybersecurity insurance. Cybersecurity insurance generally covers a business’s liability for a data breach or other cyber incident. Essentially, it helps reduce the financial loss incurred when a fraudster infiltrates an organization.
Not all cybersecurity insurance is the same, and it doesn’t cover every financial risk associated with a cybercrime. Let’s take a look at the different types of coverages available, what is excluded, and the types of businesses that may benefit from cybersecurity insurance.
Types of Cybersecurity Insurance
When a business is the victim of a malicious cyber event, there are many different assets at risk. Their personal information, privacy, and operations can be affected, and sensitive customer data such as social security numbers, bank routing numbers, and more can fall into the wrong hands. Depending on the type of attack, different types of cybersecurity insurance can minimize the damage.
First Party Coverage
First party coverage protects a company’s data including both customer data and employee data. If a company has first party coverage, the policy will generally cover the cost of legal counsel, recovery and replacement of data including customer information, customer notification and call center services, lost income caused by business interruption, public relations, and more.
Third Party Coverage
Third party coverage, unlike first party coverage, protects an organization from liability if another party brings a claim against the company. Coverage includes payments to consumers affected by the incident, claims and settlements related to lawsuits, losses related to trademark infringement or defamation, costs for litigation, and accounting costs.
Privacy Liability Coverage
One of the most common repercussions of a cyber attack is the loss of personal customer data. With privacy liability coverage, a business will be financially protected in the event its customer data falls into the hands of a cyber thief. The policy typically covers financial losses associated with attorney and court fees for legal proceedings, settlements and court judgments, and regulatory fines.
Network Security Coverage
Network security coverage includes claims arising out of a breach of a company’s network and data storage. Some policies cover both online and offline information, denial of service attacks, and the failure to prevent a virus or malware from infecting the network. Coverage may include costs associated with notifying customers of a breach, credit monitoring, data restoration, call center fees, IT forensics, and legal fees.
Technology Errors and Omissions
Errors and omissions coverage (also called E&O coverage) protects an organization against cyber risks that prevent it from delivering services to clients or fulfilling contractual obligations. E&O coverage is similar to product liability coverage for companies that sell physical or digital products. Like other forms of cybersecurity insurance, E&O coverage will help minimize costs related to court fees, informing customers, and other first party claims. E&O does not extend to third party claims against a company.
Network Business Interruption Coverage
When a cybercrime affects an organization, one of the biggest casualties is the interruption of business. Network business interruption coverage helps businesses that rely on technology to keep operations going. This coverage can be used to offset the costs of fixed expenses, lost profits, and extra costs when a company is “offline” due to a cyber attack.
Cybersecurity Insurance Exclusions
Cybersecurity insurance policies are fairly new (within the last five years), and insurance companies are constantly adjusting what a policy covers and what it does not. Nearly all types of cybersecurity policies have exclusions that business owners should be aware of.
Generally, a policy doesn’t cover:
- Property Damage: Cybersecurity insurance usually only covers financial damages and excludes property damage losses. If a computer network is fried, for example, and needs to be replaced, the cost would not be covered by the insurance policy.
- Intellectual Property: Intellectual property losses are not included in cybersecurity insurance coverage. In order for intellectual property to be covered, a business would need intellectual property insurance.
- Self-Inflicted Crimes or Cyber Incidents: This may seem obvious, but absolutely no cybersecurity insurance carrier will issue a policy that protects a company that is involved in a crime related to a cyber attack.
- Potential Future Profit Loss: Unfortunately, cybersecurity insurance doesn’t cover future profit losses. This is why it’s important to recover quickly from a cyber attack and resume business operations as soon as possible.
- Cost of Technology Improvements: After a cyber incident, companies may want to invest in updating information technology security systems as part of their risk management process. Cybersecurity insurance does not cover this investment.
Who Needs Cybersecurity Insurance?
If you own a business, you may wonder if cybersecurity insurance is a good investment. The answer is “maybe,” depending on the type of business, what data you store about your team, customers, and operations, and whether or not you are poised to recover quickly after a cyber attack.
While there is no clear line about who should get insurance and who can opt-out, the types of businesses that may benefit from cybersecurity insurance include:
Businesses That Store Important Data
If your company stores sensitive business data such as phone numbers, social security numbers, credit card numbers, and bank account information, you are likely a target for cybercrime. Cyber thieves specifically target organizations that store large amounts of personal data and will go to extremes to get it.
If your business is storing your own financial data and personal customer data, first party coverage may be a good option. A real-world example: if your company is the victim of ransomware, where a cybercriminal holds your data hostage for a financial payout, the policy would likely pay the ransom so you can recover the data. As with all types of insurance, though, each policy is different and may have exclusions.
Businesses with a Large Number of Customers
Have a business with a large customer base? Cybersecurity insurance may be a good investment. One of the necessary steps after a data breach is to inform your customer base. In fact, notifying customers is often required by law. Costs associated with this process – call centers, direct mail, etc. – can easily skyrocket. First party coverage can help offset those costs.
High Revenue Businesses
Businesses with high revenue and valuable assets may be good candidates for cybersecurity insurance, particularly if the insurance premiums are lower than the combined value of the business. A cybersecurity insurance policy can greatly reduce the financial risk for this type of business.
For a small business with a low annual revenue, the cost of a policy may not be justified. It all depends on the projected cost to recover from a cyber attack versus the cost of the annual premiums.
Unsure if a cybersecurity insurance policy makes sense for your business? We understand – it’s a fairly new type of business insurance and can seem confusing. Before signing up for a policy, or walking away from one, consult with a cybersecurity team like Everound.
Cybersecurity Services for Central PA Businesses
Everound is a full-service managed IT services provider that helps businesses with their IT operational needs. Our team of experts can help you determine if cybersecurity insurance is a good fit for your business, and even help you procure a policy.
We can provide a free cybersecurity assessment to determine your risk for a cyber attack. Our assessment looks at your email security, network security, and endpoint security and offers cybersecurity improvement measures to reduce your risk.
Interested in learning more with a no-obligation consultation? Contact us today to get the conversation started.