Kosh gets asked all the time about cybersecurity and what cyber insurance actually covers and whether or not a business even needs cyber insurance (see our article: Is cyber insurance necessary for my business?). We asked a couple of insurance brokers from New Mexico and Orange County to break down what they have seen covered and not covered by cyber insurance.
Nickie Tran, President of IQ Risk Insurance Services in Orange County, says the biggest risks cyber insurance is protecting you from are:
Indemnification for legal fees and expenses
Customer notifications in the event of a breach
Option to monitor the information of anyone impacted for a specified period
Costs incurred in the recovery of compromised data
Costs of repairing damaged computer systems
In general, cyber insurance covers man-made risks. This typically means covering a combination of first-party (the policyholder) and third-party costs. The two main areas of coverage are ransomware and data breaches.
Use the calculator below to get a rough idea of the cost of a breach.
Typically covered by cyber insurance
Cleaning of your technology system to get rid of the ransomware, unlocking your technology, and a forensics investigation to find how the ransomware entered your system. This work would need to be performed by a cyber security IT professional.
Payment of the ransom to recover access to systems and data. Ransom is typically negotiated by a third-party and payment is usually in the form of cryptocurrency.
Lost income during the time your network is down.
Data leaks can be a costly security breach, especially in the healthcare and financial industries. Insurance usually covers:
getting your systems back to “normal” operation
forensic investigations to determine where the leak occurred, and
remediation to fix the leak
notification expenses to alert customers that their information was compromised
claims from third parties that they have been damaged due to your leak (maybe they are claiming reputational damages)
regulatory fines from state or federal agencies
Things that are not covered by cyber insurance
War exclusion - The war exclusion clause in an insurance policy says you will not be covered if the attack is an act of war. For example, if Russia is launching cyber-attacks against the United States and the US government determines these are acts of war, then insurance may not cover these damages.
Intellectual property – loss of value due to the theft of your intellectual property through cybercrime.
Technology improvements – the cost of improving or upgrading your systems or security after a data breach.
Technology errors and omissions
Lastly, it’s good to understand that many cyber liability policies DO NOT cover errors and omissions. Technology Errors and Omissions insurance protects a company that makes a mistake or forgets to perform a critical task that damages a client financially. Examples of this are recommending inappropriate technology or missing project deadlines. If your client ends up suing to recover losses, Technology Errors and Omissions will usually pay for:
Legal judgments (what you are ordered to pay)
Money paid to settle the lawsuit
Related legal costs (i.e., expert witness fees)
Technology errors and omissions can usually be added to your cyber liability insurance. It's best to work with your broker to determine if your business is exposed to these risks and needs this kind of coverage.
Quick Cyber Insurance FAQ:
Does cyber insurance cover data loss?
Typically, cyber insurance covers data loss. This includes attempts to recover or rebuild data.
Do you have a Cyber Insurance Coverage Checklist?
Kosh has developed a checklist that will cover most questions an insurance carrier will ask. Enter your info below and we will email this useful checklist to you!
What are cyber insurance benefits?
The number one benefit of having cyber insurance is risk mitigation.
Are there cyber insurance coverage limits?
For small to medium-sized businesses, finding an insurance policy up to $100 million is not difficult. For mega-enterprise insurance solutions, companies wanting up to $2 billion in coverage, would have to have a specialty product made for them.
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.