The Murky World of Cyber Insurance [Updated for 2021]

Surprising Facts about Cyber Insurance

[This article is meant to be used as general information and guidance. Anderson Technologies is not a legal advisor or cyber insurance provider, and we recommend businesses use those resources when making insurance decisions.]  

Worried about the damage and downtime a ransomware attack could have on your business? You and many other business owners are not alone. After incidents such as the Colonial Pipeline ransomware attack in May 2021, all verticals are reevaluating how their own companies would fare and if their insurance policies cover all the expenses such an attack would incur.

A recent story illustrates the importance of cyber insurance and knowing its requirements. Like many other workplaces, the city of Mobile, Alabama requires all city employees to complete a mandatory cybersecurity training in order to comply with a provision in the city’s insurance policy. When a city councilman refused the training on the grounds of personal freedom, authorities blocked his email account according to the city’s policies. This inaction violated the city’s insurance policy.

This situation highlights the policy pitfalls that could gum up the reimbursement process after a major attack. Even the most diligent business can fall prey to determined cyber criminals.

Small business owners need to add a cyber insurance plan to their existing insurance coverage, or they may find themselves in a dire financial situation.

Why Is Cyber Insurance Necessary?

Back when cybercrime was just becoming a major financial problem, insurance policies often didn’t explicitly include or exclude cyberattacks and associated damages. If the insured party claimed that the damages from a cyberattack fit the definitions of the policy’s terms and the insurer paid out, that was considered “silent cyber” coverage. Insurance companies have been taken to court for failing to pay this “silent cyber” coverage, and some policyholders have successfully won, but this is not always the case.

Insurance companies can refuse to pay for damages from cyberattacks, and many now explicitly exclude cyber damages from general business insurance policies in favor of separate cyber insurance policies. That lack of guaranteed coverage should concern small business owners who do not have a dedicated cyber insurance policy.

What Types of Cyber Insurance Are Available?

When choosing cyber insurance policies, there are two main types of insurance coverage available: first-party coverage and third-party coverage. Buyers need to know the differences between these two types of coverage and carefully examine the necessity of both for their own company.

For a quick overview on what cyber insurance policies should include, the Federal Trade Commission provides a helpful checklist for small businesses.

First-Party Coverage

First-party coverage involves the costs incurred directly by the insured company as a result of a cyberattack. The types of expenses or damages first-party cyber insurance can cover include:

  • the cost to restore or replace data and software destroyed or stolen in a breach
  • the cost of investigating a data breach or cyberattack
  • income lost during downtime
  • the cost to restore the business to working order
  • the cost of a ransom demand, if paid
  • the cost of notifying all necessary parties, including customers, if personally identifiable information (PII) or electronic protected health information (ePHI) is compromised
  • the cost of crisis management to deal with the media/public fallout from a security breach

Third-Party Coverage

Third-party coverage involves the cost of any legal action taken against you as a result of a breach. This could be by customers or business partners whose data is compromised. Third-party cyber insurance can cover:

  • claims of negligence that resulted in the cyberattack and breached data
  • claims for failure to fulfill a contract due to system downtime or lost data
  • claims of defamation, invasion of privacy, or copyright infringement as a result of exposed data
  • settlements or damages owed to injured parties
  • fines imposed by regulatory or state agencies

For businesses at risk of breaching client or customer data, both types of cyber insurance may be necessary to cover all possible expenses. Avoid simply bolting a cyber insurance agreement onto existing policies without carefully reviewing the language and associated coverage. A thorough risk assessment of the business can help determine the best course of action.

Denial of Coverage

Just because a business has purchased cyber insurance doesn’t mean the insurance company will pay a claim in the event of a breach.

Many policies have exclusions for specific situations or require businesses to maintain a certain level of cybersecurity infrastructure for a claim to be paid out.

This can include the inherent obligation of a business to protect its data, even if another entity holds that data, such as a cloud storage provider. The language in cyber insurance policies can be broad, depending on the insurer or terms, so small business owners should thoroughly discuss what is expected and how the insurer defines the terms of all requirements and exclusions.

Some insurance companies provide a risk self-assessment to businesses before agreeing to sell the policy. If the business doesn’t maintain the standards laid out in the risk self-assessment, or if the answers provided are false or misleading—even by accident—then the insurance company can void the policy.

An exclusions clause in P. F. Chang’s cyber insurance policy cost the popular Chinese restaurant chain $1.9 million after its breach of customer data, which included credit card numbers. The policy excluded any “contractual obligations” that P. F. Chang entered into with third parties. In this case the court agreed that P. F. Chang’s contract with Mastercard to pay fines in the event of a breach fell under this exclusion.

Another business, a custom printing company in Maryland, suffered a ransomware attack and decided to pay the ransom for the return of their data. However, the company later discovered the cyberattack had left lasting damage on their computer infrastructure and filed a claim to replace it. Their insurer initially fought the claim, insisting that damage that wasn’t physical was not covered by the policy. Had it not been for one specific inclusion in their policy, the printing company would have been left with their fried software and slow systems.

In order to ensure cyber insurance policies provide the financial support they’re supposed to, businesses should:

  • carefully read all requirements and exclusions listed in the policy, and make sure all vocabulary is clearly defined to avoid ambiguity
  • answer all risk self-assessments accurately and thoroughly, avoiding or explaining absolute questions (yes or no) whenever possible
  • invest in the level of cybersecurity required by the insurance company or better
  • make sure the policy covers all the types of cyberattacks the business is at risk for
  • have both first- and third-party coverage, if applicable
  • include lawyers, company decision makers, and your IT partner in cyber insurance conversations

The last thing a business needs after a cyberattack or data breach is to find out their insurance won’t help pay for the damages.

The Growing Need for Cyber Insurance

The necessity of explicit cyber insurance coverage will only become more prevalent. A robust business continuity and disaster recovery plan can get you back in business without as much downtime, but the cost of the intrusion may continue to rise if PII or ePHI is exposed in the breach.

Fines issued by the Department of Health and Human Services for HIPAA Privacy and Security violations range from the tens of thousands to millions. At the same time, state and international privacy laws, like the California Consumer Privacy Act and the EU’s General Data Protection Regulation (GDPR), are stricter and impose increased fines that raise the total cost of a data breach.

No matter how secure your IT infrastructure or how diligent your IT support team, it only takes one employee clicking on the wrong link or visiting an infected webpage for cybercriminals to invade your systems. When that happens, small businesses need the financial support cyber insurance provides to investigate the breach, recover the business, and manage the public damage. Without aid, the cost of a breach may prove too expensive for small businesses.

Are you looking for an ally to help you implement the requirements of your cyber insurance policy? Don’t let your insurance company leave you high and dry in a crisis. Contact Anderson Technologies today to shore up your cybersecurity infrastructure.