What is Cybersecurity Insurance?
Cybersecurity insurance, also referred to as cyber liability insurance or cyber insurance, is a contract that an entity purchases to protect itself against losses resulting from a cyberattack. The contract helps reduce the financial risks associated with doing business online, because the insurance policy transfers some of that risk to the insurer. Because cybersecurity insurance is an emerging industry, coverage and policies differ dramatically and are changing rapidly. Consider the following aspects when determining which policy features would be beneficial for your organization.
Covered incidents. Some of the types of cyber threats or breaches that cybersecurity insurance policies may protect against include [1]:
- Data breaches of sensitive customer information such as credit card numbers, account numbers, social security information, driver’s license numbers, and health records
- Cyberattacks on organizational data held by vendors and other third parties
- Cyberattacks, such as breaches of the network
- Cyberattacks that occur anywhere in the world
- Acts of terrorism
First-party coverage. First-party coverage protects employee and customer data and may include business expenditures relating to:
- Legal counsel employed to determine your notification and regulatory obligations
- Recovery and replacement of data
- Customer notification and call center services
- Income lost to business disruption
- Crisis management
- Public relations
- Cyberextortion and fraud, such as ransomware extortion demands
- Investigation and forensic services
- Fees, fines, and penalties related to the cyberattack
- Identity restoration for those whose PII was compromised
- Repairing or replacing damaged or compromised computer systems
Third-party coverage. Third-party coverage protects you from liability if a third party brings a claim against you; the coverage may include:
- Payments to those affected by the breach
- Claims and settlement expenses relating to disputes or lawsuits
- Losses relating to defamation and copyright or trademark infringement
- Costs for litigation and responding to regulatory inquiries
- Settlements, damages, and judgments
- Accounting expenses
Exclusions. Some examples of what cybersecurity insurance policies may not cover include:
- Preexisting or prior breaches that occurred before the policy was purchased
- Failure to correct a known vulnerability
- Infrastructure failures that are not caused by a cyberattack
- Incidents experienced by subsidiaries outside of your control
- Business interruption from third-party computer system failures
- Criminal proceedings including criminal action, criminal investigation, or grand jury proceedings
- Intentional acts such as fraud, criminal conduct, or malicious acts done by you or your employees
- Costs to improve technology systems, including those designed to harden system security or application security
[1] FTC, 2022, “Cyber Insurance”