Can You Buy Insurance Against Cyberattacks? Yes — Here’s How


Cyberattacks are more common than ever. 

Security magazine reports that instances of cyberattacks increased 17% in the U.S. from Q4 2020 to Q1 2021. Over the longer term, growth in data breach activity has been linear, rising steadily as individuals and businesses do ever more in the digital world.

When we look back, 2021 could turn out to be a watershed moment for the cybersecurity industry. Two high-profile attacks during the first half of the year — JBS and Colonial Pipeline — broke through and dominated the news cycle for days. They demonstrated to people who might not have been paying attention that, yes, digital security is deadly serious.

Or things could go back more or less to the way they were. It’s too early to tell.

What we do know is that individuals and businesses can take measures right now to reduce their exposure to malicious cyber activity and speed recovery from data breaches.

We won’t review all of them here. Let’s, instead, zoom in on one lesser-known measure that enterprises in particular should explore: cybersecurity insurance, also known as data breach insurance (and by some other names as well).

What Is Cybersecurity Insurance?

Cybersecurity insurance is “designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage,” according to CISA, the U.S. government’s dedicated digital security agency. It can reduce the financial risk of doing business in the digital realm.

It’s important for prospective policyholders to understand that cybersecurity insurance is not preventive, says Maryland attorney Alex Brown, who specializes in insurance law and digital security issues. “Cybersecurity insurance coverage does not eliminate your exposure to cyber threats,” says Brown. “But it can reduce the costs associated with cyberattacks and data breaches, including recovery costs.”

Those back-end costs, adds Brown, can be ruinous for badly affected businesses.

Cybersecurity policies generally provide first-party and third-party coverage. First-party coverage addresses losses sustained by the policyholder itself due to covered digital events, such as hacks and data breaches. Third-party coverage addresses losses sustained by third parties, such as the policyholder’s customers or vendors, due to events affecting the policyholder. Both types of coverage are important for mitigating the cost of a cyberattack.

What Does Cybersecurity Insurance Cover? Benefits and Exclusions

Cybersecurity insurance is a relatively new type of liability coverage, one that continues to iterate as the digital threat landscape evolves. While we can’t confidently predict what cybersecurity coverage will look like 10 years from now, we do know what it offers for covered businesses in the shorter term.

Simply put, cybersecurity insurance provides financial and liability protection against a wide range of digital risks. The typical policy covers costs associated with events such as:

  • Paying off ransomware attackers
  • Repairing or replacing computer systems and equipment damaged or rendered unusable by cyberattacks, including ransomware attacks
  • Recovering data lost or stolen in the course of a cyberattack
  • Notifying customers and other stakeholders of an attack
  • Providing financial compensation to customers and other third parties affected by an attack, including legal fees
  • Hiring digital forensics specialists to recover lost data or investigate the attack
  • Covering the cost of identity restoration for affected third parties

Traditional business liability insurance policies (CGL insurance) do not cover the costs associated with cyberattacks. Your CGL policy may specifically exclude coverage for cyberattacks.

That’s not to say that cybersecurity insurance covers every cost or eventuality that could come about after a cyberattack or data breach. Keeping in mind that cyber-insurance is a fast-changing field and that it’s always best to consult with a commercial insurance expert before purchasing coverage, you should not expect your policy to cover costs related to:

  • Insider attacks (a breach that can be traced back to an individual on your payroll or with access to your internal network)
  • Infrastructure damaged or corrupted by natural events or accidents, such as a fiber optic line cut during construction or storm damage to a data center
  • Cyberattacks that occurred before the policy went into effect
  • Cyberattacks that exploited known vulnerabilities not corrected by the policyholder
  • Proactive measures meant to reduce the risk or fallout from a cyberattack, such as investing in better encryption

When Cybersecurity Insurance Coverage Makes Sense and How to Buy It

Despite its limitations, cybersecurity insurance can be a cost-effective addition to a commercial insurance portfolio. 

Buying it is simply a matter of speaking with an insurance agent or insurer representative and reviewing your options. Most insurance companies that offer commercial insurance now offer cybersecurity coverage as a standalone policy or as part of a more comprehensive policy bundle. As always, understand what your policy does and does not cover before you commit to the contract.

Does your business need cybersecurity insurance? If your enterprise relies on digital infrastructure to generate revenue or support critical business operations, probably so. Cybersecurity insurance is a boon for businesses that:

  • Store or manage information that can personally identify individuals, like names and addresses
  • Store or manage sensitive information, like credit card and Social Security numbers
  • Lose revenue or sales when their computer systems go down or lose access to the Internet
  • Manage inventory, payroll, or other critical business processes in the cloud

Take a Closer Look at Cybersecurity Insurance

This is only a bare overview of cybersecurity insurance. There’s a lot more to learn on the subject. Again, your insurance agent or trusted insurance law expert is the best resource for your business as you work toward a decision.

One last thing. Cybersecurity insurance is still quite new as a standalone product, and the market for it is not fully developed. The state of play is all but certain to change in the coming years.

Business owners and operators could be the beneficiaries if they’re willing to put in the work. According to CISA, a more robust cyber-insurance market is likely to incentivize policyholders to take more proactive measures to prevent cyberattacks, perhaps by reducing premiums for policyholders that adopt preventive best practices. We’ve seen something similar in other insurance markets; why not cybersecurity? 
