What are the Top Considerations When Purchasing a Cyber Insurance Policy?

We asked a panel of 16 cybersecurity pros, insurance experts, and business owners who've purchased insurance what the top considerations businesses should make when buying their cyber insurance policies.

More and more businesses are beginning to understand the importance of having cyber insurance coverage to protect their company’s interests in the event of a data breach. With the threat landscape constantly evolving and new threats to watch out for emerging all the time, even businesses with a robust security posture can be at risk for a cyber attack.

According to Verizon’s 2019 Data Breach Investigations Report, small businesses comprise nearly half of all victims of reported data breaches. What’s more, the cost of recovering from a breach is steep; in fact, 60% of small businesses close their doors for good within six months of suffering a data breach. In many cases, these businesses are forced to close permanently because they can’t afford the high cost of data recovery and reputation damage, let alone the fines and penalties that now apply under GDPR and other data protection laws and regulations, such as the California Consumer Privacy Act.

Cyber insurance is a layer of protection that can help your company cover the costs of investigating a breach, meeting compliance requirements such as consumer data breach notifications and credit monitoring, business interruption, and third-party lawsuits. In other words, cyber insurance can provide your business with coverage that can make the difference between recovering from a data breach or being forced to close your business for good. But what should you look for when evaluating and purchasing a cyber insurance policy? To learn more about the most important considerations companies should weigh when choosing a cyber insurance policy, we reached out to a panel of cybersecurity pros, insurance experts, and business owners who've purchased insurance and asked them to answer this question:

"What are the top considerations when choosing a cyber insurance policy?"

Meet Our Panel:

Read on to learn what they had to say about the top considerations to weigh when purchasing a cyber insurance policy.


Walt CapellWalt Capell

@WaltCapell

Walt Capell is the President/Owner of Workers Compensation Shop.

"Most insurance carriers sell a pair of cyber insurance policies in tandem."

One deals with first-party damages to your business, and the other deals with third-party liability your business may face to outside third parties. If your business needs one, you most definitely need the other.

For a business owner, there are a few things to consider when purchasing cyber insurance. The most important considerations are what types of risks your business faces, what type of insurance your business needs, and what triggers a claim.

What type of risks does your business face?

First and foremost, a business owner should decide if they need cyber insurance at all. Most businesses do need this type of insurance coverage, and most need a lot higher limit than they might imagine. The best way to understand your risks is to have a long and honest conversation with your insurance agent, and trust the guidance they provide. An insurance agent should be able to help you find risks you may not realize your business faces and how serious that risk might be.

What type of insurance does your business need?

There are two types of policies related to cyber insurance. Each carrier has a different term for the two policies, but they each deal with first-party and third-party damages. First-party damages are the damages to you and your business, while third-party damages are the damages people or businesses face as a result of your business.

There is also a policy called Technology Errors and Omissions. This type of policy protects businesses that sell or offer services for all types of technology products. Companies that might need this type of coverage are data storage companies, web designers, or software designers.

What triggers a claim?

It is important for a business owner to understand the triggers associated with their policy. Some policies are triggered on the date the loss occurs, and others are triggered on the date the claim is made against an insured. Most cyber threats go undetected for months, if not years, at a time. If you switch carriers during this time, there could be an issue with which policy is responsible for the claim. In a worst case scenario, it may cause a gap in coverage where no coverage is provided. For this reason, it is important to understand this language before securing any coverage.


Chris MichaelsChris Michaels

Chris Michaels blogs for FrugalReality.com from the suburbs of Chicago. He offers advice to readers on how to save and smartly spend money including career, health, travel, home, and life advice. His family has owned an insurance agency for over 30 years with specialized niches including fiduciary and liability insurance.

"Without cyber insurance, your potential costs and continuation issues are huge."

Here are the top considerations when purchasing cyber insurance:

  • Cost of Compromise: Currently, the average cost per compromised record is about $148 per record and can go well over $200.
  • Coverage Expenses: It typically includes expenses for First Party and Third Party claims due to the breach of the technology. Third-party claims would include problems from service providers.
  • Typically Covered: Most policies will include:
    • Breach notification
    • Credit card monitoring
    • Costs to retain public relations
    • Forensic consultant to determine how the breach happened
    • Settlement costs
    • Malware

Like all insurance, your premium can be offset by the size of your deductible.


Necole GibbsNecole Gibbs

@ATLINSURANCCHIC

Necole Gibbs is a Licensed Independent Broker based out of Atlanta, GA. As a Financial Education Consultant, she champions the cause of insurance, providing seminars, webinars, and information to individuals who need assistance in understanding the importance of risk management..

"Insurance speaks to preventing, deterring, and managing risk."

Although cyber risk is extremely difficult to assess and is fairly new to this market, possible insureds must consider this type of insurance if they have access to customers’ highly sensitive information. Additionally, security as a whole and how an attacker may gain access to it is also a strong consideration that should be factored in when choosing the right cyber insurance policy.

First, before purchasing, always conduct extensive research on the company that you are purchasing the policy with:

  • What is the company’s financial score?
  • Do they pay claims?
  • Do they specialize in this type of insurance?
  • How do they compare in correlation to companies who specifically specialize in this field?
  • Do they offer professional liability endorsement in the event of an internal employee breaching clients' information?
  • Do they have endorsements that will cover you if there is a vendor error?

The company and the policy should answer these questions. P&C or Property and Casualty agents or agencies offer this coverage.

Next, your rate should be determined by an advanced penetration test. Also known as a pen test, this is an authorized ethical hack into your system to determine the security of your system. Once evaluated, your rate should reflect the level of risk you are exposed to or could expose your business to.

Lastly, ask for back-dated or retroactive coverage. Based on cyber stats, it takes about 265 days to identify a cyber attack. Some companies will not cover this if a company has already been compromised.


Dennis E. SawanDennis E. Sawan

@sawanandsawan

Dennis E. Sawan is the managing partner of Sawan & Sawan, an Ohio-based civil litigation and insurance law firm. In his practice, he regularly deals with issues regarding insurance coverage, policy terms, and insurance law.

"Cyber insurance is a relatively new industry, but it’s increasingly vital in our connected age."

While there is no “one size fits all'' approach to purchasing cyber insurance, here are some useful things to consider when looking for a policy:

Is Coverage Retroactive?

Many organizations will not identify a cyber attack for months or years, making it all the more important to ensure that your policy is retroactive – or backwards-looking – to cover you for attacks that may have occurred but have not yet been realized. Some insurers will provide this coverage, though it often comes with an additional cost.

Know Who is Covered

It is increasingly important to thoroughly review your digital ecosystem to identify all of the risks of cyber attacks, including how you interface with outside vendors. Many companies will use third-party vendors to handle certain sensitive data, or may themselves handle sensitive information for others. It’s vital to ensure your policy protects against these types of third party arrangements.

Understand How Your Insurer Handles Data Loss

Not all cyber insurance policies cover loss of data, and many will handle the loss of data and valuation of that loss differently. It’s critical to understand how data loss will be handled before you have a claim. Also, you will want to consider if the policy covers errors or omissions of internal staff, as sometimes the threat of cyber attacks can be created internally.


David KruseDavid Kruse

@TetraDef

David’s experience in cyber insurance began in 2015 as a founder of his independent agency’s Cyber Insurance Practice, which tracked the rapidly evolving cyber risk landscape and insurance marketplace. At Tetra Defense, his goal is to connect businesses with information security experts who can improve an organization’s security posture and ability to respond to the latest cyber threats.

"The most important thing to verify is that your cyber policy is a standalone policy, and not a rider/endorsement to another policy."

Despite many differences in coverage between standalone policies, the category of ‘standalone cyber’ is almost always better coverage/more cost efficient than the category of ‘rider/endorsement’ cyber.

On a standalone cyber policy, I’d recommend ensuring that you understand how ransomware events are handled from both a coverage and a claims-handling standpoint; I’d also recommend ensuring that you understand how social engineering/phishing fraud is handled. There are a variety of ways that carriers handle this, and it’s critical you understand how yours does. Ransomware and social engineering fraud are two of the most common claims, and you need to know how your policy is going to respond.


Kelly SpeersKelly Speers

@yourITresults

Kelly Speers is the owner of Your IT Results Inc., a cybersecurity-focused and customer service driven IT (information technology) solutions provider in Calgary, Alberta. With over 20 years of experience in technology and cybersecurity, Kelly continues to keep abreast of the latest threats facing small to medium businesses and organizations.

"When we looked at our requirements for cybersecurity insurance, it was to..."

Protect us in the event of a breach and to help us protect our clients, knowing that we are a target because of our clients. We needed to be sure that the remediation and crisis management expense was high enough that it would cover the majority of the costs involved in reporting and managing the breach or hack. In the event of a breach, we would need to use third-party services for transparency. Critical for us and the majority of our clients is to have the insurance cover:

  1. The cost of a Cyber Breach Coach to get us through the event
  2. The cost of a Third-Party Computer Security Expert to determine the cause
  3. The attorney fees to determine the actions necessary to comply with the privacy breach laws
  4. Credit monitoring services
  5. Public relations to help with reputational damage

Those were the most important to us and our clients. For our clients, we recommend adding on social engineering coverage if available.


Syed Irfan AjmalSyed Irfan Ajmal

@SyedIrfanAjmal

Syed Irfan Ajmal is the Founder and MD at SIA Enterprises. He is also an international speaker, syndicated columnist, and podcast host. His bylines & citations include Forbes, the World Bank, SEMrush, Reader’s Digest, Entrepreneur, and several others. He is widely respected for his insights on Content Marketing, Organic Search, and Publicity.

"Cybersecurity and being insured has been the go-to subject for many businesses lately…"

Because of the increasing risk of being hacked or your data being breached by a third party. It’s estimated that companies will suffer $6 trillion in damages by 2021, and illegal activities involving Bitcoin account for $76 billion.

Following are the most important considerations when purchasing cyber insurance:

  1. Assess your cyber risks: This is a mandatory first step that you or your business should take because it can reveal the value of purchasing a cyber insurance policy. If you know the risks and the potential benefits cyber insurance can offer, then it becomes easy for you to get buy-in from other stakeholders.
  2. Read the cyber insurance policy thoroughly: After identifying the risks your business faces, read the details required by the provider. This way you know the cyber insurer’s policies and what coverage is available to you.
  3. Understand your responsibilities: When you purchase cyber insurance, ensure that you fully understand your responsibilities. Doing so will help you act promptly and provide the necessary information to get your claim covered in the event of a cybersecurity incident and ensure that you get the maximum benefits from your policy.

Rich SpinelliRich Spinelli

@techinfoguy

Core Technologies Core Technologies has been providing Information Technology (IT) consulting services to organizations of all sizes in the Greater Boston area for 15 years. Headed by principal engineer Richard Spinelli with over 25 years of industry experience, Core is a nimble, fast-acting service provider for your business.

"Generally when it comes to finding a good insurance fit for our clients we look at these key areas…"

  1. Cost-effective insurance. What's the cost related to protecting them in a data breach? And what specifically is covered? Are costs to notify customers covered? What dollar amounts are covered? When does coverage begin?
  2. How long has the agent been in business? What references can we contact?
  3. Who underwrites the cyber policy? How long have they been in business?

Kimberly EggertKimberly Eggert

@KMLawFirm

Kimberly is a formally trained multimedia designer and developer with a BA in Visual Communications from The Richard Stockton College of New Jersey with 13 years of professional multi-industry experience and growth. She has an unprecedented commitment to quality of workmanship, a knack for thinking out of the box, dedication to projects and their deadlines, and ability to lead as well as collaborate.

"When determining whether you need to purchase a cyber insurance policy, there are a few things to consider…"

Does your company handle sensitive information? Sensitive information can include stored contact details, health information, financial information, and personal preferences. This information is often very useful to hackers, should they get their hands on it.

Do you host a website that stores customers’ login data? This is not exclusive to online retailers, but also encompasses blogs that capture their visitors' email addresses.

Do you utilize a third-party vendor to manage a database, provide eCommerce services, or supply your retail goods? In this case, you may never know the level of security that a third-party vendor supplies its clients.

Does your staff utilize their own devices? Any device that is lost or stolen has the potential to contain valuable information, such as company intellectual property and core information. Since employees are utilizing their own hardware, they may or may not be protecting that secure information as well as their own.

Do you have assets set aside to cover losses in the event you’ve become the victim of a cyber attack? It is estimated by the U.S. Securities and Exchange Commission that half of small businesses that suffer from a cyber attack go out of business within 6 months.

Does your business rely on confidentiality? For instance, do you provide dating services or run a mental health practice? Does the potential loss of information gathered stand to result in the invasion of privacy? Could you be a target for ransomware or extortion?

If you can answer yes to any of the above, you should invest in cyber insurance. It is important to remember that the standard business liability insurance policy does not cover cyber liability. Although insurance is an extremely regulated industry, there are no real standards for cyber insurance. It is important to know what to look for when shopping for a policy. Some of the basic guidelines to follow are:

Determine your cyber attack risk level. Like other forms of insurance, the lower your risk the less expensive your policy will be.

What type of policy is best for your business?

  1. Package policies are general, all-purpose liability policies, and you can mix and match parts to suit your own needs. These are well-suited to low-risk businesses.
  2. Standalone policies provide specific coverage and have their own terms and conditions. Standalone policies are better for organizations that want to tailor their cyber insurance.

Who should be covered?

  1. First-party coverage applies only to the policyholder.
  2. Third-party coverage applies to anyone else who has been affected; including your customers and third-parties.

What kind of coverage would you need?

  1. Network security coverage includes the cost of data breaches to third-parties, theft of intellectual property and sensitive data, ransom demands, and network failures.
  2. Privacy liability coverage includes the costs related to notifying affected parties of a breach, regulatory fines, crisis management costs, and forensic investigation.
  3. Media liability coverage includes things like copyright and trademark infringements, malicious defacement of a website, and libel.

How much coverage would you need? Although there is no specific formula to calculate the exact amount of cyber insurance coverage you need, the best way to get an approximate figure is to calculate the cost according to how many records with sensitive data your business stores. The estimated cost per compromised record is estimated between $150 and $200.

Once you’ve defined your need for cyber insurance, you are ready to shop for a policy. There are quite a few important questions to arm yourself with when speaking with any potential cyber insurance provider, including:

  • What types of incidents are covered?
  • What are the deductibles?
  • How do the coverage limits apply to both first and third-parties (e.g., are vendors, suppliers, clients, and unintentional victims covered)?
  • Does the policy cover all attacks on the company, or only those which are targeted directly at the business?
  • Are there any time limitations on coverage? eg. what happens if a data breach is exposed years down the line?
  • What, if any, exclusions are there from the policy’s coverage?
  • Is there international coverage, if the data theft occurs outside the national borders?
  • What is the response time in the event of a data breach?
  • Does the price of the policy increase when there are claims? What is the increase schedule?
  • What are the policyholder's responsibilities (e.g., audits and/or compliance obligations)?

R.J. WeissR.J. Weiss

@TheWaysToWealth

R.J. Weiss is a CFP® and founder of the personal finance site The Ways to Wealth. He has spent over ten years as a licensed property and casualty agent in Illinois.

"The important thing to understand when purchasing cyber liability insurance is that policies often differ drastically from carrier to carrier."

Most insurance coverages, such as general liability or property coverage, are on what's called a standard form. Standard form insurance policies offer the same coverages, with maybe a few additional enhancements pending the carrier.

There is no standard form policy when it comes to cyber liability insurance. As such, most carriers start and build their policies from scratch, and therefore, the differences are wide.

When you purchase a policy, first identify what coverage you're looking for. Then, work backwards to find a carrier that offers that coverage.


Brett DownesBrett Downes

@HaroHelpers

Brett is the Founder of HaroHelpers. He is an entrepreneur and SEO geek who, after working in-house and for agencies the last 5 years, has decided to build his own business under his own culture and ethos.

"Any company worth considering should have the option for retrospective coverage."

This covers you from attacks that may have hit your site previously. Even if they charge extra for this, it is worth the cost. If they offer advanced penetration tests, too – this a big tick in the box.

Companies that lower their initial premiums/cost if the penetration test has been carried out are winners. Similar to no claims insurance for cars, some companies will give you a more tailored price once they have identified your risk and implemented security procedures.

Last, but not least, Google them for reviews and past customer comments. Unlike other businesses where bad service may have been a cold burger, late delivery of products, etc., a negative action by a cyber insurance company can cost you a fortune in lost data, money, and other nefarious actions.

Take a look at the bad reviews so you know what company you may be getting yourself into bed with. If in doubt, leave them out – of your potential insurers.


Sophie SummersSophie Summers

@weareproprivacy

Sophie Summers is a HR Manager at Proprivacy.

"There are a few things to consider when purchasing a cyber insurance policy."

Inside the house threats coverage

Companies are not only at risk from external threats. Employees are often the cause of data exposure or loss. Make sure you are covered for both externally and internally caused incidents.

System replacing costs

Insurance companies try to avoid terms and conditions related to system recovery costs. A business should make sure that the insurance company provides the coverage needed to restore the system to the state it was in before the data breach.

The systems that are affected because of a data breach must be maintained or replaced according to the requirements. Otherwise, a company has to bear the machinery replacement cost to restore their business to normal operations.

Data loss from personal computers

Many employees are working from home during the COVID-19 pandemic, and many were working remotely even before the crisis. Home Wi-Fi is typically connected to smart devices used in employees' homes. These devices have poor security standards, and hackers can easily start controlling them. So, home Wi-Fi could become an entry point for hackers to reach your company's sensitive data.

A company should buy an insurance policy that covers data loss that occurs as a result of employees working on their personal computers.


Richard LauRichard Lau

@heylogo

Named 2004 “Domainer of the Year,” Richard founded the leading conference NamesCon in 2012, and it is now part of the GoDaddy family. Another recent exit (to Indeed.com), Resume.com aids job seekers to build their resumes online. His newest project is Logo.com – an AI-powered logo maker which has created over 10 million logos.

"An aspect often overlooked is to think about situations that others in your industry have faced and…"

Discuss with your broker if your policy would cover such a scenario. Of course, this assumes that you are dealing with a broker who has filed claims for clients. Be sure you are dealing with an experienced broker, not just someone who is reading the policy wording alongside you. Your broker is your advisor – and you want the best advice, so choose the best broker.


David WalterDavid Walter

David is the CEO of Electrician Mentor. He is a Master Electrician with over 20 years of experience working in the mining & metals industry. He’s skilled in process design, power distribution, and people management.

"The biggest thing to consider before purchasing a cyber insurance policy is the risk of a breach of data."

Basically, how safe is your website and business in general? To make that determination, a risk assessment will be in order. That's not to say that you shouldn't get a policy if you feel you're up to standard, but it could help in what type of policy you choose.

Next, do you have the budget for an insurance policy? You need to take two things into consideration when tackling this subject. You need to have enough money to get one, but should you get one even if it means cutting back in other areas considering the huge financial hit your business could take should a breach occur?

Finally, you need to research the type of policy you need. They come in all different shapes and sizes, with varying costs, too. Be sure that the one you choose gets you the specific coverage you need. It's also recommended that you get quotes from at least three different companies to ensure you're making the best choice both from a financial standpoint as well as what the policy covers.


Shagun ChauhanShagun Chauhan

@consultifour

Shagun Chauhan is a Business Consultant at iFour Technolab Pvt Ltd, a customized software development company. He is an organized marketing professional with a demonstrated history of working in the information technology, services, and the product industry. He is passionate about developing new business ideas and implementing them successfully in the market.

Cyber insurance protects you against cyber attacks like phishing, email spoofing, malware, data breaching, etc. So, every company has to consider a few tips before buying Cyber Insurance.

1. Study your business needs.

First, you need to understand your business needs and why you are buying cyber insurance, so that you can choose the best fit cyber insurance policy.

2. Understand your current cyber insurance coverage.

Take a look at your existing insurance policies and see what types of cyber risks may be covered. Some general policies may provide coverage of things such as privacy and data breaches. However, these general policies will probably not be as comprehensive in their cyber coverage as a standalone policy.

3. Compare different cyber insurance policies and their terms.

Understanding the policy’s coverage, limits, and exclusions is a must. A cyber insurance policy should cover costs that are related to investigation, fines and penalties, and remediation of the costs associated with the data breach. A business should always consider every possibility of harm it might face and understand if the cyber insurance policy covers it or not.

There are certain considerations businesses should make while purchasing cyber insurance policies. There is no one product out there that matches the requirements of all. Finding the right policy to meet a company’s requirements requires a good team approach and diligence.


Marty PuranikMarty Puranik

@AtlanticNet

Marty Puranik is the President and CEO of Atlantic.Net, an Orlando-based web hosting solution that offers HIPAA-Compliant, Cloud, Dedicated, and Managed hosting services.

"More and more businesses are turning to cyber insurance, which is a…"

Protection policy that will underwrite organizations to protect them from, for example, cyber crime, data theft, or ransomware attacks.

The 3 top reasons to purchase cyber insurance are:

  • Maintain business reputation – Data breaches can be very costly to an organization's reputation, particularly if sensitive data is stolen. Insurers often provide 3rd-party security experts to mitigate the damage.
  • Financial protection – This could be for lost or stolen assets (laptops, phones, etc.). Coverage can include reimbursement for ransomware attacks, compensation of loss of income or earnings due to costly cyber breaches. Some offer coverage for fines if any compliance penalties are enforced (such as PCI DSS).
  • Crisis Containment – Most insurers offer an expert communication channel to customers and stakeholders, as well as a 24/7 press office that will manage the developing situation with timely external communications. This could be vital for damage limitation and may provide additional comfort for affected customers.

Most insurers recommend that any organization that holds customer data such as banking information, names and addresses and those that rely on IT systems to conduct day-to-day business operations should be covered. Typically, this may include the retail sector, law, transport, accountants – this list is extensive, and insurers will argue that every business needs cyber insurance.

The most prominent example I have witnessed is a fashion retail client who, at the time, had not invested in an adequate disaster recovery solution. They are a 100% pure-play online retailer. If their site went offline, then the business would stop functioning. At the time, this client undertook large cyber insurance coverage for guaranteed income protection. Thankfully, this client has now fully embraced disaster recovery as a service.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Learn more →

Start My Free Quote
Ellen Zhang
Written by

Ellen Zhang

Digital Marketing Manager

Enthusiastic and passionate cybersecurity marketer. Short-story writer. Lover of karaoke.

Sign up for the latest news

Oops! Please make sure your email is valid and try again.