Cybersecurity insurance, also called cyber liability insurance or cyber insurance, is a contract that an entity can purchase to help reduce the financial risks associated with doing business online. In exchange for a monthly or quarterly fee, the insurance policy transfers some of the risk to the insurer.
Cybersecurity insurance is a new and emerging industry. Companies that purchase cybersecurity insurance today are considered early adopters. Cybersecurity policies can change from one month to the next, given the dynamic and fluctuating nature of the associated cyber-risks. Unlike well-established insurance plans, underwriters of cybersecurity insurance policies have limited data to formulate risk models to determine insurance policy coverages, rates and premiums.
Cyber insurance has its origins in errors and omissions (E&O) insurance, a separate form of insurance that protects against faults and defects in the services a company provides. E&O insurance is analogous to product liability policies for companies that sell physical or digital products.
While some cyber insurance policies contain specific provisions for E&O, most providers sell these as separate and distinct policies. E&O insurance does not cover the loss of third-party data, such as customer credit card numbers; customers needing such protection can purchase a cyber insurance policy that covers it.
Why cyber insurance is important
The loss, compromise or theft of electronic data can have a negative impact on a business, including the loss of customers and revenue. Businesses may be liable for damages stemming from the theft of third-party data. Cyber liability coverage is important to protect businesses against the risk of cyber events, including those associated with terrorism. Cyber-risk coverage can assist in the timely remediation of cyberattacks and incidents.
In 2011, Sony's PlayStation Network was breached by hackers, exposing personally identifiable information (PII) of 77 million PlayStation user accounts. The breach prevented users of PlayStation consoles from accessing the service, an outage that lasted for 23 days. Sony incurred over $171 million in costs related to the breach. Portions of this cost could have been covered by a cyber insurance policy, but Sony did not have one in place. A court ruled that Sony's existing insurance policy covered damage to physical property only, leaving Sony to bear the full cost of the cyber damages.
How cyber insurance works
Cyber insurance policies are sold by many of the same suppliers that provide related business insurance, such as E&O insurance, business liability insurance and commercial property insurance. Most policies include first-party coverage, which applies to losses that directly impact a company, and third-party coverage, which applies to losses suffered by others from a cyber event or incident, based on their business relationship with that company.
Cyber insurance policies help cover the financial losses that result from cyber events and incidents. In addition, cyber-risk coverage helps with the costs associated with remediation, including payment for legal assistance, investigators, crisis communicators, and customer credits or refunds.
Who needs cyber insurance?
Businesses that create, store and manage electronic data online, such as customer contacts, customer sales, PII and credit card numbers, can benefit from cyber insurance. In addition, e-commerce businesses can benefit from cyber insurance, since downtime related to cyber incidents can cause a loss in sales and customers. Similarly, any business that stores customer information on a website can benefit from the liability coverage that cyber insurance policies provide.
What is covered and not covered by cyber insurance?
In the United States, most major insurance companies offer customers cybersecurity insurance policy options. Depending on the price and type of policy, the customer can expect to be covered for extra expenditures resulting from the physical destruction or theft of information technology (IT) assets. Such expenditures typically include costs associated with the following:
- meeting extortion demands from a ransomware attack;
- notifying customers when a security breach has occurred;
- paying legal fees levied as a result of privacy violations;
- hiring computer forensics experts to recover compromised data;
- restoring identities of customers whose PII was compromised;
- recovering data that has been altered or stolen; and
- repairing or replacing damaged or compromised computer systems.
Traditional insurance policies typically exclude cyber-risks, and this has led to the growth of cybersecurity insurance as a separate, stand-alone type of coverage. Potential customers include any company that accepts digital payments or stores PII about customers, including medical and financial information.
Some cyber insurance policies cover the cost of providing credit monitoring services for customers affected by a data breach. In September 2017, Equifax, a consumer credit reporting agency, suffered a data breach that exposed the personal information of 147 million people. In 2019, Equifax reached a settlement with the U.S. Federal Trade Commission (FTC). As part of the settlement, Equifax agreed to spend $425 million to provide free credit reporting, cash payments -- e.g., for those already enrolled with a credit monitoring service -- reimbursement for time or money spent on recovering from identity theft and free identity restoration services. A cyber insurance policy could have paid for part of the $425 million cost of Equifax's settlement, assuming the circumstances of its data breach were covered by such a policy.
Many entry-level cybersecurity insurance policies only cover first-party losses, but some insurers are beginning to offer policies that cover third-party liability losses as well.
Many cybersecurity policies exclude preventable security issues caused by humans, such as poor configuration management or the careless mishandling of digital assets. Other issues excluded by cybersecurity policies include the following:
- preexisting or prior breaches or cyber events, such as incidents that occurred before the policy was purchased;
- cyber events initiated and caused by employees or insiders;
- infrastructure failures not caused by a purposeful cyberattack;
- failure to correct a known vulnerability, such as when a company knows that a vulnerability exists, fails to address it and is then compromised through that vulnerability; and
- the cost to improve technology systems, including security hardening in systems or applications.
How to choose a policy
Typically, cyber insurance pricing is based on the insured entity's annual revenue and industry. To qualify for coverage, the individual or entity typically must submit to a security audit by the insurance company or provide documentation with the assistance of an approved assessment tool, such as that offered by the Federal Financial Institutions Examination Council (FFIEC). The results from a security audit or the documentation from approved assessment tools will factor into the types of coverage provided by the cyber insurance provider, as well as the cost of the premiums.
As of 2019, the cyber insurance market is still young, and many companies are choosing to forgo this type of insurance because of its uncertain return on investment (ROI). In the United States, the Cybersecurity and Infrastructure Security Agency (CISA), which operates under the Department of Homeland Security (DHS), is encouraging businesses to improve their cybersecurity in return for more coverage at more affordable rates.
Because cybersecurity insurance is new, policies vary widely from one provider to the next. To choose a policy, companies should closely review the policy details to ensure that it contains the necessary protections and provisions. In addition, companies should evaluate whether the policy provides protection against both known and emerging cyber incidents and threat profiles.