We are frequently asked about insurance policies that cover internet-based risks. These include network security risks such as data breaches and ransomware, as well as data privacy risks such as class action lawsuits for privacy violations and costs related to the increasingly complex landscape of privacy rules.
Several of our other articles have discussed ways to mitigate these risks through preparedness and prevention measures. However, many privacy and security risks arise from simple human error, which can never be eliminated entirely. Therefore, companies have increasingly mitigated these risks with cyber liability insurance (“cyber insurance”) in the past several years. In particular, cyber insurance often mitigates the costs and consequences of a data security incident or data breach and the potential liability that may result from it.
What does cyber insurance cover?
Cyber insurance coverage will differ from product to product. It is important to review and understand what your cyber insurance policy covers. Cyber insurance typically covers losses that result from data privacy and security incidents, which may include the following:
- Incident response services and cost reimbursement, including the cost to investigate the incident, legal expenses, public relations and crisis management, ransomware payments, breach notification, and the cost to provide credit monitoring services to affected individuals.
- Lost revenue resulting from business interruption, which may include third-party claims, and the costs to remediate the interruption.
- The costs to respond to third-party claims related to privacy or personal injury.
- The costs relating to government investigations and fines related to the incident.
However, not all policies are the same, and several risks are commonly excluded across cyber insurance policies, so it is important to closely review the policy’s scope. For example, a policy may not cover significant fines imposed by regulators for violating data privacy rules like the EU’s General Data Protection Regulation or the privacy rules enforced by the Federal Trade Commission. Similarly, risks arising from war and terrorism are typically excluded, and there is a question as to whether cyber insurance will uniformly cover large, coordinated cyberattacks launched by nation-states that are arguably acts of war or terrorism.
What is the typical cost for cyber insurance?
The cost of cyber insurance can vary greatly and will depend on your business, the risks that it faces, and the amount of coverage. Average premium costs range from a few hundred dollars per year to several thousand dollars per year. Employers that take proactive steps such as implementing an incident response plan, training employees on cyber risks, and implementing technology protections such as firewalls and strong password policies may be able to obtain a lower rate on cyber insurance. In some cases, insurers are actively helping businesses review their cyber liability posture and take steps to improve it.
A business may be curious about how much coverage it should purchase to cover potential risks. While this is a difficult question to answer, several factors should be considered to understand the business’s risk profile. Does the business store customers’ personal data? Is the business in an industry that is susceptible to cyberattacks or heavily regulated? For example, healthcare institutions covered by HIPAA and financial institutions are more likely to see significant benefits from cyber insurance compared to businesses in unregulated industries.
Incident response considerations
Cyber insurance policies typically require that the insured notify the insurance provider upon the occurrence of an incident that may result in a claim. The timing of this requirement may vary. We recommend understanding the policy’s notification requirements and aligning them with the business’s incident response plan.
A cyber insurance carrier may require the insured business to use the insurance carrier’s recommended attorney if a data security incident arises. However, insurance companies often permit the insured business to use its own selected attorneys instead, although this may require prior planning and approval.