Guide to Cyber Insurance
Cyber insurance - sometimes known as cyber liability insurance or cyber security insurance - offers organisations coverage from certain cybersecurity risks that are not usually covered by traditional insurance policies. With the escalating frequency and severity of cyber attacks, all businesses, regardless of size or industry, should consider adding cyber insurance coverage to their business insurance portfolio in order to help mitigate financial losses stemming from cyber incidents like data breaches, ransomware attacks, and network outages.
What is cyber insurance?
What does a cyber insurance policy cover?
How much cyber insurance is necessary?
How much does cyber insurance cost?
Do small businesses need cyber insurance?
What are the top 5 objections to cyber insurance?
What do businesses need from cyber insurance brokers?
Why get cyber insurance from Coalition?
What is cyber insurance?
Cyber insurance provides modern businesses with a crucial shield against the cost of dynamic cyber threats. Over the past decade, hackers have turned cybercrime into a thriving industry.1
Cybersecurity insurance policies can safeguard organisations against financial losses stemming from cyber incidents, such as data breaches, ransomware attacks, and network outages. That’s why all businesses should consider buying cyber insurance.
Why do organisations need cyber insurance?
Most businesses take steps to ensure their physical operations are protected against damage and resulting general liabilities. However, such traditional insurance policies aren’t designed to cover cyber or technology risks.
Traditional commercial insurance products such as Property, Public Liability (PL), Employer's Liability and Professional Indemnity help protect businesses from third-party claims of injury, property damage, and negligence related to their business activities. Unfortunately, these products rarely cover digital risks that can result in financial loss and damage to digital assets.
What are the benefits of cyber insurance?
Cyber insurance can vary widely in what's included. Some policies cover only specific types of cyber events and may include sub-limits for certain attacks, like ransomware.
The immediate benefits of cyber insurance include breach response costs, indemnifying businesses for immediate out-of-pocket expenses incurred to investigate and remediate a cyber incident. These costs include legal fees and expertise, forensics investigation, notification, and public relations or extra expenses associated with restoring businesses back to operations.
Learn more about the importance of cyber insurance.
What does a cyber insurance policy cover?
Cyber attacks can damage more than a business’ computer hardware, network security, and mobile devices. The digital transformation of the economy has amplified the impact of cyber risks, which means businesses can suffer irreparable harm to their critical data, finances, and reputation. Cyber liability insurance coverage can offer protection to businesses, but not all policies are alike.
The following are some key considerations when evaluating cyber insurance options.
What are the five main areas covered under cyber liability?
Cyber insurance can vary between insurers and policies. Businesses should look for the types of coverage that will help their organisations recover after experiencing a cyber event.
Direct costs to respond: Responding to a cyber event typically requires numerous direct costs, also known as first-party expenses. If an organisation experiences a data breach, it may require a prompt response and the need for additional legal counsel, forensic investigation, victim remediation, and notification to comply with regulatory requirements. Simple investigations can cost tens of thousands of pounds, while more complex matters can increase costs exponentially, underscoring the need for first-party coverage.
Liability to others: Navigating the patchwork of laws and regulations after a security incident or data breach is difficult for any organisation, but especially for those that operate in a highly regulated industry. A ransomware attack or data breach can trigger liability to third parties and cause bodily harm or injury, which is why businesses should consider purchasing third-party coverage.
Business interruption and reputation damage: A cyber event that impacts essential technology can have a significant impact on an organisation's ability to operate, which can be highly visible to customers and other stakeholders. Even short periods of disruption from ransomware or cyber extortion can lead to direct loss of revenue and inhibit an organisation's ability to support clients, negatively impacting not only customer retention but also the delivery of services.
Cybercrime: Beyond ransomware and data breaches, cyber events can result in financial theft for a business or its customers — often without an actual breach. Funds transfer fraud (FTF) can lead to an organisation losing tens or hundreds of thousands of pounds almost instantly. Attackers can also gain access to email accounts through social engineering techniques like phishing or business email compromise (BEC), and send fraudulent invoices or payment instructions to customers, vendors, and other third parties.
Recovery and restoration: After a cyber event, resuming operations can be no easy task. If malware damages or destroys essential technology, data, or physical equipment, an organisation may need to bring in external support or purchase new equipment to re-secure systems. Full remediation, restoration, and recovery (when possible) can take a significant amount of time, and may require purchasing new software, systems, and consultants to rebuild the network.
What does cyber insurance not cover?
As with most insurance policies, there may be specific exclusions, which are losses that a cyber insurance policy will not cover. Losses that may be exclusions in a cyber insurance policy include:
Resulting loss of future revenue (or loss of revenue or income that extends beyond the indemnity period; cyber policies typically provide business interruption and extra expense coverage for 180 days).
Cyber attacks can result in brand or reputation damage, and while cyber insurance coverage can extend to reputational harm, that doesn't extend to a company's valuation or loss of intellectual property.
Cyber policies can provide third-party protection for claims arising from a security failure, data breach, or privacy liability, but may not respond to professional indemnity (PI) / errors and omissions (E&O) claims for a violation of a reasonable standard of care with professional services. Specific industries can purchase Technology E&O to mitigate this risk.
Cyber insurance does not cover employment, discrimination, and directors & officers-related claims. Businesses need a separate liability policy for management liability insurance.
Learn more about what cyber insurance covers.
How much cyber insurance is necessary?
As the frequency of cyber incidents and the associated costs continue to climb, businesses should consider additional ways to minimise their cyber risk. No single security control can prevent every incident, though cyber insurance is a valuable risk mitigation tool.
What factors determine cyber risk?
There are a number of factors that determine an organisation’s risk and how much cyber insurance it may need.
Company security practices: Threat actors are opportunistic and more likely to target businesses with old, outdated, or vulnerable technology.
Types of information held: Some types of sensitive data, including personally identifiable information (PII), personal health information (PHI), and credit card data can be resold or held for ransom by cyber criminals.
Availability of credentials: Threat actors may also target a business if they discover breached employee credentials. This is especially likely if the business has not implemented security controls, such as multi-factor authentication (MFA), to help secure accounts.
Clients and supply: Supply chain attacks are becoming more common, wherein threat actors compromise one organisation in order to victimise its clients, suppliers, or customers downstream.
Learn more about how much cyber insurance is necessary.
How much does cyber insurance cost?
Most organisations carry some form of business insurance to help mitigate costs and losses associated with business operations, such as property damage, crime, and physical injuries. However, as cyber attacks and data breaches become more expensive and more prevalent, cyber insurance is increasingly becoming a must-have.
Cyber insurance pricing
In today’s dynamic market, the cost of cyber insurance can vary widely depending on the size, revenue, and exposure of an organisation. These factors are considered by insurance companies when pricing cyber insurance.
Types of technology: Many insurance companies use scanning technology in their underwriting models to assess potential vulnerabilities in an organisation’s tech stack. Thinking like a threat actor allows insurers to gain better insight into potential risk exposures.
Business industry: Threat actors might be particularly keen on attacking businesses in a given industry, often because they may get a bigger payout or because of weaknesses in their technology.
Protected data: The more sensitive information a company stores, the more likely threat actors will be interested in it to steal, resell, or use as leverage in ransom demands.
Coverage amount: Like other forms of insurance, cyber insurance costs are influenced by how much coverage is purchased. For example, a £1 million policy will typically be more affordable than a policy that provides up to £15 million in protection.
What else impacts cyber insurance costs?
Cyber insurance costs can be influenced by several factors, including:
Increasing demands in coverage
Growing sophistication of cyber threats and attack methods
Increasing costs associated with cyber incident remediation
Additionally, cyber insurance premiums may also become more expensive upon renewal if a business experiences a cyber attack within the previous year, especially if the policyholder hasn't taken steps to improve their security controls — similar to annual car insurance premiums increasing after a claim is made for an accident.
Learn more about the cost of cyber insurance.
Do small businesses need cyber insurance?
Small businesses face an increasingly and disproportionately challenging cybersecurity environment. Cyber insurance can help small businesses mitigate the impact of cyber threats or events by transferring the potential costs associated with a cyber event to an insurer.
What are 6 benefits of cyber insurance for small businesses?
From picking up costs following a potential incident to indemnification for legal fees, small business cyber insurance can help by providing coverage against events like data breaches of client information and ransomware attacks.
Compensate losses that resulted from business downtime. Cyber insurance may help cover the costs of any revenue lost during downtime caused by a cyber attack, as well as associated expenses.
Ensure regulatory compliance, including customer notification requirements. Businesses are usually required to notify clients and employees in the event of a data breach. Cyber insurance can help cover the cost of operations, like providing credit monitoring to impacted clients.
Cover the costs of replacing damaged equipment. Cyber attacks can degrade an organisation’s equipment, leading to unforeseen additional costs in repairing or replacing damaged hardware.
Cover the cost of regulatory fines, where legal and appropriate. Following a data breach, businesses that store sensitive information may be faced with regulatory fines.
Recoup costs associated with recovering compromised data. Forensic investigations, data mining, and recovery can be expensive and require specialised technical knowledge.
Cover ransom compensation. In the event of a successful ransomware attack, businesses may have to choose between paying the ransom and potentially losing all of their data, especially if data backups are not viable.
What sort of cyber insurance coverage do small businesses need?
Cyber insurance coverage can be customised to a business depending on its risk profile. One of the initial factors to consider is determining the overall potential exposure risk.
To effectively evaluate potential exposure, a cyber risk assessment can help. This may identify various exposure factors, such as your business’ online presence, the various types of hardware and software you may use and their associated vulnerabilities. Depending on the types of security measures you have in place, your policy and premiums may change. The areas of potential risk will be the primary factor to determine the exposures your business may need to remediate, as well as the appropriate coverage limits to protect against them.
Learn more about small businesses and cyber insurance.
What are the top 5 objections to cyber insurance?
There are numerous compelling reasons for businesses to take action to insure themselves against cyber threats. But business leaders often need help in understanding the significance of cybercrime, the costs it imposes, and the essential value of coverage. Below are five of the most common objections to purchasing cyber insurance.
“I'm too small to be a target.” Many business owners mistakenly assume that small companies or businesses with a low profile aren’t targets for cybercrime. In fact, threat actors increasingly use automated attacks to target small businesses, which often have weaker security controls.
“We don't rely on technology.” Cybercrime doesn’t just affect data-rich companies. Every technology, even the most basic, introduces the risk of cyber attack. In fact, tools like email are commonly exploited for phishing and similar attacks.
“I'm already protected from cyber threats.” Cybersecurity tools and services are an important aspect of any organisation’s cyber risk management strategy, but they’re only a first step. Protections can and do fail. Additionally, many cybercrimes and security breaches are a result of human error.
“I have coverage in my existing insurance.” Traditional insurance isn’t designed to cover the broad impacts of cybercrime. Most package policies only cover third-party costs, leaving significant coverage gaps.
“Cyber insurance costs too much.” For business leaders just becoming familiar with cyber insurance, the cost of coverage may seem like a financial burden. The reality is, in the current cyber threat environment, businesses can’t afford not to have sufficient insurance.
Learn more about common objections to cyber insurance.
What do businesses need from cyber insurance brokers?
Most cyber insurance policies are different, and have varying exclusions and conditions. In addition, cyber insurance products may include innovative features, such as proactive monitoring services or other security services. Businesses need help to understand the coverage that is offered, what’s not covered, and the additional services that are offered to proactively prevent a claim. Here are some tips for how brokers can best convey key information to businesses that may be considering cyber insurance coverage.
Go for clarity. Business owners want to understand the basics: What do I need to do to secure coverage? How could this benefit affect my business? How much will I be required to pay versus what could I be required to pay out of pocket without cyber insurance coverage?
Paint the risks. Businesses need to understand the current cybercrime landscape and how the variety and prevalence of cyber risks pose a greater risk for all businesses, regardless of size.
Demonstrate value. Businesses need to understand the typical costs of cyber attacks on businesses without cyber coverage, including stolen funds, lost business income, equipment damage and reputational harm. Businesses that experience a cyber incident without cyber insurance coverage may also have third-party costs, such as technical, legal, and public relations expenses as well as potential regulatory fines or penalties.
Explain the coverages. Cyber liability policies can provide a number of different coverage options, from network liability to business interruption. Outlining coverage options in clear and simple terms can be helpful.
Highlight supplemental benefits. Certain cyber insurance products may include tools and services beyond the insurance coverage. For example, certain cyber insurance providers offer policyholders active monitoring and risk assessment to identify risks and decrease the likelihood of a claim.
Support with statistics. Current data and statistics support the case for businesses to prioritise cyber coverage. For many small businesses, even an average cyber attack can cause significant financial, operational, and reputational costs that can be difficult for these businesses to overcome.
Learn more about how brokers can support businesses purchasing cyber insurance.
Why get cyber insurance from Coalition?
Cyber risk evolves quickly, with new threats constantly emerging. Traditional insurance providers typically lack the visibility and tools to keep up with these new, fast-paced digital risks.
Coalition uses technology and data to assess each organisation’s unique risk profile, in order to determine the price of the policy. We will also help identify security improvements a business can make in order to improve its insurability. Our coverage options are flexible so the broker can tailor each policy to meet the needs of the organisation. We also have security, incident response and claims services available 24/7/365 with real people at the end of a telephone to help policyholders.
We call this Active Insurance: a cyber insurance product designed to help prevent risk before it strikes.
Active Risk Assessment: Our proprietary data platform* enables us to quickly evaluate a business’ cyber risk profile, including any security vulnerabilities. Once identified, Coalition works with businesses to actively address those exposures, better-positioning them for coverage at more reasonable rates.
Active Protection: Continuous scanning and monitoring* of a policyholder’s digital assets and other risk factors throughout the policy term can reduce the likelihood of a claim. Policyholders also benefit from personalised alerts for critical issues, so they can take prompt action that mitigates the risk.
Active Response: Support and guidance from Coalition’s team of experts* can assist policyholders when a cyber incident occurs by mitigating damages and helping to get the business back up and running.
Coalition combines comprehensive cyber insurance coverage and security services to help businesses prevent digital risk before it strikes.
Learn more about Active Insurance from Coalition.