Cyber Insurance protects against losses from hacking, data breaches, or cyberattacks.
If your business stores sensitive data such as Social Security numbers, credit card numbers, health records, or other confidential information about your customers, partners, or vendors, you may be at risk for a hack or data breach. Cyber Liability Insurance can provide coverage for this risk.
What is Cyber Liability Insurance?
Cyber Liability Insurance covers your business against liability and property losses caused by cyberattacks such as hacks, data breaches, denial of service attacks, and viruses.
With the increasing adoption of digital technologies, businesses face a number of new risks: they could become victims of data theft, unauthorized access, or cyberextortion. Commercial general liability and commercial property policies generally exclude coverage for cyber liability and electronic data, so you may not have coverage for data breaches without a Cyber Liability Insurance policy in place.
Cyber Liability Insurance can cover losses your business experiences due to cyberattacks, whether they are first-party losses or losses from third-party legal claims. Cyber Liability Insurance can provide coverage in a number of scenarios:
- Your business is hacked and your customers’ personal data is stolen. Your customers file suit against your business for the violation of their privacy.
- Your business is hacked and credit card information is stolen. Government regulators and your credit card network issue fines and penalties against your company.
- In the wake of a data breach, your business must hire consultants to recover your data. You also run advertisements to notify your customers of the breach.
- Your data center is hacked and your systems are held hostage. The cybercriminals demand that your business pay a ransom in order to regain access.
Who needs Cyber Liability Insurance?
Business owners who store sensitive, confidential, or proprietary information can benefit from Cyber Liability Insurance. If your business stores any of the following information, you should consider the protections provided by Cyber Liability Insurance:
- Credit card numbers or other payment information
- Personally identifiable information (PII) including names, email addresses, phone numbers, addresses, Social Security numbers, driver’s license numbers, and more
- Protected health information, including medical records and patient payment history
- Trade secrets or patent applications
Do small businesses need Cyber Liability Insurance?
Small businesses can benefit from Cyber Liability Insurance and protection from data breaches just as much as large businesses. While much of the news you hear about cyberattacks and data breaches likely involves security lapses at large corporations, like Equifax or Target, the reality is that small businesses are just as much at risk.
In fact, small businesses may be even more vulnerable, as many smaller companies lack the time, expertise, and resources to establish advanced security protocols, train employees, and implement strong digital protections. Additionally, the financial costs necessary to remediate a data breach may be out of reach for smaller businesses.
Cyber Liability Insurance can provide small businesses with the financial support they may need in the event of a cyberattack.
What does Cyber Liability Insurance cover?
Cyber Liability Insurance covers financial losses from data breaches, hacking, viruses, denial of service attacks, and other similar cyber events.
Cyber Liability Insurance has two major components: third-party liability coverage and first-party coverage. Third-party coverage provides protection when a customer, vendor, partner, or other party sues you for allowing a data breach to happen. First-party coverage protects your company when you incur expenses from a data breach or when your company is hacked. You may choose to purchase either or both types of coverage.
Third-Party Liability Coverage
The third-party liability coverage provided by Cyber Liability Insurance provides protection against lawsuits filed by clients or others against your business as a result of a breach of their security or privacy. These lawsuits can accuse your business of failing to adequately protect data you possess that belongs to customers, employees, vendors, or others.
Some of the claims and costs that third-party liability may cover include:
- Legal expenses. If your business is sued, Cyber Liability Insurance can cover attorney’s fees, court costs, and any resulting judgments or settlements.
- Network security claims. If your company suffers a network security failure, you could be sued. Covered events include data breaches, viruses and malware, denial of service attacks, or unauthorized access by a hacker or rogue employee. It can also cover your business if you have trade secrets or patent applications for clients that are exposed in a hack or data breach.
- Privacy claims. Your business could be sued for negligence in failing to protect sensitive data of others stored on your company’s network and systems. In addition to hacks and viruses, privacy breaches can include a breach of a physical record, such as files tossed into a dumpster. It can also include human error such as a lost laptop or sending a file full of customer account data to the wrong email address. Privacy claims can also include the wrongful collection of personal information.
- Employee privacy liability. If sensitive data about your employees is stolen from your company systems, including PII, your business could be sued.
- Regulatory fines. Government regulators may impose fines, penalties, and other costs on your business in response to a data breach.
Third-party liability insurance is generally written on a claims-made basis, which means coverage is only available if the claim is submitted while the insurance policy is active. Most general liability policies are written on an occurrence basis, which covers claims submitted after the policy ends if the event causing the claim occurred while the insurance was active.
First-party coverage provides protection against the financial losses your business incurs due to a data breach, hack, or other cyber event.
First-party coverage can provide for the costs of responding to and recovering from a data breach. These costs can include:
- Notifying your customers or employees affected by the breach. Many states require businesses to notify affected customers or employees if personally identifiable information is involved in a data breach.
- Providing credit monitoring services to those affected by the data breach. Although most states do not require providing credit monitoring services after a data breach, it can be a helpful tool to aid your public relations efforts.
- Hiring technical consultants or lawyers to find out whether a breach happened, the extent of the breach, and any regulatory compliance necessary.
- Advertising and public relations costs to educate customers or other affected parties about the breach and help to fix your company’s reputation.
If your company’s electronic data is lost, damaged, or corrupted due to a hack, virus, or denial of service attack, you can be covered under first-party coverage. This coverage also extends to data belonging to others stored on your systems.
First-party coverage will reimburse your company for the costs to restore or recover the lost or damaged data, as well as the costs to hire consultants to help you restore or repair your data.
Data recovery coverage usually does not cover data loss due to mistakes made by your business or your employees. For example, if your employee accidentally deletes your critical business data, it would not be covered.
Because commercial property coverage usually excludes coverage for electronic data, having data recovery coverage can be valuable if your company experiences a hack or cyberattack.
Business income insurance, also known as business interruption insurance, is also available on many Cyber Liability Insurance policies. A typical business income insurance policy that is attached to a commercial property policy only covers perils that cause physical damage. Usually, commercial property coverages do not provide coverage for electronic data.
If the loss or destruction of data leads to a disruption in your ability to do business, this coverage can pay for the loss of business income your business experiences.
- Your business is hacked, and data critical for your sales team to sell on a daily basis is destroyed. Your business income insurance under your commercial property policy will not provide any coverage, even though you will experience lost sales and profits. Cyber liability coverage can reimburse you for the lost sales and profits when data is lost due to a cyberattack.
Note, however, that this coverage only applies to lost profits that are directly caused by the cyberattack. If your sales decline due to a hit to your reputation from the data breach or cyberattack, these declines will not be covered, as they are not directly caused by the breach or attack.
First-party coverage can also cover cyberextortion. If your business is threatened with damage to your computer systems or networks unless you pay a ransom, this insurance can provide coverage.
- A hacker gains access to your computer network and threatens to delete all of your customer data unless you pay them money. The data includes financial records, contact information, and usernames and passwords. Cyber Liability Insurance would cover the cost of the ransom.
First-party coverage can also provide coverage for the money you spend to respond to the extortion demand, in addition to any ransom you pay. The insurer’s consent is usually required before you pay these expenses.
What does Cyber Liability Insurance exclude?
Cyber Liability Insurance is primarily designed to protect your business from cyberattacks. However, there are some exclusions to the coverage from this insurance. These include:
- Damage to your business reputation as a result of a data breach.
- Costs to fortify and improve your internal technology systems.
- Lost future sales because customers avoid your business after a breach.
- Loss of intellectual property owned by your business.
- Damage to your business caused by your own or your employee’s actions. For example, you install new software that causes your network to go down for several days.
It’s also important to note that many policies have a waiting period, during which losses will not be covered. For example, a policy with a 12-hour waiting period will not pay for any losses incurred during the first 12 hours of a network outage.
How much does Cyber Liability Insurance cost?
The average cost of Cyber Liability Insurance in the U.S. was $1,485 per year in 2020, and our mid-year update in 2021 found that average premiums had risen 7% to $1,589 per year. The cost of insuring your business against data breaches and hacking attacks varies based on the nature and size of your business, as well as the state in which your business is located. Below, we list the average cost of Cyber Insurance in each state, along with the difference between the state average and the national average.

| State | Average Cost of Cyber Insurance | Difference from National Average |
|---|---|---|
| District of Columbia | $1,539.25 | 3.66% |
Besides the location of your business, a number of other factors can greatly affect the premiums that you pay for Cyber Liability Insurance. Insurance companies will take into account the nature of your business, the number of sensitive employee and customer records you store, whether your business stores credit card and banking information on your customers, and the types of security defenses your company has undertaken. Additionally, if your company has a history of cyber insurance claims, or if it has been attacked or hacked in the past, your premiums may be higher.
Compare Cyber Insurance Quotes
There are a variety of insurers and brokers in the market, and it can be difficult to sort through all of the options. AdvisorSmith analyzed a variety of cyber policies and determined the best cyber insurance companies for small businesses. To determine the best cyber insurers, AdvisorSmith considered a number of factors, including financial strength ratings from AM Best and Standard & Poor’s, customer satisfaction data from several J.D. Power studies, complaint ratings from the National Association of Insurance Commissioners, available features and options, and availability of information and ease of use of the insurers’ websites.

| Rank | Insurer | Score |
|---|---|---|
| 1 | Chubb | 5.0 / 5.0 |
| 2 | The Hartford | 4.9 / 5.0 |
| 3 | AIG | 4.7 / 5.0 |
| 4 | CNA | 4.7 / 5.0 |
| 5 | Hiscox | 4.6 / 5.0 |
| 6 | Arch | 4.5 / 5.0 |
| 7 | Hanover | 4.5 / 5.0 |
| 8 | Intact | 4.4 / 5.0 |
| 9 | Beazley | 4.3 / 5.0 |
| 10 | Axis | 4.3 / 5.0 |
What is data breach insurance?
Data breach insurance is a type of cyber insurance that provides for a more limited set of protections than a broad Cyber Liability Insurance policy. Also commonly known as first-party Cyber Liability Insurance, data breach insurance deals only with first-party losses that your business directly incurs, rather than third-party losses where your company’s data breach causes a customer or employee to suffer a financial loss.
Deductibles and Sublimits
Many Cyber Liability Insurance policies have sublimits for first-party coverage. A sublimit is part of the limits of insurance, but it places a maximum on the amount of coverage for that type of loss. For example, if you have a Cyber Liability Insurance policy of $1 million with a 50% sublimit on first-party coverage, the most the policy will pay for first-party losses is $500,000, and the most it will pay for all kinds of losses including first-party losses is $1 million.
Many Cyber Liability Insurance policies also have a deductible, which means that your business retains part of the risk of the loss, up to the amount of the deductible.
Reducing the Risks of Cyber Liability Claims
Cyber Liability Insurance should be your last line of defense against hacking, viruses, and data breaches. It is best to be proactive and take precautionary steps to reduce your exposure to cyber liability.
After a data breach, customers or clients may be less interested in doing business with you in the future.
Some ideas for reducing your cyber liability exposure include:
- Installing all the latest software and security updates.
- Hiring an IT security consultant to audit your systems and create a security plan.
- Backing up your company data on a regular basis and storing it in the cloud or offsite.
- Limiting access to sensitive information by employees using passwords for electronic data and physical locks for physical files.
- Using network security software and firewalls, including the use of virtual private network (VPN) software.
- Training employees on the importance of keeping customer and partner data confidential.
As the economy relies more and more on digital systems, software, and the internet, businesses will be increasingly exposed to cyber risk. From retailers that operate online e-commerce stores to restaurants that take online orders, businesses of all types need to take steps to safeguard their data and protect themselves from the financial consequences of a data breach or hack. Cyber Liability Insurance can provide coverage for both first-party and third-party liability losses if your business is the victim of a cyberattack.
AdvisorSmith spoke with the following experts to provide critical insight on cyber insurance for business owners.
- Associate Professor
- Department of Finance, Insurance and Law
- Illinois State University
- Davey Chair of Risk Management and Insurance
- Butler University
- Managing Director, Brantley Risk & Insurance Center
- Appalachian State University
Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?
Yayuan: Due to the growing demand for cyber insurance, the cyber insurance market is expanding rapidly worldwide. According to AM Best, the average annual growth rate in premium has been 20% in the past four years. Despite the relatively fast growth of the cyber insurance market, only a small portion of cyber loss is covered by insurance. In 2020, global losses from cybercrime are estimated at $945 billion according to McAfee, and global cyber insurance premiums are around $7.8 billion. This means insurance only covered less than 1% of cyber losses in 2020.
An important factor that determines the development of the future cyber insurance market is the insurability of cyber risk. First, cyber risk is increasingly sophisticated and hard to predict. Without sufficient data and good analysis of data, it is hard for insurers to quantify the likelihood of a cyber event and the costs generated from the event. Second, the potential loss from a cyberattack could be extremely high. The recent hack on Colonial Pipeline in the U.S. resulted in a massive gasoline shut-off and a ransom of $4.4 million. An event like this has a terrorism- and war-like character. We know that systemic or catastrophic risk is generally not insurable for private insurers. Third, as of now, there is also a lack of effective tools for insurers to prevent, detect, and evaluate cyber threats, which makes cyber risk hard to manage.
Without a full understanding of cyber risk yet, many insurers set low limits and various exclusions to cap their liability for cyber risk. For example, many insurers do not cover intellectual property theft or damage to physical assets from a cyber incident. In sum, cyber is a challenging risk for insurers and many are still in the stage of defining their own risk appetite.
Victor: Cyber distortion, ransomware, viruses, malicious breaches, stolen data, fraudulent use and access to accounts, phishing attempts, unintentional as well as unauthorized disclosure of data, attack of industrial controls, and the internet of things (IOT) and cloud computing are all growing cyber exposures—just to name a few. The increasing number of first-party and third-party cyber losses has significantly impacted today’s cyber insurance market.
The insurance industry is making two market adjustments to the increasing cyber claims. The availability of coverage—higher limits—is shrinking, and the pricing of coverage is increasing. This is the classic example of a hardening or hard market depending on how you look at the relatively short-term history of the cyber insurance marketplace. The main insurability challenge is the lack of access to coverage and higher insurance premiums on renewals.
David: Cyber insurance is rapidly becoming more expensive and restrictive due to the high-profile cyberattacks and ransomware demands over the last year. Cyber insurance typically covers two things: data and the network. Data is arguably the most valuable asset for an organization and subject to privacy laws. The network computer system is at risk of being breached, damaged, and held for ransom. What started several years ago as kids in the basement extorting a few hundred dollars has evolved into organized crime and state-sponsored cyberattacks requiring payment of millions in bitcoins. The increasingly sophisticated attacks have led to dramatic increases in loss frequency and severity which causes higher premiums.
Cyber insurance is still relatively new, and insurers are still learning how to model the risk and provide effective loss control. It is the fastest-growing line of insurance, and insurers are struggling to keep up with the evolving threats.
Q. Should small businesses be concerned about cyber risk?
Yayuan: Cyberattacks on small businesses can be the same as large businesses, but small companies do not have the same resources to build a strong cybersecurity system as large corporates and are less likely to survive a severe cyberattack.
Especially after large corporates implement a hard-to-break security system, small firms will be more likely to be the target of cybercrime. In this sense, small businesses should be more concerned about cyber risk.
Victor: Cyber insurance is now necessary coverage for any business, regardless of size, that handles data either on a local network or in the cloud. And, without this coverage, most small businesses can’t handle the devastating financial consequences caused by a cyberattack. These costs include legal fees, recovering and restoring data, and the cost of compliance in notifying customers of a data breach.
David: Absolutely, in fact, they should be more concerned. Large businesses have deeper pockets and the ability to pay significant amounts to rebuild a network, recover data, and pay ransom. Smaller businesses have fewer resources and are therefore less likely to recover from a cyberattack or ransomware. Given that small businesses have less security and experience, they are also an easier target.
Q. How can a business effectively organize and manage cyber risk?
Yayuan: As mentioned earlier, the current premium volume from cyber insurance only covers a small portion of the actual cyber loss. Therefore, much of the risk is retained by companies themselves. So cyber risk management should focus on prevention and loss control.
First, a company can try to make its systems as secure as possible. For example, design a secure system and constantly update systems to protect against malware and hacks.
Second, a company should have a cyber incident response plan in place to minimize financial and reputational damage when a cyber attack occurs.
Third, a company should purchase cyber insurance even though coverage is limited. Companies should actively work with insurers on preventative measures and crisis management support. The smaller the company, the more important such support services are.
Fourth, companies in the same business may work together to develop a cybersecurity strategy and protect each other from cyberattacks.
Lastly, for large-scale cyber events, the government should step in and unify corporations, insurers, and reinsurers to work out a long-term risk-sharing solution. As has been seen in terrorism risk and earthquake risk, government-backed risk management solutions are necessary when a systemic risk might surpass the capability of the private insurance industry.
David: Update passwords regularly and make them harder to guess. No pet names, birthdays, or mascots. Setting up dual authentication and biometrics will also help. If a business purchases cyber insurance, the insurer will provide loss control services and guidance on how to manage the risk.