CYBER INSURANCE: Frequently Asked Questions

What is Cyber Exposure?

Cyber exposure is the potential magnitude of a cyber loss.

Cyber insurance buyers need to understand their cyber exposure in order to understand their cyber insurance needs.  This is often put into the context of business interruption (BI):

Loss of Revenue

  • After a cyberattack, your systems could be disrupted or completely shut down.
  • Costs of a shutdown can be higher than the actual cost to repair the problem.
  • Can you afford to lose this revenue while your business cannot operate?

Loss of Customers

  • What is the cost of disappointing your customers?
  • Can you afford to lose customers?

Information at Risk

  • Businesses of all sizes have valuable information.
  • Payment Card Information (PCI) -- an industry standard designed to make it safer to use credit cards online by ensuring secure collection and storage of credit card data.
  • Personally Identifiable Information (PII) -- any data that could be used to identify a person (e.g., name, address, social security number, driver's license number, passport number, bank account number, or email address).
  • Protected Health Information (PHI) -- information in a medical record used to diagnose or treat a patient that can be used to identify the individual (as defined by HIPAA, the Health Insurance Portability and Accountability Act).

Ultimately, a robust, comprehensive stand-alone cyber insurance policy with appropriate business interruption (BI) limits is an important cyber risk management tool.

What is cyber risk?

Cyber risk is the probability of financial loss from a cyberattack.

The adage is: It is not IF you will be the victim of a cyberattack but WHEN.

That means a business, organization, university or governmental body may encounter a cyberattack at any time regardless of their size or level of security.

The ideal is to get the coverage you need for your particular cyber risk -- because it will be used at some point.

Unlike the probability of a fire when you acquire fire insurance, there is a greater probability that you will in fact use your cyber coverage, in particular, the first party coverages which are an added value discussed here in the FAQs.

Reports indicate that:

  • 76% of US SMBs have experienced a cyberattack.
  • 69% of US companies experienced a data breach (Ponemon SMB 2019 Survey).

What is Cyber Liability?

Cyber liability refers to the financial responsibility of a company to pay for damages with regard to exposure of private information and / or other damages caused by computer systems and networks, whether by malice or by accident.

What is cyber insurance and is it worthwhile?

Cyber insurance is a financial risk transfer product that helps protect organizations from cyber risks by transferring those risks away from the insured.

Cyber insurance is unique in that it offers multiple coverages such as network security and privacy liability and media liability in a non-standardized policy.

In essence, businesses transfer their cyber risk via a stand-alone cyber insurance policy. That means:

  • You are not adding cyber onto your existing policies (that do not grant affirmative cyber coverage); and
  • You are acquiring a new policy specifically for your cyber exposure and risk.

This type of insurance requires a high level of knowledge on the part of your insurance partners. We provide that knowledge via our team and our insurance carrier partners.

Network Security & Privacy Liability:

Covers first-party claims against your business in the event of network security failure, which can include a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise.

First Party Coverage under a cyber policy offers you important services to help your business respond in accordance with legal requirements and to assure that your financial situation and reputation remain as close to pre-attack levels as possible.

First Party coverage applies to the policyholder's direct costs when a security failure or data breach occurs.  

For example:

  • Forensic investigation of the breach;
  • Legal advice to determine your notification and regulatory obligations;
  • Cost of breach notification to victims;
  • Offering credit monitoring to customers;
  • Public relations expenses;
  • Loss of profits and extra expense during network down time;
  • ID theft insurance to victims;
  • Cyber extortion payment in ransomware attacks.

In addition to the benefits of First Party Coverage, cyber insurance provides Third Party Coverage as an added value.

Third Party Coverage applies if you need to pay damages to injured parties, including lawsuits or regulatory action.

For example:

  • Damages incurred from a data breach;
  • Legal defense costs;
  • Regulatory fines and penalties levied by regulators (e.g., by the FTC, SEC, CA Attorney General for CCPA violations, ICO fines for GDPR violation, Payment Card Industry fines).

Media Liability:

Media liability refers to the potential damages that may arise from the publishing and dissemination of content. This includes exposures such as copyright infringement, trademark infringement, libel, and slander. Cyber policies include coverage for these media perils as they relate to the policyholder's websites and online content, including social media and networking sites. The most common example of a media peril covered under a cyber policy is posting copyrighted photos to a website without the appropriate permission or release from the owner.

Can our GL, PL, Crime or D&O Policy Cover Cyber Losses?

No. These insurance policies, referred to as non-affirmative cyber policies, were not intended to cover cyber losses.

In recent years, we've seen coverage disputes decided in a court of law. Some but not all courts have granted cyber coverage under non-cyber insurance policies. This is referred to as Silent Cyber. That means, even though the policy did not specifically grant or deny cyber coverage, and thus was silent, a court found coverage for the insured.

This is a risky and costly road to take in order to find cyber coverage.

The best road to choose is to have a cyber insurance specialty agent help you find the stand-alone cyber insurance policy appropriate for your cyber exposure and cyber risk.

Can I get a discount for my investment in cybersecurity practices and procedures?

Better security can be presented to and considered by the insurance carrier.

The key is to qualify for the most robust, comprehensive coverage offered.

Over time, the more a business can demonstrate good cyber hygiene, the more likely it will be assessed as a lower cyber risk by underwriters.

On the other hand, poor cyber hygiene could negatively impact your premium.

What factors are considered in the insurance carriers' coverage analysis?

Overall security hygiene as well as cyber exposure and risk (as noted above).

For example:

  • Employee Security Training and Testing;
  • Incident Response Plan;
  • Information Security Policy;
  • Business Continuity Plan;
  • Disaster Recovery Plan;

What is Social Engineering?

Social engineering is when cyber criminals deceive or trick email or phone call recipients during their work functions or tasks, such as handling the company's accounts payable and receivable. It differs from human error because an individual is induced to follow a fraudulent procedure.

For example:

Business email compromise or spoof emails: After weeks or months of studying an organization's systems or employees' social networking sites, imposters email an employee pretending to be a fellow employee or law enforcement authority or auditor.

Inducing fraudulent wire transfers: When spoof emails are used to trick an employee into changing a bank account (from a valid account to a fake account), allowing cyber criminals to obtain the wired funds.

Phishing: Social engineers use information from social media sites to gather information that can be used in an attack via an email link.

Spear-Phishing: Becoming the preferred choice by cyber criminals in targeting a company for a ransomware attack via an email link.

What is GDPR?

Europe is now covered by the world's strongest data protection rules. The European Union (EU) General Data Protection Regulation (GDPR), which came into force on May 25, 2018, is designed to modernize laws that protect the personal information of individuals in the EU.

The GDPR includes:

  • mandates on the consent given by data subjects in the EU before their data is processed by an entity,
  • time limits on retaining data,
  • the appointment of data protection officers,
  • the designation of an EU representative, and
  • a list of regulations on the collection, processing and storing of personal data.

The stakes are high as businesses seek to avoid fines and penalties for non-compliance as well as costly litigation following data breaches.

The passage of GDPR was a watershed event and has inspired new regulation in other jurisdictions.

Most notably, businesses in the US are now contemplating their compliance requirements under state privacy laws, some effective in 2020 and others anticipated later.

What is CCPA?

The California Consumer Privacy Act (CCPA) is a state statute that grants California consumers the right to know about and control the personal information that businesses collect about them.

Since compliance with the GDPR does not ensure compliance with the CCPA, businesses are relying upon the advice of counsel to navigate toward compliance.

As under the GDPR, the stakes are high here as well. Businesses are seeking to comply in order to avoid fines and penalties for non-compliance as well as costly litigation following data breaches.

This article is made available for informational purposes and is not intended to be a substitute for professional or legal advice. No attorney-client relationship is formed or implied between you and the author(s) or Cyber Armada Insurance.