Many small businesses use computers to send, receive, or store electronic data. Important data may be contained in sales projections, tax records, contingency plans, and other company documents. If such information is lost, damaged, or stolen due to a security breach, it may be difficult and costly to restore.
A data breach can also trigger third-party claims or lawsuits if it involves personally identifiable information such as social security numbers, health records, and credit card numbers. Businesses can protect themselves against the costs associated with data breaches by purchasing a cyber liability policy. Examples of cyber policies are The Hartford's CyberChoice, Travelers' CyberRisk, and Philadelphia's Cyber Security product.
What Is Cyber Liability Insurance?
Cyber liability insurance covers financial losses that result from data breaches and other cyber events. Policies vary widely because most insurers that offer cyber coverage use forms they've developed themselves. Many policies include both first-party and third-party coverages.
First-party coverages pay out-of-pocket expenses that a firm directly incurs as a result of a breach. Third-party coverages apply to damages or settlements a business is obligated to pay as a result of claims or suits for injuries that result from the company's actions or failure to act. For instance, a client sues his therapist for negligence after a hacker breaches the therapist's computer system, steals the client's treatment records, and releases them online.
Many cyber policies provide a range of coverages, some of which are automatically included and others of which are optional. A separate limit may apply to each coverage. Some coverages may apply only after the insured business has paid a deductible or a retention.
Cyber liability policies contain many defined terms. The meanings of these terms are important because they determine the scope of coverage provided.
Coverage for Costs of a Breach
Here are some first-party coverages you are likely to find in a cyber liability policy. These reimburse the business for costs it's already incurred.
- Data restoration: Covers the cost to replace or restore electronic data, programs, or software damaged or destroyed by a hacker attack, a virus, denial of service (DoS) attack, or other covered peril.
- Loss of income and extra expenses: Covers income losses sustained by a business and extra expenses it incurs to restore its operations following a shutdown caused by a computer virus, hacker attack, or other covered peril. Some policies cover income a business loses because a supplier, distributor, or other company that it depends on has been forced to shut down due to a data breach.
- Cyber extortion: Covers a ransom paid to a hacker who's breached a company's computer system and threatened to commit a nefarious act like damaging data, introducing a virus, initiating a DoS attack, or releasing confidential data unless the ransom is paid. Policies generally cover any extortion payment made with the insurer's consent plus related expenses, such as the cost of hiring an expert to negotiate with the extortionist.
- Notification costs: Covers the cost of notifying parties whose data has been affected by a data breach. This coverage is important because most states have laws requiring businesses to inform individuals when their personal information has been compromised. Policies may also cover the cost of providing credit monitoring services and establishing a call center.
- Crisis management: Most cyber policies afford some coverage for crisis management expenses. Depending on the policy, coverage may include the cost of hiring an attorney, forensic accountant, computer expert, or public relations expert to assess the scope of the damage, determine whose data was compromised, help mitigate the loss, and protect the company’s reputation.
Most small businesses pay an annual premium of $2,000 or less for a cyber liability policy.
Coverage for Claims and Lawsuits
Many cyber policies include liability coverages like those outlined below. These coverages are usually claims-made. They typically cover damages or settlements plus defense costs, which may be covered within the limit or in addition to the limit.
- Network security and privacy liability: Covers claims against the business arising from negligent acts, errors, or omissions such as the failure to protect sensitive data, the failure to provide notification of a data breach, or the failure to prevent a security breach that results in a DoS attack or the introduction of a virus.
- Electronic media liability: Covers lawsuits against the business for acts like libel, slander, defamation, copyright infringement, invasion of privacy, or domain name infringement. Generally, these acts are covered only if they result from the policyholder's publication of electronic data on the Internet.
- Regulatory proceedings: Covers fines or penalties imposed on the business by regulatory agencies that oversee data breach laws. Also covers the cost of hiring an attorney to help respond to a regulatory proceeding.
What Cyber Policies Don't Cover
Like all insurance contracts, cyber policies exclude certain types of claims. Here are some typical exclusions:
- Bodily injury and property damage.
- Intentional dishonest acts committed by the insured.
- War and terrorism.
- Contractual liability.
- Utility failure.
- Cost of restoring computer systems to a higher level of functionality than they had previously.
- Acts committed before the retroactive date (if the policy has one).