A Primer on Cyber Insurance: What Business Owners Should Know

George A. Berman, Partner, Peabody & Arnold LLP, and Mark Van Divner, Chief Information Security Officer, First Republic Bank
August 21, 2019

For the vast majority of business owners, securing insurance to protect physical property against traditional hazards — such as fire, flood and theft — is second nature. However, far fewer seek out “cyber insurance” to safeguard digital assets from the risk of electronic crimes. This relatively new type of insurance has emerged primarily because of the 21st-century rise in cybercrime, such as malware infections and phishing scams, which have led to headline-making data breaches and social engineering attacks resulting in the unauthorized transfer of funds.

Cyber insurance is entirely new terrain for entrepreneurs to navigate. Following are some considerations for business owners as they decide whether cyber insurance is right for them.

Why would a business need cyber insurance?

Many companies don’t fully appreciate the value of their data in the eyes of cyber criminals. Digital threats evolve at such a rapid pace that it can be difficult to get a clear grasp on particular vulnerabilities — and the potential peril those vulnerabilities represent to both the company and its customers — until it’s too late.

Any company that collects “personally identifiable information” from customers, such as credit card numbers, Social Security numbers, date and place of birth, mother’s maiden name and biometric records, is at risk, whether it’s a retail shop nestled in a downtown city block, a dental office in a suburban mall or a small online side-business.

Most states have data breach notification laws which require companies to alert customers if their personal information has been compromised. While this seems like a sensible precaution, it’s an incredibly involved and expensive process for a business to carry out in practice. When you send out the notification, many people will call, tying up your phone lines. You might have to research and then follow different requirements from each of the states your customers live in. Often, a business that suffers a data breach will ultimately need to hire a notification service because the details of notification are so complex. Likewise, if your website goes down because of a cyberattack, or if you or your staff fall victim to a social engineering attack (such as a Business Email Compromise scam) that results in the loss of funds, those incidents can represent a significant cost to your business. In July 2018, the FBI reported that between October 2013 and May 2018, businesses and individuals around the world lost $12.5 billion to the Business Email Compromise scam.

Such scenarios are hardly rare occurrences: 67 percent of the roughly 1,000 small- and medium-sized businesses surveyed by the Ponemon Institute in a 2018 study said they suffered a cyberattack in the past year, and 58 percent said they experienced a data breach involving customer and employee information over the same time period.

How should you evaluate a policy?

This is where things can get tricky. If you purchase fire insurance, the policy will likely have a slight variation of wording that’s been used for a century. Volumes of case law make the terms of the coverage clear. In contrast, the scope of what will and will not be covered by cyber insurance is less clear. Best practices and industry leaders have yet to emerge, there is no uniformity of language, and the policies have not yet been tested in court.

The bottom line: You’ll need to pay attention to the exact wording and analyze the coverage in comparison to your operational business risk.

Tip: Watch out for policy exclusions

Innocent-sounding exclusions in cyber insurance policies — the most common of which is an exclusion of cyberattack by rogue employees — can end up being quite costly. For example, a disgruntled clerical employee could download multiple customer files to a thumb drive upon exiting the company, leaving the firm on the hook for hefty notification costs.

Having a cyber insurance policy that excludes incidents caused by your own employees, whether careless or malicious, is like having a fire insurance policy that excludes fires caused by a faulty toaster: that’s when you need the policy most. Many cyber insurance policies also require perfectly good controls, such as encrypting sensitive data and changing passwords regularly, as a condition of coverage. The problem is that companies don’t always follow these practices consistently, and a rogue employee who is willing to breach your data certainly won’t, either.

What does cyber insurance cost?

More than 60 carriers offer stand-alone cyber insurance policies, according to a 2015 white paper from the Insurance Information Institute. That said, cyber insurance is typically a rider to your general business insurance, which means the cost of the rider will vary depending on your overall insurance package. Doing your due diligence and reading the fine print is mandatory when shopping for a cyber insurance policy that can give you the level of protection you need.

What are policy limits?

Many policies provide $25,000 in the case of a data breach. This may sound like a lot, but in reality, you can eat up $25,000 in 25 minutes responding to a cyberattack. According to the 2018 Ponemon Institute study cited above, reported attacks cost the surveyed companies an average of nearly $1.43 million in damage to or theft of IT assets and an average of $1.56 million due to the disruption of operations. Unauthorized fraudulent transactions resulting in the loss of company or client funds are often a direct hit to bottom-line profits when cyber insurance isn’t in place to cover or offset these losses. What’s more, litigation could substantially increase costs should there be no cyber insurance coverage, or in the event that there is a disagreement over who is liable.

While these numbers may seem high, keep in mind that it can be difficult to determine all the downstream costs of a cyber mishap. For example, you might expose a customer’s data, which can subject you to a lawsuit. A cyber thief might infiltrate your systems to obtain data they then use to infiltrate one of your large customers, which can result in a massive cost that might eventually come back to you.

How do you make a claim?

This is another area of cyber insurance that is still developing. If the physical property of a business is damaged by traditional hazards, the business owner can turn to a claims operation at their insurance company. That often isn’t the case with cyber insurance, in which you may find yourself working with your insurance carrier to figure out who will handle your claim and how.

Safeguarding your business with cyber insurance

Such hurdles, though perhaps frustrating, shouldn’t put you off from cyber insurance. In a world where data is the currency of business and financial transactions are required to run your business, ensuring your data and customers are protected amidst an ever-shifting digital landscape is critical. Staying informed on the developing field of cyber insurance can help you make the best decision to safeguard your business.


This article was originally published April 17, 2017, and has been updated with new statistics as of August 21, 2019.

The strategies mentioned in this article may have tax and legal consequences; therefore, you should consult your own attorneys and/or tax advisors to understand the tax and legal consequences of any strategies mentioned in this document. This information is governed by our Terms and Conditions of Use.