Why is Cyber Insurance Essential in Today's Digital Landscape?
Cyberattacks are increasing: ransomware attacks alone rose 13% year-over-year, and average ransom demands now exceed $4 million. Small to medium-sized businesses (SMBs) are particularly vulnerable to such attacks. In 2023, 43% of cyberattacks targeted SMBs, at an average cost of $3.31 million, and 60% of SMBs shut down within six months of a major attack.
General liability or property insurance typically doesn't cover most cyber incidents, as it primarily focuses on risks of a physical nature. This is why it's crucial for organizations to obtain cyber insurance coverage. Cyber insurance covers various types of cyberthreats and a range of expenses, including legal fees, IT support, regulatory fines, and more.
As cyberattacks become more costly, the demand for cyber insurance will skyrocket.
What Does Cyber Insurance Cover?
There are two primary coverages that cyber insurance provides: first-party coverage and third-party liability coverage. In her RSAC™ 2024 webcast, Mia Clift, Principal Cybersecurity Risk Engineer at Liberty Mutual, breaks down what each of these two types of coverage includes:
First-party Coverage
Event Management Costs, including investigation costs for breach coaches, incident responders, and forensic accountants. According to Clift, this also includes the costs to investigate the cause, source, and scope of a cyber event, mitigate further damage, and notify affected individuals, as well as provide post-breach services such as mailing out notifications.
Business Interruption/Extra Expense covers net profit or loss, the cost of continuing normal operations, and any extra expenses incurred following a cyber event.
Data Restoration covers the costs incurred to restore, recreate, or replace data that has been lost or destroyed in an incident.
Cyber Extortion covers costs incurred to investigate, mitigate, or end a cyber extortion event, including the payment of ransom. Cyber insurance also offers options for a ransomware negotiator to assist with ransomware demands.
Third-Party Liability Coverage
Network Security Liability: this coverage provides for defenses and damages for claims arising out of any failure, breach, compromise, or violation of the security of insured computer systems.
Privacy Liability offers defense and damages for claims arising out of any suspected, actual, or alleged unauthorized disclosure.
Regulatory Liability covers fines (e.g., GDPR, CCPA violations) and penalties arising out of a civil investigative demand or a civil proceeding brought by or on behalf of a governmental entity or data protection authority.
Media Liability provides defense and indemnity for claims of personal injury harms, such as libel, slander, defamation, and copyright infringement.
In an RSAC™ 2024 Conference presentation, Christopher Seusing, Partner & Chair of the Privacy & Cybersecurity practice at Wood Smith Henning & Berman LLP, warned that these types of claims are "Not universally included in all insurance coverages. You must check with your provider and be aware of what can be available."
In addition to organizations checking and confirming what is actually covered under their cyber insurance policy, they also need to understand what is not covered in their policies.
As a panelist alongside Seusing, Monique Ferraro, Cyber Counsel at HSB, quickly touched on common exclusions in cyber insurance.
Criminal Activity: Any criminal activity on an organization's part will not be covered. This means actively engaging in criminal behavior whether intentional or not. For example, Ferraro stated, "If it's wiretapping in a jurisdiction where that is brought, it's not going to be covered by your insurer because if it employed real-time acquisition of a wire communication, which is arguably what web tracking software is, and if you didn't provide notice that was voluntarily and knowingly acknowledged and consented to by the end user, then that's a good argument for criminal activity."
War-Related Damages: Cyber insurance typically excludes damages related to war.
Failure to Patch/Ignoring Critical Vulnerabilities: If an organization fails to patch vulnerabilities within a specified period, the insurance provider may deny claims.
Biometric Privacy Law Violations: Violations of biometric privacy laws are increasingly being excluded from cyber policies.
Unsavory Data: Cyber insurance policies generally do not cover losses or liabilities arising from data that is illegally obtained, stored, or used, or data that is associated with illicit activities.
Cyber insurance policies are evolving to include new coverages like auto, personal cyber, and cryptocurrency. As Ferraro stated, "Everybody is still working on AI," so we can expect cyber insurance policies to continue modifying, adopting, and changing as technology advances and new risks emerge.
How Does an Organization Choose the Right Cyber Insurance Policy?
When looking to get cyber insurance, organizations should consider several factors. Sarah Anderson, Founder and Attorney at SWA Law LLC d/b/a LegallyCyber.com, highlighted a few factors to consider in her RSAC™ 2025 Conference presentation:
Software and Hardware Age
Evaluate the age of current software and hardware to understand the overall vintage of systems, the data stored within them, and what might require cleanup or updates.
Infrastructure Type
Determine if the organization operates with cloud-based, on-premises, or hybrid servers. Additionally, identify the types of software licenses currently in use.
Third-Party Network Privileges
Identify all third parties who interact with the organization's network, understanding the nature of their access and the access they provide to the organization.
User Base and Data Sensitivity
Assess the number of users and the types of data handled. Specifically, determine if the organization manages any regulated data (e.g., healthcare/biometrics), as these require adherence to specific compliance rules.
Deductible Payment Capacity
Evaluate the organization's ability to cover potential deductibles associated with a cyber incident, and understand the deductible options offered by cyber insurance providers.
Frequency of Wire Transfers
If the organization frequently engages in wiring funds, ensure its policy covers this activity. As previously mentioned, wiring funds without prior notification to the appropriate party can be considered criminal activity.
Cost of Downtime
Factor in the potential financial impact of business interruption and downtime following a cyber incident.
Need for Additional Insured(s)
Determine if partners or vendors need to be included as additional insureds under the organization's policy.
Instead of simply choosing the first cyber insurance policy that meets their immediate needs, organizations should proactively shop around for multiple quotes from reputable insurers with proven experience in cyber risk. This process also involves a careful review of policy language, paying close attention to definitions and exclusions.
Given the ever-evolving nature of cyberthreats and the significant financial and reputational risks they pose, cyber insurance is no longer a luxury but a fundamental necessity for organizations of all sizes in the digital age.