BizTech Law Blog

Cyber Insurance: Is it right for you?

We are frequently asked about insurance policies that cover internet-based risks, including network security risks such as data breaches and ransomware, as well as data privacy-related risks such as class action lawsuits for privacy violations and costs related to the increasingly complex landscape of privacy rules.

Several of our other articles have discussed ways to mitigate these risks through preparedness and prevention measures. However, many privacy and security risks arise from simple human error, which can never be eliminated entirely. Therefore, companies have increasingly mitigated these risks with cyber liability insurance (“cyber insurance”) in the past several years. In particular, cyber insurance often mitigates the costs and consequences of a data security incident or data breach and the potential liability that may result from it.

What does cyber insurance cover?

Cyber insurance coverage will differ from product to product. It is important to review and understand what your cyber insurance policy covers. Cyber insurance typically covers losses that result from data privacy and security incidents, which may include the following:

  1. Incident response services and cost reimbursement, including the cost to investigate the incident, legal expenses, public relations and crisis management, ransomware payments, breach notification, and the cost to provide credit monitoring services to affected individuals.
  2. Lost revenue resulting from business interruption, which may include third party claims, and the costs to remediate the interruption.
  3. The costs to respond to third party claims related to privacy or personal injury.
  4. The costs relating to government investigations and fines related to the incident.

However, not all policies are the same, and cyber insurance policies often uniformly exclude several risks, so it is important to closely review the policy’s scope. For example, a policy may not cover significant fines imposed by regulators for violating data privacy rules like the EU’s General Data Protection Regulation or the privacy rules enforced by the Federal Trade Commission. Similarly, risks arising from war and terrorism are typically excluded, and there is a question as to whether cyber insurance will uniformly cover large, coordinated cyberattacks launched by nation-states that are arguably acts of war or terrorism.

What is the typical cost for cyber insurance?

The cost of cyber insurance can vary greatly and will depend on your business, the risks that it faces, and the amount of coverage. Average premium costs range from a few hundred dollars per year to several thousand dollars per year. Employers that take proactive steps such as implementing an incident response plan, training employees on cyber risks, and implementing technology protections such as firewalls and strong password policies may be able to obtain a lower rate on cyber insurance. In some cases, insurers are actively helping businesses to review their cyber liability posture and take steps to improve it.

A business may be curious about how much coverage it should purchase to cover potential risks. While this is a difficult question to answer, several factors should be considered to understand the business’s risk profile. Does the business store customers’ personal data?  Is the business in an industry that is susceptible to cyber-attacks or heavily regulated? For example, healthcare institutions covered by HIPAA and financial institutions are more likely to see significant benefits to cyber insurance compared to businesses in unregulated industries.  

Incident response considerations

Cyber insurance policies typically require that the insured notify the insurance provider upon the occurrence of an incident that may result in a claim. The timing on this requirement may vary. We recommend understanding the policy’s notification requirements, and aligning them with the business’s incident response plan.

A cyber insurance carrier may require the insured business to use the insurance carrier’s recommended attorney if a data security incident arises. However, insurance companies often permit the insured business to use its own selected attorneys instead, though this may require prior planning and approval.

If you would like to discuss cyber insurance, what your current policy covers, and what responsibilities your business has in the event of an incident or breach, our Foster Swift cyber security attorneys are happy to discuss these issues with you and review your current insurance coverage. Additionally, if you are faced with an incident or breach, please contact us on our 24-hour hotline at 517-FS1-TASK (517-371-8275).
