Cyber insurance: a key part of a robust business strategy

What is cyber insurance, and why is it important?

Cyber insurance is a policy that covers expenses and responsibilities arising from cyberattacks or computer incidents. As this coverage can help with financial and legal costs that stem from cyber incidents, maintaining it can be a savvy strategy to protect business assets and brand reputation.

Some insurance companies provide coverage for specific cybersecurity events in their standard business liability products, such as in a Business Owners Policy (BOP), or offer it as an additional option. However, these policies typically cover a limited range of cyber threats. Accordingly, businesses aiming to manage risks often decide on a separate cyber insurance policy tailored to their unique risks.

What are the top cybersecurity threats for businesses?

Cyber threats include malware, ransomware, bot attacks, data theft, and unauthorized use of an organization's network, data, or devices. According to Verizon's 2023 Data Breach Investigations Report, attackers primarily gain access through stolen credentials, phishing, and exploitation of vulnerabilities.

Cyberattacks can lead to financial and reputation issues. These issues include unhappy customers, lost money, penalties, lawsuits, lower company value, and difficulties managing resources. The first line of defense is knowing your attack surface and creating an incident response plan. Preparedness should also include a plan for managing the financial and legal implications that can arise.

Can our company become the target of a cyberattack?

Any organization, regardless of size, can be an attractive target. Attackers seem to be especially interested in companies that handle or store private or other types of valuable data, including:

  • Records of financial transactions and payments
  • Personally identifiable information (PII), including customer and human resources data
  • Healthcare information
  • Work product (digital assets, intellectual property, trade secrets, trademark and business strategy, etc.)

Cyberattacks have become increasingly sophisticated, expensive, and far-reaching. The federal government has increased its monitoring of the threat landscape due to the growing vulnerability of U.S. infrastructure. Hits to large banks, student loan servicers, and high-profile tech brands like Twitter, Uber, and WhatsApp have made headlines for years.

However, breaches impacting small businesses have also wreaked havoc. An incident at a startup in 2022 exposed the personal data of over 50,000 users, leaking home addresses, email, and some credit card details. Some network intruders aim to steal the intellectual property, brand strategy, and trade secrets of up-and-coming innovators. Hackers often also go after other operational data, such as email accounts, preventing a business from engaging with customers.

"Will a breach happen to our organization?" has been replaced by "When a breach happens, how will we be prepared to resolve it, minimize the damage, and return to normal operations as quickly as possible?"

How expensive are cyberattacks?

According to the IBM Cost of a Data Breach Report 2023, the global average data breach cost in 2023 was $4.45 million, a 15 percent increase over three years. The FBI reported in 2022 that the potential total loss in the landscape it monitors grew from $6.9 billion in 2021 to more than $10.2 billion in 2022.

In addition to financial and legal liabilities, cyber incidents can spark regulatory penalties, adding to the overall costs. For example, an online fashion retailer incurred a fine of $1.9 million from the state of New York for failing to disclose a data breach in years prior that impacted 39 million consumers. When looking at these or other estimates about data breaches, keep in mind:

  1. Many incidents go unreported because of a target's fear of reputational or legal ramifications.
  2. Cyberattacks can impact future revenue and profits, especially if the breach and subsequent fallout aren't appropriately mitigated.

What are the types of cyber insurance coverage?

Standard cybersecurity liability policies can cover costs typically associated with the most common cyber risks such as ransomware, malware and phishing scams, and similar breaches:

  • First-party coverage provides for a cyberattack's more urgent and direct expenses: ransomware or extortion payments, notifying impacted employees and customers, legal fees, business interruption, and other breach-related expenditures. Some policies may also cover the cost of providing identity protection to customers affected by a breach.
  • Third-party coverage helps the company defend against lawsuits brought by customers and other parties due to the cyber incident, such as litigation fees and fines. These costs can include expenses from a regulatory investigation, breach of contract or negligence claims, and class action lawsuits.

What isn't covered by cyber insurance?

Standard cyber risk coverage can help mitigate the costs of a breach investigation and loss of income during downtime. However, many insurers don't provide coverage for other repercussions that can occur after an incident. Uncovered losses can include:

  • Loss of revenue associated with intellectual property theft.
  • Revenue-impacting damage to brand and reputation.
  • A drop in stock prices following news of a breach.

Also, many cyber insurance providers don't cover costs to replace hardware or other property damaged in a cyber incident. However, businesses may be able to mitigate these costs with coverage under commercial property insurance. While insurers typically won't reimburse policyholders for establishing a virtual private network (VPN) or training employees to prevent future attacks, policyholders may be offered incentives for implementing these preventive measures.

Is cyber insurance affordable?

The continued rise in cyber incidents and related costs creates forecasting and risk pricing challenges. Premium rates vary based on company needs and operations, so they can be low for some organizations and high for others. Some insurers offer access to cybersecurity experts and resources for faster data recovery and resuming normal operations. Ultimately, a policy premium can be cheaper than the costs of starting over or paying legal fees after an incident.

How much cybersecurity coverage do businesses need?

An insurance professional can help you find the right amount of coverage for your organization's unique cybersecurity needs. Discuss how cyber policies handle email compromise, phishing scams, and other security risks, and address your company's liability concerns. Insurers may provide guidelines or requirements for how your organization can handle incidents. Be sure to evaluate how those restrictions might impact operations.

Triple-I remains committed to policyholder awareness and education. To learn more about cybersecurity threats, check out our additional resources below. Also, follow our blog for an insider look at trends in managing cyber liability risks.

Learn more:

Facts + Statistics: Identity theft and cybercrime | III  

Cyber liability risks  

Top 10 Writers Of Cybersecurity Insurance By Direct Premiums Written, 2022 (1) | III 

Cyber Issues Brief: State of the Risk 2024  

Consumer indifference is still a challenge for personal cyber insurers
