10 Things You Need to Know About Cyber Liability Insurance

Beyond satisfying increasing regulatory demands and standards set forth by clients, investors, boards of directors and other stakeholders, businesses across nearly every industry are also contending with high standards for securing cybersecurity liability insurance. These policies – once nice-to-haves – are now becoming the norm for any organization that handles personal or sensitive data.

Even for those who’ve previously secured coverage, expectations (and premiums) are increasing. So how do you ready your business for effective coverage? Here are 10 critical things to know.

1. You probably need it. Every business in every industry is vulnerable to a cybersecurity incident. While of course there are varying levels of exposure, you should assume if your business handles any sort of sensitive information (customer PII, credit card/banking information, medical information, etc.), that you need cyber liability coverage. Your standard corporate policy likely does not cover cybersecurity-related incidents, and thus, you’ll need to explore standalone coverage.

2. It won’t be a cakewalk to get it. Truth be told – securing cyber liability coverage is not a fast or easy process. Many businesses are finding it difficult to qualify, as carriers rapidly increase their expectations and standards. Insurance applications can be extremely detailed, and many providers also require companies to benchmark their cyber risk programs against comprehensive compliance frameworks such as NIST.

3. It won’t be cheap either. Easy? No. Inexpensive? Also no. Cyber insurance premiums over the last two years have skyrocketed and are expected to continue increasing an average of 20-30% per year. Of course, specific policy premiums will be reflective of many different variables.

4. There are a variety of factors that may influence your coverage. Size, geography, regulatory requirements, and industry are just a few of the factors that will influence your business’ cyber insurance quote. Industries like healthcare & financial services, in particular, are frequently targeted by hackers; as a result, their coverage is often more expensive.

5. Coverage is ultimately determined by your organization’s level of risk. In addition to the aforementioned variables, your company’s insurance coverage will most significantly be dictated by your level of security risk – and the programs you’ve implemented to mitigate said risk. Most businesses, unfortunately, have very little insight into their specific risks and vulnerabilities, as well as how those risks correlate to the value of their sensitive data. Emerging technologies like data discovery can give companies a leg up in identifying critical vulnerabilities and providing transparency into the potential financial impact of security incidents.

6. Not everything will be covered. Every policy is different, but most cyber liability policies do not cover future financial losses, system and technology upgrades, and impacts to company valuation/market share.

7. Coverage will likely include some potentially expensive ramifications. Liability coverage for cybersecurity does typically include a number of relatively costs items that could result in the event of a cybersecurity breach or incident, including forensic costs, cyber extortion/ransomware costs, legal fees and lawsuits, and certain regulatory fines.

8. Technology is a big focus (obviously). Because of the nature of most cybersecurity breaches and incidents, your cyber insurance application will primarily focus on technology and systems you have in place to protect your network and sensitive data. From firewall protections to monitoring tools to multi-factor authentication software, carriers will ask detailed questions about your hardware and software infrastructure.

9. But policies are critical too. While information gathering, cyber insurance carriers will also focus on the policies and procedures you’ve implemented to both prevent cybersecurity risk AND respond to incidents that inevitably occur. This level of detail will help providers verify that you’ve taken the necessary time to think through potential vulnerabilities across your organization and the steps necessary to take to thwart and react to serious cyber incidents.

10. Regulatory compliance will work in your favor. As part of the cyber insurance application process, carriers will want to know if your business is subject to or voluntarily follows any regulatory frameworks or best practices. While certain industries may require compliance with regulatory guidelines (e.g. HIPAA, PCI DSS, SEC, CMMC, etc.), non-regulated businesses may also want to consider proactive compliance with industry-agnostic frameworks, such as the NIST Cybersecurity Framework (CSF), which may help standardize and streamline the insurance application process – plus provide your company with an established roadmap for cybersecurity protection.