Newsletter and Subscription Sign Up

Insuring Against Cyberattacks

Published Friday Aug 17, 2018

Author Lyle Fulkerson

Insuring Against Cyberattacks

Though often the plot of tv shows, cybercrime can be a terrifying reality for businesses. To keep a business running, cyber liability insurance is a critical component of any company’s protection plan.

Unlike traditional commercial insurance designed to protect against physical injury or property damage, cyber liability insurance is designed to protect against digital threats, such as lawsuits claiming failure to: keep data secure, restrict access to sensitive information or prevent the spread of computer viruses. It can also reimburse expenses associated with a breach, including business interruption, data restoration and forensic expenses.

Let’s look at how a traditional insurance policy would respond to a claim versus a cyber liability policy. Say an employee leaves a $1,000 laptop, with the personal and financial data of all the company’s clients, at a hotel bar. The laptop is never recovered.  Without a cyber liability policy, your company may collect for the cost of the laptop itself (subject to the deductible) but has no coverage for the loss of data or the potential lawsuits from clients whose data was stolen.

According to Symantec’s 2016 Internet Security Threat Report, odds are one in 40 for small businesses becoming a victim of a cybercrime. A more disturbing statistic is that, according to the U.S. National Cyber Security Alliance, 60 percent of small businesses that suffer a cyberattack go out of business within six months. As most businesses store, or at least collect, payment information or personal data of some kind electronically, a cyber liability policy is a necessity for most businesses, no matter what their size.

Cyber Liability Coverage
In the relative history of insurance, cyber liability is a new product.  Because of this, it lacks the standardization of many other insurance products like a general liability or business auto policy.  It is in the best interest of any business owner to have a conversation with their insurance professional about the specific online risks their business faces and select a policy that can best fit those needs.

A typical policy may include:

Data Breach: With government regulations putting more onus on companies to protect clients’ personal information, a breach would require notification to all affected parties as well as provide identity theft protection for those individuals. A data breach would also require a security fix as well as a possible defense in a legal action.  

Intellectual Property Rights: A company’s social media, blog or website can make it susceptible to libel, defamation of character, copyright or trade infringement claims.

Damage to a Third-Party System: If your company sends an email from your server that has a virus and crashes the system of a customer, your company could be held liable for the damages.

System Failure: Physical damage to hardware from a fire or other natural disaster would often be covered under a business liability policy, but not the data or code itself.  

Extortion/Ransomware Attack: Hackers can deny you and/or your customers access to your website or network. The criminals often demand a ransom be paid to restore access, which can cause a loss of income as well as additional costs from possibly paying the ransom or fixing any damage caused by extortion.

Business Interruption: If your business suffers a data breach or system failure, it will take time and money to fix it. That’s time and money that would have been allocated elsewhere.

Securing a Policy
As with any application for insurance, you will need to disclose information about your operation, revenue and loss history. However, you may also need to be prepared to provide the following:

• Purpose of customer data collection;

• How customer data is collected;

• Who has access to systems and data;

• IT and network security procedures;

• Employee cyber training;

• Third-party vendors, including cloud storage vendors;

• Encryption procedure.

Understanding what may be asked will only make the application process easier, for both you and the insurance company that is ultimately calculating the premium.

Policy Cost
Different businesses have different exposure to cyber liability depending on their industry, size, extent to which it uses technology and the safety measures they have in place. A small retail shop may want to secure its financial system and protect customer data while a large medical practice needs coverage against a large-scale cyberattack.  

Perhaps a different way to look at the cost of the insurance is to consider the cost of a cybercrime. Consider these scenarios:

• Cybercriminals send out ransomware and take over the website of a marketing firm that relies on cultivating clients and delivery of services through its site.

• An employee mistakenly sends personnel files to the wrong email address.

• A credit card company calls to tell you that the cards used at your business were compromised through your point of sale system.

• An employee sends an email that contains a virus, damaging both the company’s system and the recipient’s.

• A company laptop containing sensitive client information is inadvertently left in a taxi and never recovered.

Without a cyber liability insurance policy, your business would most likely be responsible for covering the expenses associated with such occurrences.

Common Misconceptions
There are several misconceptions about insurance and cyber liability including that a business is protected by its existing insurance. A commercial general liability policy does not address the cyber and digital exposure most companies face today. Unless you have a policy that explicitly references your business’s cyber exposure, chances are you do not have any coverage.

Another misconception is that a business does not need cyber insurance because it uses third-party vendors for all of its data storage and IT services. Even if you outsource your management system and/or IT services to a third party, the legal burden could still fall on your company if a breach occurred and you initially collected the client data and records.

Others believe a data breach won’t happen to them. Any business, regardless of size, is vulnerable to a cyberattack. If you use a computer to operate your business, your business is at risk.

Some believe the cost of insurance will exceed the benefit. Besides the coverage discussed, many cyber liability policies also provide risk management services to help identify and prevent a cyber loss in the first place.  There may also be coverage for legal defense costs and forensic support that can be critical in getting your business back up and running.

The Right Policies
There are additional cybercrimes you need to know about to protect your business. A growing crime that is specifically affecting small business is spear phishing. It is the fraudulent practice of sending emails, supposedly from a known sender, to induce the receiver to reveal confidential information—often bank account information.

For example, the company bookkeeper receives an email from a trusted vendor asking that the bank information be updated.  The bookkeeper does so and pays the invoice only to learn it was not the vendor who emailed the company but a criminal posing as such.

As the employee willingly transferred funds, the loss would not be covered by most policies, including cyber liability, unless coverage referred to as “social engineering” was added to the cyber policy or a separate social engineering policy was purchased.

Cyber liability insurance cannot stop a business from being attacked by hackers, but it can help you prepare, protect and recover from it.

Lyle Fulkerson is president of HPM Insurance in Bedford. For more information, visit

All Stories