7 minutes read

What is Cyber Insurance? The Ultimate Guide

With cyber-attacks on the rise, the demand for cyber insurance is rapidly growing. But what does cyber liability insurance actually cover? What isn’t covered? And what should be your key considerations when choosing a policy?

What is Cyber Insurance?

This is, essentially, a risk transfer mechanism that supports and protects businesses or individuals from repercussions of cyber-attacks and cyber risks. For businesses, these policies help to limit the severity of business interruption, data breaches, and heavy financial losses, which cyber incidents and their aftermath often cause. 

In basic terms, this kind of policy is a specialist insurance product used to protect businesses and individuals from internet-based risks and information technology infrastructure and activities. Risks of this nature are typically excluded from traditional insurance policies. 

Cyber Insurance, Cyber Security Insurance, Cyber Liability Insurance, and Cyber Risk Insurance: What Is The Difference?

All of these terms carry the same meaning. They can be used interchangeably to describe any kind of cyber insurance policy. 

Does It Cover All Risks Associated with Cyber Security, Information Security, and Data Protection?

A cyber liability policy can minimize the financial fallout from a cyber incident, but it is by no means a bandaid to heal all – cyber security insurance does not resolve all cyber risks and issues. The insured is still responsible for ensuring a robust security posture – the insurance is simply a complementary and inseparable part of that. 

In fact, cyber insurers have gradually taken a step away from their traditional role as payout providers and closer to risk advisors and business operations partners. They want to see that their clients are actively following and adapting to the ever-changing cyber risk by adopting good cyber hygiene practices. 


Who Needs Cyber Insurance?

Insurers currently offer both business and personal cyber insurance as two separate products.

Business Cyber Insurance

Businesses, no matter their industry and size, have also increasingly relied on computers, networks, social media, and data. Unfortunately, together with this digital revolution, comes increased cyber risks. The exploitation of errors (or, “vulnerabilities”) in software programming and hardware accounts for a considerable portion of cyber-attacks. This essentially means that any organization doing business through a computer and internet network, via technology, or with data could benefit from a cyber policy. 

Personal Cyber Insurance

Information and Communication Technology has become essential to modern society – we rely on mobile devices for almost every day-to-day task. But with this increased use of technology, comes increased cyber risk. The global cyber liability industry has realized this and, in response, has started introducing personal cyber insurance policies.

This insurance package is designed to provide financial reimbursement for costs associated with digital information theft and assets up to a certain limit. A cyber liability policy can cover any children which an individual may have living in their home, and any personal computers, routers, laptops, notebooks, tablets, and mobile phones. Some private individuals purchase “cyber personal extensions” instead of a standalone cyber security policy. 


What Cyber Liability Coverage Is There?

Coverages will vary from insurer to insurer, but there are several common protections afforded by each. As a general rule of thumb, cyber policies aim to cover the costs of security failures, including recovery, system forensics, as well as the costs of legal defense and making reparations to customers. 

Coverages comprise both first and third-party liability coverage, indemnifying companies for financial losses caused by a cyber incident, and also an additional offering that is unique to the cyber liability insurance product: the Incident Response Team.

First-Party Coverage

First-party coverage protects against losses incurred directly by the company in response to a cyber incident, and typically includes customer notification (to ensure that the business complies with local data protection laws), data recovery and restoration, business income loss (the net profit before taxes that would have been earned), cyber extortion (paying off demands for funds, damage, destruction, ransomware and other malicious code or denial of service) and privacy regulator actions. 

Third-Party Coverage

This protects against all damages and claims expenses that the insured becomes legally obliged to pay as a result of a third party claim first made against the insured, during the policy period. Third-party liability coverages afforded by a cyber policy are usually claims-made, meaning that in order for a third party to claim against the insured, they must establish that a wrongful act was committed by the insured company and/or by its employees. Coverage typically applies to damages or settlements that result from covered claims, as well as the cost of the legal representation.

Examples of third-party coverage include claims alleging that the insured failed to properly protect its sensitive data and Covers claims against a firm for negligent acts, errors, or omissions that result in a denial of service attack, unauthorized access, and introduction of a virus, or another security breach.

Incident Response Team

As the threat and global reach of cyber incidents grow, insurance companies are increasingly partnering with third-party breach response services to provide a local and international offering to mitigate the potential impact of a cyber incident. In most cyber policies, such services, dubbed Incident Response Team or “IRT”, are built into the policy. When dealing with cyber incidents, a quick and professional response can determine the severity of the incident. In order to mitigate the impact successfully, the policy provides a unique offering in the form of technical, legal, and reputational panels of local and international vendors.

  • Technical IRT gives an organization access to qualified, dedicated technical personnel with vast experience in managing cyber incidents. They assist the insured in returning to business quickly and efficiently. 
  • Legal IRT supports the notification activity when a breach is in its initial stages – most global regulations around data breaches require companies to notify affected customers within a given time frame and in a certain manner. 
  • PR IRT will also help to mitigate reputational damage and to build a long-term recovery plan and to get the company back onto the right track. They will deal with internal communication as well as external.

Are there any Endorsements?

The most common cyber security insurance endorsements are:

  • PCI Fines & Penalties (compliance violations concerning credit card data)
  • Social Engineering / E-Theft / Erroneous of Funds Transfer (paying out to companies where their employees have made errors or deliberately exploited vulnerabilities in the business’s security network)
  • Outsourced Service Provider – OSP (where a supplier has a cyber incident that causes knock-on effects and business interruption for the insured party)
  • System Failure / Operational Error / Human Error (unintentional or unplanned system outages)
  • Bricking (paying for new hardware when a business’s hardware loses functionality)
  • Reputational Injury following a cyber incident. 


What does Cyber Insurance Not Cover? Common Exclusions:

Cyber liability policies do not protect against every possible network-related eventuality. In fact, the sharp increase in the number of cyber-related claims made over the past couple of years has forced cyber insurers to reconsider and limit their cyber security insurance plans. Any insurance professional working in the industry will have to be clear on what they can and, more importantly, cannot cover.  

Many policies do not cover financial damage caused by loss of intellectual property following a cyberattack. To put this in context – a cyber policy could pay out for the costs of dealing with the immediate aftermath of a cyberattack, but long-term losses such as loss of business due to poor public reputation will not be covered. 

Some other key exclusions which can often be found in cyber risk insurance are:

  • Betterment
  • Patent infringement
  • Insolvency
  • AntiTrust
  • Contractual Liability 
  • War & Terrorism (not including Cyber Terrorism)
  • Infrastructure
  • Known Prior Acts
  • Property Damage
  • Bodily Injury
  • Pollution

There is, however, the issue of something called “Silent Cyber”. This is a term that is increasingly used to describe cyber-related losses stemming from insurance policies that were not specifically designed to cover cyber risk. This in turn means that insurers sometimes have to pay claims for cyber losses under a policy that was not written for cyber-related claims.


How Much Does Cyber Insurance Cost?

The price for a comprehensive cyber policy has shot up dramatically over the past few years, propelled further by the increased frequency and severity of cyber-attacks during COVID-19. Today, the cost of cyber liability insurance depends on a wide variety of factors such as the size of the business, its annual revenue, the sector in which it operates, the type of data it processes and stores, and its overall security posture. 

Conditions for being accepted by an insurer for a cyber security policy have hardened significantly. An organization that does not take its cyber security seriously or has a history of cyber attacks and data breaches will, at best, be charged higher prices for a cyber liability policy and, at worst, be refused a policy altogether.

A key point to make on cost, however, is that the cost of an uninsured cyber breach will, more often than not, outweigh the cost of a policy. Cyber liability insurance is an investment to future-proof and safeguards a business.


Where Can I Learn More About Cyber Insurance?

Cyber security insurance is a growing product within the insurance industry. However, there are comparatively limited numbers of cyber risk and liability specialists with an adequate level of knowledge and technical understanding of their clients’ needs and the solutions to resolve them. 

What Courses Can I Attend?

There are insurance courses that provide insights into the industry, but many of these are not formally accredited by professional bodies and therefore cannot contribute towards CPD (Continuing Professional Development). The Cyber Insurance Academy is the only provider of a comprehensive cyber insurance course that is recognized and approved by the Chartered Insurance Institute in London (CII).

What Do They Cover?

Our rigorous cyber insurance training guides students through both the technical world of cyber and the practical field of insurance. It provides high-level and broad cyber insurance education designed to enable insurance professionals to enter the cyber insurance market confidently. 

Can I Obtain A Certification?

Yes, the Cyber Insurance Academy provides a formal certificate to prove the standard of knowledge, time spent, and professional recognition for every student who completes the course.

Can I Further My Education Beyond the Academy?

Once you join the Cyber Insurance Academy, you become a student for life. We actively encourage our students to keep updated on the latest cyber insurance market development with Alumni Continuing Professional Education courses, masterclasses, workshops, webinars, newsletters, and more! 

Want to find out more about our courses? Click here

Reach Out to Us

Can’t find what you’re looking for? Leave your details and we’ll get back to you shortly