Not all cyber insurance is created equal. Here’s how to tell if the coverage is worth the cost.

Key Takeaways:

  • Cyber-attacks are escalating to all-time highs.
  • Cyber insurance is becoming essential, particularly for small businesses.
  • Coverage and coverage limits can be as different as the threats they address.
  • Third-party protection is important, given that small businesses could be an unwitting tool for criminals.

We’ve previously looked at several key aspects of cyber insurance, including what this type of policy is and why more companies are investing in protection. This form of insurance is arguably among the most vital business coverage in 2022.

Why is having the best possible cyber policy so important this year? Last year, businesses suffered double the number of cyber-attacks per week compared with previous highs, with cybercriminals capable of penetrating 93 percent of company networks.

Those are just two worrying statistics from a Forbes report that should spur small businesses to re-assess or consider cyber coverage. Let’s review which features separate strong cyber insurance from insufficient policies.

How committed is your provider to cyber coverage?

As with all insurance, a cyber policy’s suitability should partially be rated based on coverage amounts and how easily the deductible can be met. But comparing cyber policies beyond these metrics isn’t as easy as with auto or home insurance. The high-speed evolution of technology breeds constantly expanding and unpredictable cyber threats with diverse outcomes, making it challenging to establish industry standards.

The escalating nature of cyber threats has made some insurers increasingly hesitant about insuring against some of the most common or costly claims — and quick to raise premiums when they offer this coverage. Thus, small businesses should initially evaluate a policy on a few basic things, such as if their current or potential provider has any qualms about fully covering a particular type of incident.

Some insurers also intend to raise rates on specific attacks in the future or exclude them from coverage altogether. Keep up with how the cyber policy may change, and avoid learning that you’re not covered for something too late.

Look at limits and defined protections

Another important review point is what limit an insurer places on cyber payouts. Do they intend to keep current coverage limits, raise them, or lower them? Lowering them is becoming more common.

The next rating factor is how many threats your business is covered for (and there is a long list). Evaluating coverage limits goes hand in hand with assessing the number of threat types a policy protects against.

Look for good first- and third-party coverage

The average first-party cost of a data breach was $4.24 million in 2021, a figure composed of business interruption costs and incident response expenses, including investigations and private and public reparations. Those numbers are for all businesses, including massive corporations. In contrast (and while numbers vary), the resulting expenses for small businesses may be low six figures with many of the same categories of costs. But while the numbers are lower for small companies, they are more vulnerable to these expenses; a single attack could put them out of business. Policyholders should assess how much of each of these bills will be shouldered by the coverage and how much will land on the company.

Third-party cyber coverage dictates how well a policy protects a company against a liability claim from another party. Since cyber-attacks often go through one business to impact another, the second business may sue the first for providing that bridge. Claims can happen in a range of circumstances. For example, the first party needn’t have been involved in handling the other’s data. One infected email could conceivably land a company in court.

Many cyber policies will offer at least some degree of protection against third-party litigation and possible settlements. They may also provide funds to pursue the prosecution of a third party if the policyholder was harmed.

Closely review the policy’s conditions, denials, and exclusions

Only organizations that take strong precautions to prevent a cyber incident have the hope of receiving a payout. As many as 60 percent of businesses don’t — meaning they’re at the top of the list to get a “failure to maintain” denial because they didn’t have adequate security standards.

This clause alone isn’t a policy flaw; insurers in all sectors look unfavorably on customers who effectively ask for trouble. Just be clear on your provider’s definition of “adequate security” to avoid any nasty surprises.

In addition, data can be lost or corrupted during network or technical interruptions, which can be caused by anything from inclement weather to system maintenance. A more comprehensive cyber policy will cover businesses in those scenarios, while others will only do so for a direct cyber-attack.

A cyber policy’s worth can also hinge on how it defines negligence. Rating your coverage can thus depend on how stringent the restrictions are. For example, a responsible company with solid cyber security and well-trained staff might still see an employee accidentally lose a digital device with access to company data. Would your provider view this as a breach of your policy agreement?

International protection and defining terrorism

Cybercrime isn’t limited by international borders, and an attack in any country could hurt a small business in America in today’s globally linked economy. A good cyber insurance policy shouldn’t be limited by borders, either. Coverage should be assessed based on the level of protection it provides against international incidents.

Many cyber policies also won’t protect against digital damage stemming from wars, invasions, or terrorism. These are all typical exclusion clauses for many forms of insurance — but it’s important to take a closer look at what constitutes “terrorism” and whether a policy excludes it. 

The official definition of “cyberterrorism” is still shaky and allows for any attack that results in fear or intimidation to potentially qualify for the term. The government makes few distinctions when discussing cybercrime and cyberterrorism, but the FTC also ranks protection from terrorism among its top five cyber policy musts. Evaluate insurers to see how they classify these incidents and whether you will be covered.

NICRIS offers a free, personalized review of your current circumstances to give us a clearer picture of the best cyber coverage for you. Request a quote, book a free, personalized insurance review, or contact us with any questions!