What Is Cyber Insurance?
Cyber insurance (also called cyber liability insurance or cyber risk insurance) covers losses from data breaches, cyber attacks, network failures, and related incidents. Unlike traditional insurance that evolved over decades, cyber insurance is relatively new and policy language varies significantly between insurers.
As a business owner, you need to understand that cyber coverage is not standardized. Two "cyber insurance" policies may cover very different things. Careful policy review is essential both when purchasing coverage and when making claims.
🔒 Why Every Business Needs Cyber Coverage
- Average data breach cost: Over $4 million (and rising)
- Ransomware attacks: Average payment exceeds $200,000; recovery costs often 10x more
- Regulatory penalties: CCPA, HIPAA, PCI-DSS violations can result in massive fines
- Business interruption: Cyber attacks can shut down operations for days or weeks
- Reputation damage: Customer trust and brand value at stake
- Other policies exclude cyber: Traditional property and liability policies often exclude cyber losses
What Cyber Insurance Typically Covers
Cyber policies generally include two main categories of coverage: first-party (your own losses) and third-party (claims against you by others).
📥 First-Party Coverage (Your Direct Losses)
- Data breach response costs: Forensic investigation, notification to affected individuals, credit monitoring, call centers
- Business interruption: Lost income and extra expenses from cyber-related downtime
- Cyber extortion/ransomware: Ransom payments and negotiation costs
- Data recovery: Costs to restore or recreate lost data
- Crisis management: Public relations, reputation repair
- Regulatory response: Costs to respond to regulatory investigations
📤 Third-Party Coverage (Claims Against You)
- Privacy liability: Defense and settlements for claims arising from data breaches
- Network security liability: Claims from third parties whose systems were affected through yours
- Media liability: Defamation, copyright infringement from your digital content
- Regulatory fines: Penalties from HIPAA, CCPA, PCI-DSS, GDPR, etc.
- PCI-DSS assessments: Card brand fines and assessments after payment card breaches
Common Coverage Gaps in Cyber Policies
Many business owners are surprised to discover what their cyber policy does not cover. These gaps can be devastating when a claim arises.
⚠ Critical Coverage Gaps to Watch For
- Social engineering/funds transfer fraud: Many policies exclude losses from employees tricked into wiring money
- Failure to maintain security: Some policies exclude claims if you failed to patch known vulnerabilities
- Nation-state attacks: "Acts of war" exclusions may apply to sophisticated attacks
- Unencrypted data: Some policies reduce or deny coverage for unencrypted data breaches
- Third-party vendors: Breaches at your cloud providers or vendors may not be covered
- Legacy systems: Old, unsupported systems may be excluded from coverage
- Insider threats: Malicious employees may be excluded
- Physical damage: Hardware damage from cyber attacks often excluded
- Reputational harm: Long-term brand damage is difficult to recover under a policy
- Future lost profits: Coverage typically limited to "period of restoration"
Social Engineering and Business Email Compromise
One of the most common cyber-related losses occurs when employees are tricked into wiring money to fraudulent accounts (Business Email Compromise or BEC). Although these losses are cyber-enabled, many cyber policies exclude them because no "hacking" occurred, only deception.
Check whether your policy includes social engineering coverage or funds transfer fraud endorsement. If not, consider adding it or obtaining a separate crime policy with this coverage.
Acts of War Exclusion
Traditional insurance "war exclusions" are being applied to cyber attacks, especially those attributed to nation-state actors. The 2022 Merck v. Ace American Insurance case highlighted this issue when insurers denied coverage for NotPetya malware damages, claiming it was an act of war by Russia.
⚠ War Exclusion Red Flags
Review your cyber policy's war exclusion carefully. Some policies exclude:
- Any attack "attributed to" a nation-state
- Attacks during periods of "heightened risk"
- "Cyber terrorism" without clear definition
Negotiate for narrower exclusions or "carve-backs" that preserve coverage for non-targeted collateral damage.
Cyber Insurance Claim Scenarios
| Scenario | First-Party | Third-Party | Common Gaps |
|---|---|---|---|
| Ransomware attack | Covered | Varies | OFAC sanctions compliance; failure to patch |
| Customer data breach | Covered | Covered | Unencrypted data; prior knowledge |
| BEC wire fraud | Often excluded | N/A | Requires social engineering endorsement |
| Cloud provider breach | Varies | Varies | Third-party service provider exclusions |
| System failure (no hack) | Varies | Varies | May require specific "system failure" coverage |
| Phishing attack | Covered | Covered | Credential theft; employee negligence |
| DDoS attack | Usually covered | Varies | Waiting periods; sublimits |
Filing a Cyber Insurance Claim
Immediate Steps After a Cyber Incident
- Contain the incident: Isolate affected systems to prevent spread
- Notify your insurer immediately: Most policies have strict notice requirements
- Use approved vendors: Many policies require using the insurer's panel of forensics, PR, and legal firms
- Preserve evidence: Do not wipe systems or destroy logs before forensic analysis
- Document everything: Keep detailed records of all response activities and costs
- Assess notification obligations: Data breach laws may require quick notification
💡 The Pre-Approved Vendor Trap
Many cyber policies require you to use the insurer's pre-approved "panel" vendors for forensics, legal, and PR services. Using non-approved vendors may void coverage for those expenses. If you already have incident response relationships, negotiate to have those vendors added to the panel before an incident occurs.
Common Claim Disputes
- Late notice: Reporting too late can void coverage
- Scope of incident: Insurer disputes what systems/data were affected
- Reasonableness of expenses: Insurer challenges costs as excessive
- Business interruption calculation: Disputes over lost revenue methodology
- Prior knowledge: Insurer claims you knew of vulnerabilities
- Failure to maintain security: Insurer alleges you did not meet policy requirements
- Concurrent cause: Multiple causes, some excluded
California Cyber Insurance and Privacy Law
California has some of the strictest data privacy laws in the nation, which affects cyber insurance claims:
- CCPA/CPRA: California Consumer Privacy Act creates private right of action for data breaches involving unencrypted personal information; statutory damages of $100-$750 per consumer per incident
- Cal. Civ. Code Section 1798.82: Mandatory breach notification within 72 hours of discovering breach affecting California residents
- Attorney General enforcement: California AG actively enforces data security requirements
- Insurance regulations: California's Fair Claims Settlement Practices apply to cyber claims; 40-day decision deadline
- Bad faith remedies: Wrongful denial of cyber claims may give rise to bad faith claims with punitive damages
Make sure your cyber policy covers California-specific regulatory exposure, including CCPA class actions and AG investigations.
Ransomware Claims: Special Considerations
Ransomware attacks present unique claim challenges that every business should understand:
To Pay or Not to Pay
Insurers generally cover ransom payments, but there are complications:
- OFAC compliance: Paying ransoms to sanctioned groups (Russia, North Korea, etc.) may violate U.S. law
- Moral hazard: Insurance-funded ransoms may encourage more attacks
- No guarantee of recovery: Paying does not guarantee you get your data back
- Repeat attacks: Paying may make you a target for future attacks
Cryptocurrency Issues
Ransoms are typically demanded in cryptocurrency, creating logistical and legal challenges. Your insurer may require using specific payment vendors and may dispute the exchange rate used. Document all cryptocurrency transactions carefully.
Business Interruption from Ransomware
The business interruption component of ransomware claims often exceeds the ransom itself. Track all downtime, lost sales, extra expenses (overtime, contractors), and recovery costs separately from the extortion coverage.
Why Cyber Claims Get Denied
1. Failure to Maintain Security
Many policies require you to maintain certain security controls (encryption, patching, MFA). If the insurer can show you failed to maintain these, coverage may be denied.
2. Misrepresentation on Application
Cyber insurance applications ask detailed questions about your security posture. If you overstated your security measures, the insurer may rescind the policy.
3. Excluded Cause
War/terrorism exclusions, social engineering exclusions, and system failure exclusions are frequently invoked.
4. Late Notice
Cyber incidents require immediate notice. Delay can void coverage, especially if it affected the insurer's ability to respond.
5. Use of Non-Approved Vendors
Using your own forensics or legal teams without approval may result in denied expenses.
Best Practices for Cyber Coverage
- Review policy language carefully: Do not assume coverage; read the exclusions
- Close coverage gaps: Add endorsements for social engineering, system failure, etc.
- Understand notice requirements: Know exactly when and how to report incidents
- Pre-approve key vendors: Get your preferred incident response team on the panel
- Document security posture: Maintain records showing you meet policy requirements
- Answer applications accurately: Misrepresentation can void coverage
- Have an incident response plan: Know what to do before an incident occurs
- Review annually: Cyber risks and policies change rapidly