Pitfalls in Cyber Insurance Coverage and How to Avoid Them

Cyber insurance serves as an effective safeguard against a cyber attack by providing time-critical resources and indemnifying your organization for losses. While it’s essential to cover the direct costs associated with a data breach or ransomware attack, for example, it’s also important to consider the indirect losses stemming from such attacks, including business interruption and reputational damage. Cyber insurance provides coverage on an à la carte basis where coverage for these indirect losses may be overlooked. We’ve outlined a few of the most common pitfalls we see when reviewing cyber policies and how organizations can avoid them:

1. Insufficient “Business Interruption” cyber coverage: many organizations underestimate the financial impact a cyber event would have on their system until it is too late. “Business Interruption” on a cyber policy indemnifies an organization for their loss of income caused by an attack that shuts down their network, renders their hardware or software inoperable, or corrupts their data. It can also cover the extra expenses incurred to restore their operations, such as overtime pay for employees, extra travel expenses, and costs to expedite supplies or services to meet customer demand.
* Determining the appropriate amount of Business Interruption coverage needed requires a calculation of the potential loss of revenue and extra expenses. You should work with your cyber security provider to estimate the time and effort required to fully restore your operations. Additional time and expenses should be factored into this estimate to account for unforeseen disruptions and delays.

2. Business interruption caused by a cyber attack on a key supplier or service provider: organizations are more dependent on their service providers than ever before due to the
outsourcing of technology and business processes. A cyber attack that causes a shutdown of a key supplier’s operations could have a major impact on your organization’s operations and
finances.
* “Business Interruption” coverage, as mentioned above, will not indemnify an organization for their loss of income caused by a cyber attack on their supplier or service provider. Cyber
insurance would only respond in this situation if “Dependent Business Interruption” (sometimes called “Contingent Business Income”) is included in their policy.

3. Reputational Harm: cyber attacks often go underreported and for good reason: the reputational damage suffered by organizations after an attack can be substantial. In many cases the financial loss from reputational damage is greater than the direct costs associated with the cyber attack itself. However, not all cyber policies include coverage for reputational harm.
* “Reputational Harm” coverage indemnifies your business for the loss of profit or net loss resulting from a harmful publication concerning a cyber attack on your organization. In addition, “Breach Response” coverage can pay for a public relations consultant as well as a media campaign to mitigate the harm from a publication and help rehabilitate your reputation.

The day your organization is reeling from a cyber attack is not the time you want to discover your cyber policy has a gap in coverage! These pitfalls can often be avoided by working with an experienced broker who understands your organization’s needs and has access to the appropriate cyber coverage for your organization.