How Adequate Is Your Cybersecurity Insurance Coverage?


The need for cybersecurity insurance coverage isn’t a new topic for most and hasn’t been for some time. After years of cyberattacks on schools, hospitals, banks and more, we all know too well how important a cyber policy can be.

The problem is that too many companies are inadequately covered, or have bought policies that are rife with exclusions and come up woefully short at a time when the median ransomware demand amount is $600,000.

The risk management team at a UnitedHealthcare unit was no doubt reading all the fine print in its cyber policies last month after experiencing a cyberattack that disrupted drug prescription orders at thousands of pharmacies nationwide. The breach also affected military clinics and hospitals worldwide.

The attack, in this case, appeared to be by a foreign country and, if reports are accurate, cost the company $22 million in Bitcoin payments to the cybercriminals.

If you’re a business owner, that’s the kind of money that should prompt you to wonder whether your cybersecurity insurance coverage is adequate or not.

A recent Forrester report found that fewer than 20% of companies have enough coverage to pay for that median $600,000 ransomware demand amount.

Worse still, more than one-third (37%) of respondents with cyber insurance do not have any coverage for ransomware payment demands, while 43% of those with a policy are not covered for costs such as court fees or employee downtime.

Talk about operating without a net.

After several years of big increases, cyber insurance pricing at the moment seems to be settling down. Yet cyber insurance has become harder to secure, due to stiffer endpoint detection and response (EDR) software requirements imposed by insurance carriers.

What’s Covered by Cyber Liability Insurance?

Insider attacks and those that occur amid poor security processes are typically excluded by a cyber policy. But there’s plenty that a good policy will cover beyond ransomware. Here’s what you’ll want to be sure your policy includes:

Data Breach Coverage: This covers the costs associated with the loss of data or breach of data privacy. It can include notification expenses, credit monitoring services for affected individuals, and the cost of public relations efforts to manage the situation.

Business Interruption Loss: Protects against losses resulting from downtime caused by cyber incidents. This coverage helps recover lost income and pays for extra expenses that businesses incur to resume operations after a cyberattack.

Network Security Liability: Provides protection against claims arising from allegations that a business's failure to secure its network resulted in a data breach or the spread of malware to third parties.

Privacy Liability: Covers legal fees, settlements, and other costs associated with violations of privacy regulations or the unauthorized release of personal information.

Regulatory Defense and Penalties: Offers coverage for legal expenses and fines associated with governmental investigations and penalties due to cybersecurity breaches.

Forensic Support: Covers the costs of services required to investigate a cybercrime, including the expenses of hiring specialists to identify the cause and extent of a breach.

Credit Monitoring: Pays for credit monitoring services for victims of a data breach to help protect them against identity theft.

Crisis Management and PR: Covers the costs of managing the public relations fallout after a cybersecurity incident, helping to repair the business's reputation.

These coverages can vary widely between policies and insurers, and businesses will want to work with their insurance brokerage to tailor coverage that fits their specific risk profiles and needs.

The folks at UnitedHealthcare will have been having these conversations, without a doubt.

The Mahoney Group, based in Mesa, Ariz., is one of the largest independent insurance and employee benefits brokerages in the U.S. For more information, visit our website or call 877-440-3304.


This article is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.
